The goodFaith attacker should be able to claim their entire bounty amount as long as they actively call claimAttackerBountyBut that is not the case if the stakeToken used in the pool is a debasing token.
When a pool contains a debasing token that decreases the contract balance below the snapshotted bountyEntitlement, the attacker's initial claim is capped by the current balance of the pool, leaving bountyClaimed < bountyEntitlement. once corruptedClaimDeadline passes, the contract permanently blocks the attacker from claiming the remaining balance by reverting with ClaimWindowExpired(), even if the pool balance later replenished (e.g via direct deposit or depositBonus function call). These remaining funds are instead swept to the recoveryAddress via sweepUnclaimedCorrupted.
Let's walk through your possible arguments and my response
Your argument: The protocol does not accept weird tokens, such as rebase tokens and others
My response: Yes you have a point but while the protocol stated that they don't allow weird tokens they explicitly left a comment inside the stake function that explains why they defensively program against such tokens despite the fact that they don't allow such tokens they still write the ConfidencePool.sol codebase to be bulletProof against such tokens because of their reasons as stated inside the stake function of the contract. shown below
As you can see, the programmer explicitly made it clear that they programmed the contract to be bullet-proofed against weird tokens in the case that their is a governace error that allowed such tokens or a proxy-token that was not initally weird when it was approved becomes weird later after upgrade of it's implementation contract.
So that makes your statement The protocol does not accept weird tokens, such as rebase tokens and others invalid and totally wrong.
The claimAttackerBounty function reverts as shown above from the point corruptedClaimDeadline pass which makes sense as that was how it was designed but the attacker is actively claiming and looking forward to claim the balance of the bounty amount as soon as the pool balance gets top-up but they couldn't because no top-up came until corruptedClaimDeadline passed and now the protocol punishes them, it is not their fault that no top-up arrived till after corruptedClaimDeadline
You may argue that yes that is completely fine there is nothing the protocol can do about it the claiming time has passed and that is it, the attacker should forget their balance which doesn't make sense but let's assume for a second that we accept that what about the state of the pool bountyClaimed and bountyEntitlement That isn't the same as when the attacker has claimed, and the corruptedClaimDeadline has passed?
Thats an inconsistency in the protocol state which is not supposed to happen, it is either the protocol open claim for the attacker till they are able to claim all their bountyEntitlement or they set bountyClaimed to bountyEntitlement once the attacker claim to signify that the attacker have successfully claimed their bounty regardles of wether the token balance debased or not
Likelihood:
This will happen when the attacker claim their bounty while the total balance of the pool is lesser than the snapShotted amount bountyEntitlement at the moment of resolution
Reason 2
Impact:
It will make the attacker lose out on some of their bountyEntitlement not because they are inactive, but because the token debase and no top-up happened till corruptedClaimDeadline passed. Meaning the protocol punished them for what is out of their control
Impact 2
Create a file named ConfidenceBountyDebaseVulnerability.t.test and paste the code below in it. then run the test with forge test --mt testBountyClaimedBlockDeadlineWhenDebased
You can either set bountyClaimed to be equal to bountyEntitlement once the attacker has claimed, regardless of whether the amount available in the pool is equal bountyEntitlement or not, which ensures that the attacker is not owed while declining his payment
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.