FoundrySolidityLayer 2
7.25 ETH
Submission Details
Impact: medium
Likelihood: medium

sweepUnclaimedBonus can remove accounted bonus after a moderator SURVIVED flag while the outcome remains re-flaggable, underfunding a later good-faith CORRUPTED correction

Author Revealed upon completion

Root + Impact

Description

The moderator can re-flag an outcome until claimsStarted becomes true. This is meant to let the moderator correct an initial outcome before anyone relies on it through a claim.

sweepUnclaimedBonus() can move accounted bonus to recoveryAddress without setting claimsStarted. When riskWindowStart == 0, a moderator SURVIVED flag leaves the bonus unreserved, so the whole bonus can be swept even while the moderator can still correct the outcome. The sweep also reduces totalBonus.

If the moderator later corrects to good-faith CORRUPTED, the new bounty snapshot uses the reduced totalBonus. The named attacker receives less than the original pool balance, while the sponsor-controlled recoveryAddress has already received the bonus.

// src/ConfidencePool.sol
function flagOutcome(PoolStates.Outcome newOutcome, bool goodFaith_, address attacker_) external onlyModerator {
// @> Re-flagging is allowed until claimsStarted is true.
if (outcome != PoolStates.Outcome.UNRESOLVED && claimsStarted) revert OutcomeAlreadySet();
...
// @> The corrected outcome snapshots the current live accounting.
snapshotTotalStaked = totalEligibleStake;
snapshotTotalBonus = totalBonus;
...
bountyEntitlement = willBeGoodFaithCorrupted ? snapshotTotalStaked + snapshotTotalBonus : 0;
}
// src/ConfidencePool.sol
function sweepUnclaimedBonus() external nonReentrant {
if (outcome != PoolStates.Outcome.SURVIVED && outcome != PoolStates.Outcome.EXPIRED) {
revert OutcomeNotEligibleForSweep();
}
uint256 reserved;
if (totalEligibleStake != 0) {
reserved = totalEligibleStake;
// @> With no observed risk window, the bonus is not reserved.
if (riskWindowStart != 0) {
reserved += snapshotTotalBonus - claimedBonus;
}
}
uint256 freeBalance = stakeToken.balanceOf(address(this));
uint256 amount = freeBalance > reserved ? freeBalance - reserved : 0;
if (amount == 0) revert NothingToSweep();
if (totalEligibleStake == 0 || riskWindowStart == 0) {
// @> Accounted bonus is removed before the correction.
totalBonus -= amount <= totalBonus ? amount : totalBonus;
}
// @> claimsStarted is not set, so the outcome remains correctable.
stakeToken.safeTransfer(recoveryAddress, amount);
}

Risk

Likelihood:

  • The moderator flags SURVIVED while no risk window was observed, or while no eligible stake remains.

  • The moderator corrects that SURVIVED outcome to good-faith CORRUPTED after sweepUnclaimedBonus() runs and before any claim sets claimsStarted.

Impact:

  • The named good-faith attacker receives a reduced bounty because swept bonus is excluded from the corrected snapshot.

  • Funds that should remain available during the correction window can be sent to the sponsor-controlled recoveryAddress.

Proof of Concept

test/unit/SweepUnclaimedBonus.t.sol:SweepUnclaimedBonusTest.testBonusSweepBeforeCorrectionReducesBountyPaidToAttacker

function testBonusSweepBeforeCorrectionReducesBountyPaidToAttacker() external {
address sponsor = makeAddr("sponsor");
pool.setRecoveryAddress(sponsor);
_stake(alice, 100 * ONE);
_contributeBonus(carol, 50 * ONE);
attackRegistry.setAgreementState(IAttackRegistry.ContractState.CORRUPTED);
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.SURVIVED, false, address(0));
assertEq(pool.riskWindowStart(), 0);
assertEq(pool.snapshotTotalStaked(), 100 * ONE);
assertEq(pool.snapshotTotalBonus(), 50 * ONE);
vm.prank(sponsor);
pool.sweepUnclaimedBonus();
assertFalse(pool.claimsStarted(), "sweep leaves correction window open");
assertEq(token.balanceOf(sponsor), 50 * ONE);
assertEq(token.balanceOf(address(pool)), 100 * ONE);
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.CORRUPTED, true, attacker);
assertEq(pool.snapshotTotalStaked(), 100 * ONE);
assertEq(pool.snapshotTotalBonus(), 0);
assertEq(pool.bountyEntitlement(), 100 * ONE);
vm.prank(attacker);
pool.claimAttackerBounty();
assertEq(token.balanceOf(attacker), 100 * ONE);
assertEq(token.balanceOf(sponsor), 50 * ONE);
assertEq(token.balanceOf(address(pool)), 0);
}
// State:
// - totalEligibleStake = 100
// - totalBonus = 50
// - riskWindowStart = 0
// - registry state = CORRUPTED
//
// 1. Moderator flags SURVIVED, initially treating the breach as out of scope.
// snapshotTotalStaked = 100, snapshotTotalBonus = 50.
// 2. Sponsor or any caller calls sweepUnclaimedBonus().
// reserved = 100, amount = 50, totalBonus becomes 0, and 50 tokens go to recoveryAddress.
// claimsStarted remains false.
// 3. Moderator corrects to good-faith CORRUPTED and names the whitehat.
// bountyEntitlement = snapshotTotalStaked + snapshotTotalBonus = 100 + 0.
// 4. The whitehat cannot claim the 50 bonus tokens already swept to recoveryAddress.

Recommended Mitigation

Prevent accounted bonus from leaving while the outcome remains re-flaggable, or close the correction window when the sweep moves accounted value.

if (totalEligibleStake == 0 || riskWindowStart == 0) {
totalBonus -= amount <= totalBonus ? amount : totalBonus;
+ if (!claimsStarted) claimsStarted = true;
}

Another option is to separate donation-only sweeping from accounted-bonus sweeping. Only donation-only sweeps should leave claimsStarted unchanged.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!