The ConfidencePool design fundamentally assumes pools are created during a pre-attack staging phase (NOT_DEPLOYED or NEW_DEPLOYMENT). This allows stakers a period to safely deposit funds, review the scope, and freely withdraw before any risk materializes.
The ConfidencePoolFactory.createPool() function validates registration (isAgreementValid(agreement)) but fails to verify the agreement's live state. This allows a Sponsor to deploy a pool for an agreement that is already in an active-risk state (UNDER_ATTACK or ATTACK_REQUESTED).
While the contract's documentation explicitly accepts that late deposits into an already UNDER_ATTACK pool will "self-lock" (this is intended behavior for existing pools), deploying a fresh pool in this state breaks the overarching assumption that newly created pools begin in a safe staging phase. It allows a bad-faith Sponsor to create a deceptive pool listing that has no legitimate staging window and no true economic purpose.
Likelihood: Medium
An agreement can enter ATTACK_REQUESTED entirely via a self-service action by the Sponsor (no DAO approval needed), meaning they can unilaterally trigger this condition right before deploying the pool.
To trigger the UNDER_ATTACK condition, the Sponsor simply deploys the pool immediately after a DAO approveAttack transaction lands on-chain.
Impact: Medium
Deceptive Pool Listings & Assumption Mismatch: Any off-chain tooling, listing UI, or staker heuristic that treats a "newly created pool" as shorthand for "still in safe staging phase" is silently violated.
Stakers depositing into this pool are immediately subject to the documented UNDER_ATTACK self-lock. Their withdraw() is permanently disabled on their first interaction.
Perverse Bonus Weighting: Because the trapped staker's deposit is the first interaction that observes the active risk state, it sets riskWindowStart to the exact block timestamp of their entry. Since entryTime == riskWindowStart, the k=2 bonus formula treats them as if they had been carrying risk from the very beginning of the window, granting them the maximum possible bonus weighting.
While not a novel fund-safety bug (stakers could have checked the public registry state), it breaks a core product-integrity assumption and creates a deceptive surface where the pool's economic purpose (accepting capital before risk exists) never applies.
Add an explicit check to the Factory to ensure the agreement is in a valid staging state before deploying the pool. This enforces the staging-phase invariant the pool design assumes at creation time, preventing deceptive/no-op pool listings, while also preventing gas-waste for terminal states.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.