The setRecoveryAddress() function has no restrictions on when it can be called relative to the pool's outcome. An owner can flag CORRUPTED, change the recovery address to their own, and sweep all funds to themselves.
ConfidencePool.sol:611-617 allows the owner to change recoveryAddress at any time with only onlyOwner access control:
The function lacks:
whenPoolNotPaused modifier (unlike claim functions)
Outcome state check (can be called after CORRUPTED flagging)
Time lock (instant effect)
The owner can:
Call flagOutcome(CORRUPTED, ...) — pool enters CORRUPTED state
Call setRecoveryAddress(ownerAddress) — redirect recovery to themselves
Call claimCorrupted() — entire pool swept to owner
Optional: change recovery address back to cover tracks
The designated recovery entity receives nothing, and the owner captures the full pool.
Lock recoveryAddress after the first outcome flagging:
Or add a time-lock delay for recovery address changes after flagging.
ConfidencePool.sol:611 — setRecoveryAddress
ConfidencePool.sol:408 — claimCorrupted (uses recoveryAddress)
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.