DESIGN.md §3 states that a staker depositing during UNDER_ATTACK has their bonus "crushed to ~zero," since entry is floored at riskWindowStart ≈ now. This assumes riskWindowStart is sealed close to the true attack start. But if nobody interacts with the pool when UNDER_ATTACK begins, riskWindowStart stays 0 until someone triggers _observePoolState(). An attacker can simply wait and let their own stake() call be that trigger — sealing riskWindowStart at their own entry time. The eager reset in _markRiskWindowStart then retroactively re-floors every existing staker to that same late timestamp, erasing all time-based differentiation.
Likelihood:
Occurs whenever UNDER_ATTACK begins and no one calls the permissionless pokeRiskWindow() before the attacker deposits — the default state unless someone pays gas purely to protect other stakers.
Requires only one unprivileged stake() call; no governance action, rewind, or race against another user needed.
Impact:
The k=2 penalty collapses to plain amount-weighting: early and late entrants score identically once the attacker seals the window at their own timestamp.
An attacker's payout is then bounded only by deposit size, not entry time. PoC shows an attacker depositing 2× an honest staker's stake receives 2× the bonus (40 vs 20 tokens) despite zero time at risk — a 50% cut to the honest staker's bonus versus the correct baseline (140 → 120).
The PoC below pairs a control run (window sealed honestly via an immediate pokeRiskWindow() call) against an exploit run (window left lazy, sealed instead by the attacker's own stake). Both use identical timing and stakes so the only variable is who/when the window is sealed — isolating the bug's effect on the payout split.
stake() is removed as a valid trigger for sealing riskWindowStart, so a depositor can never define their own entry baseline. Sealing now requires a separate pokeRiskWindow() call, which pays a small bounty from the bonus pool — incentivizing keepers or honest parties to seal the window the moment UNDER_ATTACK begins, before an attacker gets the chance to wait it out. This reduces the exploit's economic viability rather than eliminating it outright, since the registry still exposes no canonical historical transition timestamp for a fully deterministic fix.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.