Confidence Pools are intended to let stakers underwrite an agreement until the pool's immutable
expiry. After expiry, anyone may call claimExpired() to resolve the pool. A known
CORRUPTED agreement is held for MODERATOR_CORRUPTED_GRACE so the outcome moderator can make
the scope-aware and good-faith determination before the permissionless fallback is available.
claimExpired() measures that entire grace period from the pool's expiry, rather than from the
time at which the agreement became CORRUPTED. Therefore, a pool that remains unresolved until
expiry + MODERATOR_CORRUPTED_GRACE can receive a brand-new CORRUPTED state and be immediately
resolved as bad-faith CORRUPTED. The pool neither records nor queries a corruption timestamp, so
it cannot distinguish a breach during the covered term from one that occurred after the term.
Likelihood:
Pools remain unresolved after expiry because claiming is optional and neither
claimExpired() nor the staker claim paths impose a deadline on stakers.
An agreement can remain in UNDER_ATTACK through expiry + MODERATOR_CORRUPTED_GRACE, then
transition to CORRUPTED. A permissionless pokeRiskWindow() at that point records
riskWindowStart = expiry, and the first claimExpired() call immediately takes the
auto-CORRUPTED branch.
Impact:
A corruption occurring outside the coverage term retroactively changes an expired pool into
bad-faith CORRUPTED; every unclaimed staker principal and the bonus become sweepable to
recoveryAddress.
claimsStarted is set during the mechanical resolution, preventing the outcome moderator from
subsequently selecting SURVIVED for an out-of-scope incident or assigning a good-faith bounty.
Add the following test to a test contract inheriting BaseConfidencePoolTest:
The repository PoC is available at
test/audit/ExpiryCorruptedAndK2Boundary.t.sol.
It passes with:
The authoritative registry should expose an immutable corruptedAt timestamp. The pool must
only apply its corruption path to incidents that occurred no later than the pool's coverage
deadline; a post-expiry incident must not alter the expired pool's result.
Without a trustworthy upstream incident timestamp, the pool cannot reliably distinguish a
pre-expiry breach reported late from a genuine post-expiry breach. In that case, a scope-blind,
permissionless auto-CORRUPTED fallback should not finalize a terminal state first observed after
expiry; moderator-mediated settlement is required.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.