The bonus distribution logic can give a meaningful bonus share to a staker who enters only after the agreement is already in the UNDER_ATTACK state.
A staker who enters after the active-risk phase has already started should not be treated as economically equivalent to stakers who were exposed before that phase. However, when the active-risk window starts and ends in the same timestamp, the bonus calculation falls back to amount-weighted distribution.
This allows a late UNDER_ATTACK staker to capture a meaningful part of the bonus and dilute earlier stakers.
The affected route is:
stake()
_assertDepositsAllowed()
_observePoolState()
_markRiskWindowStart()
_markRiskWindowEnd()
flagOutcome()
claimSurvived() / claimExpired()
_bonusShare()
Deposits are allowed during UNDER_ATTACK. If the late deposit is the interaction that first observes the active-risk state, riskWindowStart is recorded at the current timestamp. If the terminal state is then observed in the same timestamp, riskWindowEnd is recorded at the same timestamp.
This creates riskWindowStart == riskWindowEnd.
When this happens, the time-weighted bonus score becomes zero and _bonusShare() falls back to amount-weighted distribution. The late UNDER_ATTACK staker is then included in the same amount-weighted bonus cohort as earlier stakers.
Medium.
The issue requires a specific ordering where a stake is added during UNDER_ATTACK and the risk window resolves without measurable elapsed time. This path is reachable in the tested state sequence and does not require a non-standard ERC20 token, malicious token behavior, owner privilege, or direct contract modification.
High.
The affected value is the bonus pool allocated to stakers. A late entrant can receive a meaningful share of that bonus despite entering only after the active-risk phase is already active.
In the large-stake scenario, the late entrant captures almost the entire bonus pool, heavily diluting the earlier staker.
This breaks the intended risk/reward relationship between earlier exposed stakers and late active-risk entrants.
A Foundry test was added under:
test/internal_round3/Round3UnderAttackBonus.t.sol
Command:
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.