expiry may be set up to type(uint32).max. The good-faith claim deadline is computed then cast back to uint32; when flagged within 180 days of the ceiling the cast wraps to a past value, so claimAttackerBounty reverts ClaimWindowExpired and the bounty is forfeited.
src/ConfidencePool.sol:364-372:
The uint256 sum is truncated by the uint32(...) cast. If now + 180 days > type(uint32).max, the stored deadline is a small past timestamp, and the named attacker can never claim.
Likelihood: Low — requires expiry near type(uint32).max and a good-faith flag within 180 days of it (~2105–2106).
Impact: High (in that regime) — a valid whitehat bounty becomes permanently unclaimable and the pool sweeps to recoveryAddress instead.
test/poc/ManualReviewPoC.t.sol::testPoC_deadlineUint32TruncationForfeitsBounty:
Result (-vv):
4309552000 overflows type(uint32).max (4294967295) and truncates to 14584704.
Reject the overflowing flag before the cast (the addition promotes to uint256, so the compare is safe), or store the two timestamps as uint256.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.