FoundrySolidityLayer 2
7.25 ETH
Submission Details
Impact: medium
Likelihood: low

`sweepUnclaimedBonus` + moderator re-flag permanently deflates CORRUPTED whitehat bounty

Author Revealed upon completion

Root + Impact

The named whitehat attacker permanently loses part of their bounty entitlement. Value that should be claimable by the whitehat has already been transferred to recoveryAddress and cannot be recovered.

Description

  • When a pool resolves as CORRUPTED with good-faith, the moderator names a whitehat attacker entitled to claim the full pool as a bounty within 180 days. The bounty entitlement (bountyEntitlement) is set at flagOutcome time from snapshotTotalStaked + snapshotTotalBonus.

  • sweepUnclaimedBonus() intentionally does NOT set claimsStarted (line 503 comment). After a SURVIVED flag with riskWindowStart == 0, anyone can sweep the entire bonus to recoveryAddress, decrementing live totalBonus to 0. If the moderator then re-flags to CORRUPTED good-faith (re-flag window still open because claimsStarted is false), the new snapshot captures totalBonus = 0, permanently reducing bountyEntitlement. The swept value has already been transferred to recoveryAddress and cannot be recovered.

// ConfidencePool.sol:sweepUnclaimedBonus — lines 499-506
@> if (totalEligibleStake == 0 || riskWindowStart == 0) {
@> totalBonus -= amount <= totalBonus ? amount : totalBonus; // live totalBonus decremented
@> }
@> // Intentionally does NOT set claimsStarted. // re-flag window stays open after sweep
stakeToken.safeTransfer(recoveryAddress, amount);
// ConfidencePool.sol:flagOutcome — lines 354-362
@> if (outcome != PoolStates.Outcome.UNRESOLVED && claimsStarted) revert OutcomeAlreadySet();
// re-flag allowed when claimsStarted is false — sweep didn't set it
@> snapshotTotalBonus = totalBonus; // captures deflated totalBonus (0 after sweep)
@> bountyEntitlement = willBeGoodFaithCorrupted
@> ? snapshotTotalStaked + snapshotTotalBonus // whitehat bounty permanently reduced
@> : 0;

Risk

Likelihood:

Reason 1 — A moderator who first flags SURVIVED on a CORRUPTED registry (out-of-scope breach assessment) and later re-assesses as in-scope CORRUPTED will trigger this path. The sweep can occur at any point between the two flags by any caller.
Reason 2 — The sweep is permissionless and `sweepUnclaimedBonus` accepts SURVIVED outcome. When `riskWindowStart == 0`, the entire bonus is unreserved and sweepable. No attacker coordination is needed.

Impact:

Impact 1 — The named whitehat permanently loses the swept bonus amount from their bounty entitlement. The value has already been transferred to `recoveryAddress` and cannot be recovered.
Impact 2 — The `bountyEntitlement` accounting field diverges from the intended "full pool value" semantics, creating a brittle state for off-chain indexers and whitehat expectations.

Proof of Concept

function test_M2_SweepReFlagDeflatesBountyEntitlement() public {
uint256 stakeAmount = 100 * ONE;
uint256 bonusAmount = 50 * ONE;
_stake(alice, stakeAmount);
_stake(bob, stakeAmount);
_contributeBonus(carol, bonusAmount);
// Registry goes directly to CORRUPTED (no active-risk → rws==0)
attackRegistry.setAgreementState(IAttackRegistry.ContractState.CORRUPTED);
assertEq(pool.riskWindowStart(), 0);
// Moderator flags SURVIVED (out-of-scope breach assessment)
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.SURVIVED, false, address(0));
// Anyone sweeps unclaimed bonus → recoveryAddress, totalBonus decremented
uint256 recoveryBefore = token.balanceOf(recovery);
pool.sweepUnclaimedBonus();
uint256 swept = token.balanceOf(recovery) - recoveryBefore;
assertEq(swept, bonusAmount);
assertEq(pool.totalBonus(), 0);
assertFalse(pool.claimsStarted()); // re-flag window still open
// Moderator re-assesses → in-scope CORRUPTED → re-flags good-faith
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.CORRUPTED, true, whitehat);
// Whitehat bounty permanently deflated
uint256 bounty = pool.bountyEntitlement();
uint256 expectedFull = stakeAmount * 2 + bonusAmount;
assertEq(bounty, stakeAmount * 2); // bonus missing from entitlement
assertLt(bounty, expectedFull); // whitehat lost 50e18
}

Forge output:

[PASS] test_M2_SweepReFlagDeflatesBountyEntitlement()
bountyEntitlement: 200000000000000000000
Would have been: 250000000000000000000
Whitehat lost: 50000000000000000000

Recommended Mitigation

Snapshot the bonus pool values only on the first flag, not on re-flag. This prevents a re-flag from capturing totalBonus after it has been decremented by a sweep, keeping bountyEntitlement consistent with the original resolution state.

function flagOutcome(PoolStates.Outcome newOutcome, bool goodFaith_, address attacker_)
external onlyModerator
{
+ bool isFirstFlag = outcome == PoolStates.Outcome.UNRESOLVED;
// ... validation ...
outcome = newOutcome;
goodFaith = goodFaith_;
attacker = attacker_;
+ if (isFirstFlag) {
snapshotTotalStaked = totalEligibleStake;
snapshotTotalBonus = totalBonus;
snapshotSumStakeTime = sumStakeTime;
snapshotSumStakeTimeSq = sumStakeTimeSq;
+ }

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!