Root + Impact
The named whitehat attacker permanently loses part of their bounty entitlement. Value that should be claimable by the whitehat has already been transferred to recoveryAddress and cannot be recovered.
Description
-
When a pool resolves as CORRUPTED with good-faith, the moderator names a whitehat attacker entitled to claim the full pool as a bounty within 180 days. The bounty entitlement (bountyEntitlement) is set at flagOutcome time from snapshotTotalStaked + snapshotTotalBonus.
-
sweepUnclaimedBonus() intentionally does NOT set claimsStarted (line 503 comment). After a SURVIVED flag with riskWindowStart == 0, anyone can sweep the entire bonus to recoveryAddress, decrementing live totalBonus to 0. If the moderator then re-flags to CORRUPTED good-faith (re-flag window still open because claimsStarted is false), the new snapshot captures totalBonus = 0, permanently reducing bountyEntitlement. The swept value has already been transferred to recoveryAddress and cannot be recovered.
@> if (totalEligibleStake == 0 || riskWindowStart == 0) {
@> totalBonus -= amount <= totalBonus ? amount : totalBonus;
@> }
@>
stakeToken.safeTransfer(recoveryAddress, amount);
@> if (outcome != PoolStates.Outcome.UNRESOLVED && claimsStarted) revert OutcomeAlreadySet();
@> snapshotTotalBonus = totalBonus;
@> bountyEntitlement = willBeGoodFaithCorrupted
@> ? snapshotTotalStaked + snapshotTotalBonus
@> : 0;
Risk
Likelihood:
Reason 1 — A moderator who first flags SURVIVED on a CORRUPTED registry (out-of-scope breach assessment) and later re-assesses as in-scope CORRUPTED will trigger this path. The sweep can occur at any point between the two flags by any caller.
Reason 2 — The sweep is permissionless and `sweepUnclaimedBonus` accepts SURVIVED outcome. When `riskWindowStart == 0`, the entire bonus is unreserved and sweepable. No attacker coordination is needed.
Impact:
Impact 1 — The named whitehat permanently loses the swept bonus amount from their bounty entitlement. The value has already been transferred to `recoveryAddress` and cannot be recovered.
Impact 2 — The `bountyEntitlement` accounting field diverges from the intended "full pool value" semantics, creating a brittle state for off-chain indexers and whitehat expectations.
Proof of Concept
function test_M2_SweepReFlagDeflatesBountyEntitlement() public {
uint256 stakeAmount = 100 * ONE;
uint256 bonusAmount = 50 * ONE;
_stake(alice, stakeAmount);
_stake(bob, stakeAmount);
_contributeBonus(carol, bonusAmount);
attackRegistry.setAgreementState(IAttackRegistry.ContractState.CORRUPTED);
assertEq(pool.riskWindowStart(), 0);
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.SURVIVED, false, address(0));
uint256 recoveryBefore = token.balanceOf(recovery);
pool.sweepUnclaimedBonus();
uint256 swept = token.balanceOf(recovery) - recoveryBefore;
assertEq(swept, bonusAmount);
assertEq(pool.totalBonus(), 0);
assertFalse(pool.claimsStarted());
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.CORRUPTED, true, whitehat);
uint256 bounty = pool.bountyEntitlement();
uint256 expectedFull = stakeAmount * 2 + bonusAmount;
assertEq(bounty, stakeAmount * 2);
assertLt(bounty, expectedFull);
}
Forge output:
[PASS] test_M2_SweepReFlagDeflatesBountyEntitlement()
bountyEntitlement: 200000000000000000000
Would have been: 250000000000000000000
Whitehat lost: 50000000000000000000
Recommended Mitigation
Snapshot the bonus pool values only on the first flag, not on re-flag. This prevents a re-flag from capturing totalBonus after it has been decremented by a sweep, keeping bountyEntitlement consistent with the original resolution state.
function flagOutcome(PoolStates.Outcome newOutcome, bool goodFaith_, address attacker_)
external onlyModerator
{
+ bool isFirstFlag = outcome == PoolStates.Outcome.UNRESOLVED;
// ... validation ...
outcome = newOutcome;
goodFaith = goodFaith_;
attacker = attacker_;
+ if (isFirstFlag) {
snapshotTotalStaked = totalEligibleStake;
snapshotTotalBonus = totalBonus;
snapshotSumStakeTime = sumStakeTime;
snapshotSumStakeTimeSq = sumStakeTimeSq;
+ }