For a good-faith CORRUPTED resolution, the pool snapshots the full pool as the named whitehat's bounty and reserves it for CORRUPTED_CLAIM_WINDOW (180 days). Before any claim starts settlement, the moderator may call flagOutcome again to correct an outcome or the named attacker.
This behaviour is an explicit protocol commitment. docs/DESIGN.md §4 says a moderator may re-flag before the first claim to fix a typo in the outcome or attacker, and expressly identifies the first claim—not a timer—as the event that ends the correction window. DESIGN.md §12 further says the pool is reserved for the named whitehat for 180 days.
However, the contract anchors corruptedClaimDeadline permanently to the first-ever good-faith CORRUPTED flag. A later, valid re-flag changing an incorrectly named attacker to the actual whitehat keeps that original deadline. Once 180 days have elapsed, the correction is accepted but the newly named whitehat immediately reverts with ClaimWindowExpired; any caller can then sweep the whole bounty to recoveryAddress.
This directly contradicts the documented correction guarantee and bounty reservation: the protocol accepts the corrected beneficiary, yet gives that beneficiary no usable claim period.
Likelihood:
A good-faith CORRUPTED resolution initially names an incorrect, inaccessible, or disputed attacker address and remains unclaimed through the 180-day bounty period.
The moderator subsequently uses the explicitly supported pre-claim correction path to replace that address with the actual whitehat; the correction transaction itself succeeds even though the inherited deadline is already expired.
Impact:
The actual whitehat permanently loses its entire snapshotTotalStaked + snapshotTotalBonus bounty despite being the address recorded by the corrected, accepted outcome.
Any permissionless caller can immediately call sweepUnclaimedCorrupted, sending the entire pool to recoveryAddress; the corrected whitehat cannot prevent this by claiming first.
Create a new test file: test/unit/ConfidencePool.semantic.t.sol
Add the code below:
Run the test:
The test passes: the corrected address is stored, its claim reverts, and the full 100-token bounty is swept to recoveryAddress.
Start a usable bounty window for the beneficiary of a successful correction. The protocol can preserve the existing anti-griefing objective by bounding the number of beneficiary corrections in its policy; it should not silently accept a correction that has no economic effect.
If the intended policy is instead an absolute, non-extendable deadline, the contract should reject attacker-address corrections after that deadline and DESIGN.md should disclose that limitation. It must not accept a corrected whitehat while making its claim impossible.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.