• Stakers deposit into a Confidence Pool after inspecting on-chain parameters, including recoveryAddress, which is the destination for bad-faith CORRUPTED full-pool sweeps and post-window CORRUPTED remainder sweeps. The protocol already treats deposit-time reliance as security-critical for expiry: the first successful stake sets expiryLocked = true, so the sponsor cannot move the deadline after capital is committed.
• setRecoveryAddress has no equivalent protection. It remains callable by the pool owner for the entire pool lifetime—after stakes, after risk locks withdrawals, and even after a CORRUPTED flag. A sponsor who is malicious or compromised can repoint recovery to an address stakers never accepted, then capture 100% of principal + bonus on bad-faith CORRUPTED (or residual funds on the good-faith path). This breaks the on-chain parameter set that stakers underwrote and is strictly weaker than the immutability model already applied to expiry.
Likelihood:
A pool sponsor becomes malicious or key-compromised after deposits have begun, and later a CORRUPTED outcome is finalized via bad-faith flagOutcome or via auto-CORRUPTED after the moderator grace window.
• A single setRecoveryAddress transaction after the first stake is sufficient. Once the registry has been observed in an active-risk state, withdraw is permanently disabled, so stakers cannot exit before the redirected CORRUPTED sweep.
Impact:
On bad-faith CORRUPTED, 100% of staker principal and bonus is transferred to a recovery address that can differ from the address stakers verified at deposit time.
• On good-faith CORRUPTED, the named attacker bounty is snapshot-capped, but residual balance, post-deadline sweepUnclaimedCorrupted funds, and post-resolution donations still follow the live recoveryAddress, which the sponsor can repoint after the flag.
Alice and Carol deposit while recoveryAddress is still the original, advertised recovery address.
The pool owner (sponsor) calls setRecoveryAddress(evilRecovery) after those deposits no staker consent required.
The registry is moved through active risk into CORRUPTED, and the moderator flags bad-faith CORRUPTED.
claimCorrupted sweeps the entire pool balance (stake + bonus = 150e18) to evilRecovery.
The original recovery address receives zero, demonstrating that deposit-time verification of recoveryAddress is not binding.
Why the steps matter
• Step 1 establishes staker reliance on the initial recovery parameter (the same diligence stakers are told to perform for on-chain pool config).
• Step 2 is the root cause in action: setRecoveryAddress is unrestricted after stake, unlike setExpiry.
• Steps 3-4 show the fund path that actually moves principal: bad-faith CORRUPTED → claimCorrupted → safeTransfer(recoveryAddress, ...).
• Step 5 makes the impact measurable: full economic loss relative to the address stakers thought would receive CORRUPTED recovery.
Goal: Make recoveryAddress as sticky as expiry once any staker has committed capital, so deposit-time verification remains valid through CORRUPTED resolution.
Approach: Introduce a one-way recoveryLocked flag set on the first successful stake, and gate setRecoveryAddress on that flag (mirror expiryLocked). This preserves sponsor freedom to set recovery at create time / pre-stake, while preventing post-deposit rugs of the CORRUPTED destination.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.