Competitive Audits
First Flights
Leaderboard
Docs
Toggle theme
Sign up
Log in
All Contests
BattleChain Confidence Pools
Submissions
Public
BattleChain Confidence Pools
Cyfrin
Foundry
Solidity
Layer 2
7.25
ETH
Public
7.25
ETH
Jul 9th, 2026 → Jul 16th, 2026
View repo
971 / 971
Submissions
Severity
Tags
#1
Large accepted stake overflows k=2 bonus accounting and locks claims
Low
#2
Late `UNDER_ATTACK` whale captures bonus via `globalScore == 0` amount-weighted fallback
Low
#3
Claim-time overflow in `_bonusShare()` can permanently lock valid high-magnitude pools.
Low
#4
sweepUnclaimedBonus() does not latch finality, so a post-sweep moderator correction to good-faith CORRUPTED re-snapshots a depleted totalBonus and shorts the named whitehat attacker the entire bonus
Low
#5
Dust-Claim Griefing: Any Staker Can Permanently Lock the Moderator's Re-Flag Window
Medium
#6
ConfidencePool::sweepUnclaimedBonus moves real bonus without finalizing the outcome, so a pre-correction sweep permanently misdirects the whitehat's bounty
Medium
#7
_assertDepositsAllowed() missing riskWindowEnd latch allows stake() and contributeBonus() after terminal state during DAO rewind, enabling quadratic bonus theft
Medium
#8
Scope lock can be rolled back through reverting ATTACK_REQUESTED observations, allowing post-stake scope mutation
Medium
#9
`_replaceScope()` missing local `address(0)` guard allows zero address into pool scope when upstream agreement is misconfigured
Medium
#10
Unbounded `_replaceScope` loop causes permanent OOG DoS for scopes exceeding ~640 accounts — blocking pool creation and scope updates for mid-to-large protocols
Medium
#11
Open re-flag window still allows full bonus sweep, permanently stripping a later good-faith CORRUPTED bounty
High
#12
`createPool()` does not verify live registry state, allowing pool deployment for already-terminal agreements that permanently block staking
Low
#13
Centralization risk — factory `pause()` is single-admin-key controlled, allowing instant censorship of new pool creation with no time-lock or multisig
Low
#14
Locked stakers lose their entire bonus to the sponsor when the risk window is never observed on-chain
Low
#15
contributeBonus commits non-refundable value but does not lock expiry, unlike stake
Low
#16
Post-expiry pokeRiskWindow() can make an expired pool auto-resolve as CORRUPTED
Medium
#17
Post-expiry pokeRiskWindow() seals riskWindowStart from an out-of-term observation, letting the auto-CORRUPTED backstop sweep never-at-risk stakers' principal and misdirect the bonus
Low
#18
Scope stays mutable after a staker deposits during pre-attack staging, letting the sponsor repoint insured coverage out from under existing stakers (DESIGN §8 "bounded at deposit time" is actually "at lock time")
Low
#19
Recovery address remains mutable after withdrawals are disabled, allowing sponsor to redirect corrupted-resolution funds after stakers are locked
Medium
#20
Late UNDER_ATTACK staker can join the pre-seal cohort and capture bonus from earlier risk-bearers
Low
#21
Permanent reduction of Attacker Bounty due to `sweepUnclaimedBonus` during the re-flag window
Medium
#22
k=2 time-weighted bonus silently degrades to amount-weighting on a zero-duration risk window, letting a late large staker capture the bonus earned by time-at-risk
Low
#23
Permissionless `claimExpired` allows frontrunning the Moderator to lock Bad-Faith outcome
Medium
#24
Re-flagging good-faith CORRUPTED after a round-trip anchors the claim deadline in the past, permanently time-barring the legitimately-named whitehat and routing the whole pool to recoveryAddress
Low
#25
Bonus pool Denial of Service (DoS) via massive contribution during `UNDER_ATTACK`
Medium
#26
Inconsistent/Fake Safe Harbor Registry can be supplied during Clone Initialization
Medium
#27
`globalScore` precision amplification leading to reward manipulation
Medium
#28
State modification during loop execution in `_replaceScope` violates Checks-Effects-Interactions
Medium
#29
Post-expiry CORRUPTED state can retroactively forfeit an already expired pool
Medium
#30
SURVIVED/EXPIRED reserves a non-claiming staker's principal and bonus indefinitely with no time-bounded sweep, unlike the 180-day CORRUPTED path
Low
Previous
1
2
3
...
More pages
33
Next
Support
FAQs
Can't find an answer? Chat with us on Discord, Twitter or Linkedin.
What is Cyfrin CodeHawks?
What is a competitive audit?
How can I host a competition on CodeHawks?
How is a contest prize pool determined?
How do I get rewarded?
What is a First Flight?
Give us feedback!