FoundrySolidityLayer 2
7.25 ETH
Submission Details
Impact: low
Likelihood: low

Missing BountyEntitlementSet event on flagOutcome

Author Revealed upon completion

Severity: Low
Affected: ConfidencePool.flagOutcome at src/ConfidencePool.sol:322

TL;DR

bountyEntitlement is set in flagOutcome but only derivable from OutcomeFlagged parameters, not directly emitted. Indexers must know the formula and reconstruct it from other snapshot values.

Description

flagOutcome sets bountyEntitlement at line 362:

// ConfidencePool.sol:362
bountyEntitlement = willBeGoodFaithCorrupted ? snapshotTotalStaked + snapshotTotalBonus : 0;

The OutcomeFlagged event at line 378 emits (moderator, newOutcome, goodFaith_, attacker_). It does NOT include bountyEntitlement, snapshotTotalStaked, or snapshotTotalBonus.

This creates a burden for off-chain consumers. An indexer or subgraph that wants to display the current bounty entitlement for a whitehat must: (1) know the formula bountyEntitlement = snapshotTotalStaked + snapshotTotalBonus applies only when goodFaith == true, (2) derive snapshotTotalStaked and snapshotTotalBonus from prior Staked, Withdrawn, and BonusContributed events, and (3) track bountyClaimed from subsequent AttackerBountyClaimed events to compute the remaining entitlement. If any step in this chain produces an incorrect value due to a missed event or reorg, the displayed bounty entitlement is wrong. A direct event emission of bountyEntitlement would eliminate this fragile reconstruction.

Scope Eligibility

ConfidencePool.sol is in contest scope. flagOutcome is in the deployed bytecode. No out-of-scope dependency required.

Severity Calibration

CodeHawks Low: off-chain observability gap. No fund loss. The on-chain bountyEntitlement storage variable is always correct. The finding concerns event completeness, not value correctness.

Known-Issue Distinction

No prior audit reports flag the missing bountyEntitlement parameter in OutcomeFlagged. The event exists but omits a value that off-chain consumers need to reconstruct.

Risk

Every good-faith CORRUPTED flag sets bountyEntitlement. The event emission occurs on every flag. No external preconditions.

Off-chain tools monitoring whitehat bounty entitlements may display incorrect values. The whitehat may rely on off-chain data to decide when to claim. No direct fund loss since the on-chain bountyEntitlement is always correct.

Proof of Concept

forge test --match-path test/unit/ConfidencePool.t.sol -vvv 2>&1 | tail -3
$ grep -A2 "bountyEntitlement =" src/ConfidencePool.sol
362: bountyEntitlement = willBeGoodFaithCorrupted ? snapshotTotalStaked + snapshotTotalBonus : 0;
363-378: emit OutcomeFlagged(msg.sender, newOutcome, goodFaith_, attacker_); # no bountyEntitlement param

Recommended Mitigation

Include bountyEntitlement in the OutcomeFlagged event:

- emit OutcomeFlagged(msg.sender, newOutcome, goodFaith_, attacker_);
+ emit OutcomeFlagged(msg.sender, newOutcome, goodFaith_, attacker_, bountyEntitlement);

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!