FoundrySolidityLayer 2
7.25 ETH
Submission Details
Impact: high
Likelihood: high

Bonus sweep before re-flag strips the good-faith corrupted bounty

Author Revealed upon completion

Summary

The protocol intentionally allows the moderator to correct an outcome before the first value-moving claim. In a good-faith CORRUPTED correction, the named attacker should receive a bounty equal to the snapshotted stake plus bonus. The bug is that sweepUnclaimedBonus() can move accounted bonus to recoveryAddress during that same correction window without setting claimsStarted.

This is a payout-integrity issue. When the first outcome is SURVIVED and riskWindowStart == 0, sweepUnclaimedBonus() treats the tracked bonus as sweepable, transfers it to recovery, and decrements totalBonus. The moderator can still re-flag to good-faith CORRUPTED afterward, but the new bounty snapshot excludes the swept bonus.

Affected Contract

File: src/ConfidencePool.sol

Lines: 322-379

Function/Type: flagOutcome(PoolStates.Outcome,bool,address)

File: src/ConfidencePool.sol

Lines: 432-453

Function/Type: claimAttackerBounty()

File: src/ConfidencePool.sol

Lines: 474-509

Function/Type: sweepUnclaimedBonus()

Vulnerability Details

flagOutcome() allows re-flagging as long as claimsStarted is false. This is meant to let the moderator correct an incorrect outcome before participants rely on it through a claim.

However, sweepUnclaimedBonus() can transfer real pool value without setting claimsStarted. In the no-risk-window case, the function reserves only outstanding principal and treats the entire bonus as free balance. It then decrements totalBonus and transfers the amount to recoveryAddress.

Because claimsStarted remains false, the moderator can still correct the outcome to good-faith CORRUPTED. During that correction, flagOutcome() snapshots the already-decremented totalBonus, so bountyEntitlement = snapshotTotalStaked + snapshotTotalBonus excludes the swept bonus. The whitehat receives principal only, while recovery keeps the bonus.

Root Cause

The root cause is that sweepUnclaimedBonus() performs value movement and accounting reduction without closing the re-flag correction window, allowing a later good-faith CORRUPTED snapshot to use the reduced bonus value.

// File: src/ConfidencePool.sol:474-509
function sweepUnclaimedBonus() external nonReentrant {
if (outcome != PoolStates.Outcome.SURVIVED && outcome != PoolStates.Outcome.EXPIRED) {
revert OutcomeNotEligibleForSweep();
}
uint256 reserved;
if (totalEligibleStake != 0) {
reserved = totalEligibleStake;
if (riskWindowStart != 0) {
reserved += snapshotTotalBonus - claimedBonus;
}
}
uint256 freeBalance = stakeToken.balanceOf(address(this));
uint256 amount = freeBalance > reserved ? freeBalance - reserved : 0;
if (amount == 0) revert NothingToSweep();
if (totalEligibleStake == 0 || riskWindowStart == 0) {
totalBonus -= amount <= totalBonus ? amount : totalBonus;
}
stakeToken.safeTransfer(recoveryAddress, amount);
emit BonusSwept(msg.sender, recoveryAddress, amount);
}
// File: src/ConfidencePool.sol:322-362
function flagOutcome(PoolStates.Outcome newOutcome, bool goodFaith_, address attacker_) external onlyModerator {
if (outcome != PoolStates.Outcome.UNRESOLVED && claimsStarted) revert OutcomeAlreadySet();
IAttackRegistry.ContractState state = _observePoolState();
...
outcome = newOutcome;
goodFaith = goodFaith_;
attacker = attacker_;
snapshotTotalStaked = totalEligibleStake;
snapshotTotalBonus = totalBonus;
snapshotSumStakeTime = sumStakeTime;
snapshotSumStakeTimeSq = sumStakeTimeSq;
corruptedReserve = newOutcome == PoolStates.Outcome.CORRUPTED ? snapshotTotalStaked + snapshotTotalBonus : 0;
bountyEntitlement = willBeGoodFaithCorrupted ? snapshotTotalStaked + snapshotTotalBonus : 0;
...
}

Attack Vectors

Attack Vector 1: Sweep between incorrect flag and correction

Step 1 The registry is CORRUPTED, but no active-risk observation has set riskWindowStart.
Step 2 The moderator first flags SURVIVED and intends to correct it before any claim.
Step 3 Any caller invokes sweepUnclaimedBonus() while claimsStarted == false.
Result: The bonus is transferred to recoveryAddress, totalBonus is decremented, and the correction window remains open.

Attack Vector 2: Front-run moderator correction

Step 1 A SURVIVED flag is visible on-chain with riskWindowStart == 0.
Step 2 A moderator correction to good-faith CORRUPTED is expected or submitted.
Step 3 A caller submits sweepUnclaimedBonus() before the correction is finalized.
Step 4 The moderator correction still succeeds, but snapshots the reduced totalBonus.
Result: The whitehat bounty excludes the swept bonus and pays only the remaining principal.

