Before any claim, the moderator can re-flag the outcome freely. flagOutcome() allows re-flag when outcome != UNRESOLVED && claimsStarted == false (Pool:327). The moderator can initially flag CORRUPTED, goodFaith=true, attacker=whitehat — setting bountyEntitlement = snapshotTotalStaked + snapshotTotalBonus — then re-flag to CORRUPTED, goodFaith=false before the whitehat can claim. bountyEntitlement is zeroed (Pool:362), and claimAttackerBounty reverts at Pool:435 with InvalidGoodFaithParams.
The _firstGoodFaithCorruptedAt guard (Pool:364) only prevents deadline extension, not outcome re-flagging.
Likelihood: Low. Requires the moderator (DAO-trusted role) to act maliciously. The moderator can already cause far greater damage (e.g., flagging SURVIVED on a genuine breach).
Impact: Medium for whitehat trust. A promised bounty can be revoked with no on-chain recourse. This undermines the whitehat incentive model — the entire purpose of the good-faith CORRUPTED path is to reward security researchers.
Once a good-faith CORRUPTED flag is set with a named attacker, prevent re-flagging to a different CORRUPTED variant. Allow only SURVIVED as a re-flag target (or none at all). A simpler fix: set claimsStarted = true on any good-faith CORRUPTED flag, closing the re-flag window immediately.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.