The specification guarantees that a goodFaith_= true and CORRUPTED resolution pays the named whitehat the entire pool, principal and bonus, and explicitly states this holds even when riskWindowStart == 0.
See
docs/DESIGN.md§12: "the entire pool is the named attacker's bounty" (snapshotTotalStaked + snapshotTotalBonus), andprotocol-readme.md: CORRUPTED sweeps "the pool whole, bonus included."
sweepUnclaimedBonus() breaks that guarantee. It is callable while the outcome is still a re-flaggable moderator SURVIVED, it does not latch claimsStarted, and in the riskWindowStart == 0 branch it irreversibly transfers the entire bonus to recoveryAddress and zeroes totalBonus. When the moderator then corrects the outcome to good-faith CORRUPTED, flagOutcome re-snapshots snapshotTotalBonus == 0, so bountyEntitlement collapses to snapshotTotalStaked. The whitehat is paid principal only, the bonus they are entitled to is stranded at the sponsor-controlled recoveryAddress.
Because the sweep is permissionless and the sponsor owns recoveryAddress, the sponsor (or anyone acting in their interest) can front-run the moderator's SURVIVED → CORRUPTED correction, turning a legitimate outcome correction into an irreversible, self-profiting diversion of the whitehat's bounty.
The documentation states that good-faith CORRUPTED pays the whitehat the whole pool including the bonus:
docs/DESIGN.md §12 (CORRUPTED bounty mechanics):
"For good-faith CORRUPTED,
bountyEntitlementandcorruptedReserveare both set tosnapshotTotalStaked + snapshotTotalBonus.
sweepUnclaimedBonus() applies the "no observable risk → bonus to recoveryAddress" decision to a non-final outcome, and does so irreversibly:
A moderator SURVIVED flag does not set claimsStarted either, so between a SURVIVED flag and a CORRUPTED correction the bonus can be permanently removed. flagOutcome then re-snapshots the depleted totalBonus:
Note the contradiction with DESIGN.md §4, which justifies the finality latch by asserting *"once value has left the contract, a corrective re-flag cannot be honored without breaking balance accounting", yet sweepUnclaimedBonus lets value leave and keeps the re-flag window open, precisely the state §4 says should not exist.
Let's walk through an example to better understand the issue.
flagOutcome(SURVIVED, false, 0), claimsStarted stays false.
sweepUnclaimedBonus(), called by any address (in practice the sponsor, who owns recoveryAddress). riskWindowStart == 0 ⇒ the entire bonus is swept to recoveryAddress; totalBonus → 0; claimsStarted still false.
flagOutcome(CORRUPTED, true, whitehat), moderator corrects to goodFaith_= true and CORRUPTED (allowed, claimsStarted == false). Re-snapshot ⇒ snapshotTotalBonus == 0, bountyEntitlement == snapshotTotalStaked.
claimAttackerBounty(), whitehat receives snapshotTotalStaked (principal only). The bonus is gone.
Likelihood:
Medium likelihood because sweepUnclaimedBonus() is permissionless and can be called by anyone and reflagging can occur during normal operation.
Impact:
High impact because the whitehat loses part of the funds (the bonus) and contradicts the specification defined in DESIGN.md.
Run:
test/poc/SweepReflagBountyLeak.poc.t.sol:
Do not let sweepUnclaimedBonus() release the bonus while the outcome is still re-flaggable, only sweep the bonus once the outcome is final.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.