The protocol explicitly allows the moderator to call flagOutcome() multiple times before any claims begin so that mistakes (such as an incorrect attacker address) can be corrected. However, when correcting a good-faith corruption by updating the attacker address, the associated corruptedClaimDeadline is not recalculated.
If the moderator initially flags the wrong attacker, becomes inactive for an extended period, and later corrects the mistake, the intended attacker may receive only a shortened claim window—or no usable claim window at all—despite the protocol permitting re-flagging for this exact purpose.
The documentation in flagOutcome() states:
When a good-faith corruption is flagged, the contract initializes the claim window:
Notice that _firstGoodFaithCorruptedAt is only assigned once.
Subsequent calls to flagOutcome() reuse the original timestamp:
The comments also explicitly state:
This behavior creates an edge case where the intended purpose of re-flagging (correcting moderator mistakes) conflicts with the fixed claim window.
The moderator flags a good-faith corruption.
The moderator accidentally specifies the wrong attacker address.
The legitimate attacker cannot claim because they are not the recorded attacker.
The moderator becomes inactive for a significant period.
Before any claims occur, the moderator returns and corrects the attacker address using the permitted re-flag mechanism.
Since corruptedClaimDeadline is derived from the original timestamp, the deadline may have already expired or have very little time remaining.
The legitimate attacker may therefore lose the opportunity to claim the bounty, even though the incorrect address was successfully corrected.
This issue does not affect protocol funds or enable theft.
However, it can prevent the intended bounty recipient from exercising their claim due to an expired or substantially shortened claim window after a moderator correction.
As a result:
the re-flag mechanism may not fully achieve its documented purpose of correcting moderator mistakes,
a legitimate attacker could lose their bounty solely because the correction occurred after the original deadline had largely elapsed,
the effective claim period becomes dependent on moderator responsiveness following an initial typo.
If the protocol intends re-flagging to fully correct an incorrect attacker assignment, consider refreshing the claim window whenever the attacker address is modified before any claims have started.
Alternatively, if preserving the original deadline is an intentional design decision to prevent deadline extensions, this limitation should be explicitly documented so that moderators understand that correcting an attacker address does not provide the corrected recipient with a fresh claim window.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.