The sponsor can front-run a CORRUPTED resolution with setRecoveryAddress(attackerControlled) and redirect the entire pool sweep to a scam address, leaving stakers with nothing.
setRecoveryAddress is an owner-only function that lets the sponsor designate a fallback address for unclaimed and CORRUPTED-path sweeps. Stakers inspect this address before depositing as a trust assumption.
setRecoveryAddress has no timing guard — it can be called at any point, including after the outcome is finalized, after claims have started, and between partial sweeps. In the CORRUPTED path, the sponsor can front-run the moderator's flagOutcome(CORRUPTED, ...) transaction, point recoveryAddress to a scam wallet, and have the entire pool swept there.
Likelihood:
A CORRUPTED registry transition becomes visible in the mempool and the moderator's flagOutcome transaction is pending — the sponsor front-runs it with setRecoveryAddress
The sponsor can also change recoveryAddress between partial sweeps under good-faith CORRUPTED to redirect residual funds
Impact:
Under bad-faith CORRUPTED, the entire pool (principal + bonus) is swept to the sponsor's scam address instead of the address stakers verified at deposit time
Under good-faith CORRUPTED, the post-bounty residual is redirected to the sponsor's new address
Run:
Alternatively, freeze at resolution time:
The first option preserves sponsor flexibility during pre-staking setup; the second is simpler but locks after first resolution.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.