Execution Flow

  • The pool holds staked principal and contributed bonus.

  • The registry is terminal CORRUPTED, but riskWindowStart remains zero.

  • The moderator flags SURVIVED.

  • claimsStarted remains false because no claim has occurred.

  • A caller executes sweepUnclaimedBonus().

  • The function reserves principal only, transfers the tracked bonus to recovery, and decrements totalBonus.

  • The moderator re-flags to good-faith CORRUPTED.

  • flagOutcome() snapshots the reduced totalBonus.

  • claimAttackerBounty() pays the attacker only snapshotTotalStaked + snapshotTotalBonus, excluding the swept bonus.

Impact

This is a Medium severity value-redirection issue. The named good-faith attacker can lose the entire bonus portion of the bounty even though the moderator correction is accepted. The recovery address keeps funds that should have been reserved for the whitehat under the corrected CORRUPTED outcome.

The attacker cost is only the gas cost to call a permissionless sweep during the correction window. The protocol impact is a broken final distribution: the correction mechanism remains open, but the economic state being corrected has already been changed by a sweep.

Validation steps

Standalone Validation

Framework used: Foundry / forge

Validation Test File

File 1: test/poc/ConfidencePoolReflagSweepPoC.t.sol

function testPoC_bonusSweepBeforeCorrectionStripsGoodFaithBounty() external {
_stake(alice, 100 * ONE);
_contributeBonus(carol, 50 * ONE);
attackRegistry.setAgreementState(IAttackRegistry.ContractState.CORRUPTED);
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.SURVIVED, false, address(0));
assertEq(pool.riskWindowStart(), 0);
assertFalse(pool.claimsStarted());
vm.expectEmit(true, true, false, true, address(pool));
emit IConfidencePool.BonusSwept(bob, recovery, 50 * ONE);
vm.prank(bob);
pool.sweepUnclaimedBonus();
assertFalse(pool.claimsStarted(), "sweep leaves correction window open");
assertEq(token.balanceOf(recovery), 50 * ONE, "bonus already diverted to recovery");
assertEq(pool.totalBonus(), 0, "tracked bonus removed before correction");
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.CORRUPTED, true, attacker);
assertEq(pool.bountyEntitlement(), 100 * ONE, "bounty excludes swept bonus");
vm.prank(attacker);
pool.claimAttackerBounty();
assertEq(token.balanceOf(attacker), 100 * ONE, "attacker receives principal only");
assertEq(token.balanceOf(recovery), 50 * ONE, "recovery keeps bonus");
}

How to Run

forge test --match-path test/poc/ConfidencePoolReflagSweepPoC.t.sol -vvv

Captured Test Output

Ran 1 test for test/poc/ConfidencePoolReflagSweepPoC.t.sol:ConfidencePoolReflagSweepPoC
[PASS] testPoC_bonusSweepBeforeCorrectionStripsGoodFaithBounty() (gas: 595180)
Suite result: ok. 1 passed; 0 failed; 0 skipped

Log-to-Impact Walkthrough

The passing PoC shows that sweepUnclaimedBonus() transfers 50 * ONE to recovery while claimsStarted remains false. The moderator then re-flags to good-faith CORRUPTED, but bountyEntitlement() is only 100 * ONE, proving the bonus was removed from the whitehat bounty.

Key Assertions Proven

assertFalse(pool.claimsStarted()) after the sweep -> proves the correction window remains open after value movement -> PASS
assertEq(pool.totalBonus(), 0) -> proves the tracked bonus is removed before the corrected snapshot -> PASS
assertEq(pool.bountyEntitlement(), 100 * ONE) -> proves the good-faith bounty excludes the swept 50 * ONE bonus -> PASS

Recommended Fix

Do not allow accounted bonus to be swept while the moderator correction window is still open. Either reserve totalBonus until a genuine claim closes the window, or make tracked-bonus sweeping close the correction window before value leaves the pool.

function sweepUnclaimedBonus() external nonReentrant {
if (outcome != PoolStates.Outcome.SURVIVED && outcome != PoolStates.Outcome.EXPIRED) {
revert OutcomeNotEligibleForSweep();
}
uint256 reserved;
if (totalEligibleStake != 0) {
reserved = totalEligibleStake;
if (riskWindowStart != 0) {
reserved += snapshotTotalBonus - claimedBonus;
}
}
+ if (!claimsStarted && (totalEligibleStake == 0 || riskWindowStart == 0)) {
+ reserved += totalBonus;
+ }
uint256 freeBalance = stakeToken.balanceOf(address(this));
uint256 amount = freeBalance > reserved ? freeBalance - reserved : 0;

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!