docs/DESIGN.md §4 promises the moderator can re-flag to "fix a typo'd outcome/attacker before any participant locks in the wrong distribution." This guarantee fails for a wrong attacker address: there is no delay between flagOutcome(CORRUPTED, goodFaith=true, attacker) and claimAttackerBounty(), so the named address can take the entire pool in the same block and latch claimsStarted, permanently foreclosing the correction.
flagOutcome immediately makes the whole pool the named address's entitlement (src/ConfidencePool.sol:362). claimAttackerBounty only checks the upper deadline bound — there is no minimum-wait gate:
Setting claimsStarted = true makes the moderator's corrective re-flag revert OutcomeAlreadySet (src/ConfidencePool.sol:327). A dead-address typo is self-correcting (nobody claims); only a live/adversarial address triggers the loss — the exact case the correction window is meant to defend.
Likelihood: Low — requires a moderator naming error and a live/adversarial named address.
Impact: High — the entire pool (all staker principal + bonus) is transferred to the wrong party, irreversibly.
test/poc/ManualReviewPoC.t.sol::testPoC_misNamedAttackerDrainsPoolAndForeclosesCorrection:
Result (forge test --match-test testPoC_misNamedAttacker -vvvv):
Add a mandatory delay between the good-faith flag and the first bounty claim, so the documented correction window is real. This keeps the 180-day claim window intact while giving the moderator time to correct a mistyped attacker before value moves.
(add error CorrectionWindowOpen(); to IConfidencePool).
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.