BreakInvariantBounty claim can be front-runned by owner

[frangio]

BreakInvariantBounty allows to place a bounty that can be claimed automatically if a set of invariants is broken. The Bounty contract can be destroyed by the owner to recover the money once it makes no more sense to have a bounty up for this contract. This functionality can be abused by the owner to front-run the claim by the researcher once the information for the hack has already been revealed in the blockchain.

A possible fix is to create the bounty with a deadline, after which the bounty is returned to the bounty "sponsor". This gives the researcher security that they will be able to claim the bounty. There is still the problem of being front-runned by other researchers though.

[nventuro]

There is still the problem of being front-runned by other researchers though.

Any ideas on this front?

[nventuro]

While considering fixes, we should keep this comment in mind. (#1356)

[nventuro]

BreakInvariantBounty was removed in #1424 until this issue is solved.

[nventuro]

Closing since BreakInvariantBounty is not part of OpenZeppelin anymore.