Description
The protocol calculates a deterministic 180-day claim window (CORRUPTED_CLAIM_WINDOW) starting from the time a good-faith corrupted status is flagged, giving designated attackers an active period to claim their bounty rewards.
An unsafe explicit downcast from uint256 to uint32 is performed when calculating corruptedClaimDeadline. If the computed timestamp sum exceeds the maximum storage capacity of a uint32 variable, the value silently truncates and wraps around to an early historical timestamp instead of throwing an overflow panic.
The protocol is designed to calculate a deterministic 180-day grace period starting from the timestamp a good-faith status is flagged, ensuring that designated bounty claimants have an active window to withdraw their rewards. Under normal conditions, the calculated deadline timestamp should cleanly store in the state and accurately validate future claims against the current block time.
An explicit downcast from uint256 to uint32 is performed when calculating corruptedClaimDeadline without validating the maximum size limits of the destination type. If the mathematical sum of the initial timestamp and the grace period exceeds type(uint32).max, the value silently truncates and wraps around to an early historical integer, causing the claim window to instantly expire and permanently locking the associated bounty rewards.
Likelihood: Low
Reason 1: Deployment and operation of the protocol late in the Unix uint32 timeline (approaching February 2106) forces the mathematical sum of the timestamps to exceed 4,294,967,295.
Reason 2: Explicit downcasting from uint256 to uint32 deliberately bypasses standard Solidity 0.8.x overflow panic checks, allowing truncation to occur silently without triggering an automatic transaction revert.
Impact: High
Impact 1: Complete denial of service for legitimate claimants attempting to call claimAttackerBounty due to immediate truncation-driven expiration checks.
Impact 2: Irrecoverable locking of designated bounty rewards within the pool instance state, violating the structural economic distribution rules of the protocol.
The following minimal test illustrates the mathematical truncation flow showing how the corruptedClaimDeadline calculated variable wraps around to the past when operating near the boundary constraints:
Validate the upper bounds of the summation parameters using standard uint256 storage precision types prior to implementing the typecast sequence:
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.