SAFETY

No stranded funds. No drain path.

Eight structural guarantees. The contract becomes fully immutable after BurnBomb #001.

01 Pull-payment pattern everywhere

Winners call withdraw() to claim. Seed dividend recipients call withdrawSeedDividend(). Refunders call refundMyClaim(). The contract never iterates external payouts. Zero DoS surface.

02 Permissionless re-roll · no stuck rounds

If the keeper fails to settle within Ethereum's 256-block blockhash window (~50 min), anyone can call reroll(roundId). The round gets a new reveal block and a new target, and the caller earns a small bounty.

The caller cannot influence the target. The bounty is bounded. The attack surface is zero. The only way a round CAN'T settle is if Ethereum itself halts.
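The guard described above, as an added Solidity sketch. This is illustrative code, not the project's contract: REVEAL_DELAY, REROLL_BOUNTY, the join() entry helper and the pending[] pull ledger are assumptions made here. The point it shows is the pair of checks: settle() refuses a zero blockhash, and reroll() only opens once that zero is guaranteed, with the new reveal block fixed relative to the current block so the caller cannot know its hash.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example of the permissionless re-roll guard. Not the project's contract;
/// REVEAL_DELAY, REROLL_BOUNTY, join() and the pending[] ledger are assumptions.
contract RerollSketch {
    struct Round {
        uint256 revealBlock;  // block whose hash seeds the target
        uint256 pot;          // ETH locked in the round, in wei
        address[] entries;    // one entry per claimed slot
        bool settled;
    }

    mapping(uint256 => Round) public rounds;
    mapping(address => uint256) public pending;   // pull-payment ledger, drained by a withdraw()

    uint256 public constant HASH_WINDOW = 256;           // EVM: blockhash() is 0 outside the last 256 blocks
    uint256 public constant REVEAL_DELAY = 5;            // assumed: blocks between scheduling and reveal
    uint256 public constant REROLL_BOUNTY = 0.001 ether; // assumed: fixed, small relative to any pot

    /// Minimal entry path so the sketch is self-contained (assumed; stands in for claim()).
    /// Entries close once the reveal block is mined, so nobody joins knowing the seed.
    function join(uint256 roundId) external payable {
        Round storage r = rounds[roundId];
        require(!r.settled, "already settled");
        require(msg.value > 0, "no value");
        if (r.entries.length == 0) {
            r.revealBlock = block.number + REVEAL_DELAY;
        } else {
            require(block.number < r.revealBlock, "entries closed");
        }
        r.entries.push(msg.sender);
        r.pot += msg.value;
    }

    /// The keeper's normal path. Only works while the reveal block's hash is still readable.
    function settle(uint256 roundId) external {
        Round storage r = rounds[roundId];
        require(!r.settled, "already settled");
        require(r.entries.length > 0, "empty round");
        require(block.number > r.revealBlock, "reveal block not mined yet");

        bytes32 seed = blockhash(r.revealBlock);
        // Once revealBlock is more than 256 blocks old, blockhash() returns 0. Settling on
        // that value would make the outcome predictable, so refuse and wait for reroll().
        require(seed != bytes32(0), "hash window lapsed; reroll() required");

        r.settled = true;                                   // effect before any credit
        address winner = r.entries[uint256(seed) % r.entries.length];
        pending[winner] += r.pot;                           // whole pot here; the real split is a separate concern
        r.pot = 0;
    }

    /// Anyone may call this once the window has lapsed. The caller chooses when, never
    /// what: the new reveal block is fixed relative to the current block, so its hash
    /// does not exist yet. The bounty is a constant and is credited pull-style.
    function reroll(uint256 roundId) external {
        Round storage r = rounds[roundId];
        require(!r.settled, "already settled");
        require(r.entries.length > 0, "empty round");
        require(block.number > r.revealBlock + HASH_WINDOW, "still settleable; call settle()");
        require(r.pot > REROLL_BOUNTY, "pot too small for bounty");

        r.revealBlock = block.number + REVEAL_DELAY;
        r.pot -= REROLL_BOUNTY;
        pending[msg.sender] += REROLL_BOUNTY;
    }
}
```

The two window checks are deliberately complementary: settle() needs block.number in (revealBlock, revealBlock + 256], reroll() needs block.number beyond that, so there is no block at which both are callable and no block at which neither is.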

03 Two refund paths · normal is instant

Normal refund (instant): if 24h passes during seed phase without crossing the 3Ξ threshold, the round auto-enters refund state. Every claimer calls refundMyClaim() immediately. No waiting. This is the path 99% of failure modes take.

Emergency refund (90-day delay, last resort): if a round is genuinely stuck due to some unforeseen state, the owner can call emergencyResolveStuckRound() to flip it to refund-eligible. Effect: each claimer then pulls their ETH. Even here, owner CANNOT drain:

  • Owner has no recipient parameter.
  • Owner cannot specify amounts.
  • Function only enables per-claimer refunds.
  • Strict requirement: round ≥ 90 days old AND unsettled.
  • Path is removed entirely by freezeAdmin().

04 Run-once-then-revoke admin model

Contract ships with three admin functions: pause, unpause, emergencyResolveStuckRound. Founder runs BurnBomb #001 end-to-end to validate every state transition in production.

Founder then calls freezeAdmin() · a one-way function that permanently disables all three admin paths.

From that block forward, the contract is fully autonomous. No upgrades. No pause. No emergency recovery. No keys. No owner. No intervention possible from anyone, ever.

05 Pause only blocks new claims

Even during round #001, the pause mechanism is limited:

  • Owner can pause claim() if a critical bug is discovered.
  • Existing rounds keep settling. Refund still works.
  • Withdraw still works. Re-roll still works.
  • Owner can never pause your money flowing back to you.
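The admin model of sections 03, 04 and 05 in one added Solidity sketch. It is illustrative code, not the project's contract; the State enum, the createdAt clock that starts at the first claim, the paidIn ledger and the choice to clear pause inside freezeAdmin() are assumptions made here. What it demonstrates is structural: one modifier gates every admin path, so a single one-way flag removes all of them; the emergency function takes no recipient and no amount; and pause is checked only in claim(), never on any path that moves ETH back to a claimer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example of the run-once-then-revoke admin model. Not the project's contract;
/// the State enum, createdAt clock, paidIn ledger and pause-clearing in freezeAdmin() are assumed.
contract AdminModelSketch {
    enum State { Seeding, Live, Settled, Refund }

    struct Round {
        State state;
        uint256 createdAt;   // assumed: set on the first claim into the round
    }

    address public immutable founder;
    bool public paused;          // gates claim() only
    bool public adminFrozen;     // one-way; set by freezeAdmin()

    uint256 public constant EMERGENCY_DELAY = 90 days;

    mapping(uint256 => Round) public rounds;
    mapping(uint256 => mapping(address => uint256)) public paidIn;  // wei each claimer put into a round

    constructor() { founder = msg.sender; }

    /// Every admin path shares this gate, so freezeAdmin() disables all of them at once.
    modifier adminLive() {
        require(msg.sender == founder, "not founder");
        require(!adminFrozen, "admin frozen");
        _;
    }

    function pause() external adminLive { paused = true; }
    function unpause() external adminLive { paused = false; }

    /// One-way. Clearing pause here (an assumption of this sketch) guarantees a frozen
    /// contract can never be left in a paused state with no one able to unpause it.
    function freezeAdmin() external adminLive {
        adminFrozen = true;
        paused = false;
    }

    /// Last-resort path: no recipient, no amount. All it can do is move a stale,
    /// unsettled round into Refund, after which each claimer pulls their own deposit.
    function emergencyResolveStuckRound(uint256 roundId) external adminLive {
        Round storage r = rounds[roundId];
        require(r.state == State.Seeding || r.state == State.Live, "not stuck");
        require(block.timestamp >= r.createdAt + EMERGENCY_DELAY, "round younger than 90 days");
        r.state = State.Refund;
    }

    /// The only function the pause flag touches.
    function claim(uint256 roundId) external payable {
        require(!paused, "claims paused");
        Round storage r = rounds[roundId];
        if (r.createdAt == 0) r.createdAt = block.timestamp;
        require(r.state == State.Seeding || r.state == State.Live, "round closed");
        require(msg.value > 0, "no value");
        paidIn[roundId][msg.sender] += msg.value;
    }

    /// Refunds check neither paused nor adminFrozen: money flowing back is never gated.
    function refundMyClaim(uint256 roundId) external {
        require(rounds[roundId].state == State.Refund, "not in refund");
        uint256 amount = paidIn[roundId][msg.sender];
        require(amount > 0, "nothing to refund");
        paidIn[roundId][msg.sender] = 0;                       // effect before interaction
        (bool ok, ) = msg.sender.call{value: amount, gas: 30_000}("");
        require(ok, "transfer failed");
    }
}
```

A test worth writing against this shape: call freezeAdmin(), then assert that pause(), unpause() and emergencyResolveStuckRound() all revert with "admin frozen" while claim() and refundMyClaim() still succeed.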

06 Reentrancy guards

Every external payable function uses OpenZeppelin's ReentrancyGuard. Internal state updates happen BEFORE external calls (checks-effects-interactions). External ETH transfers go through a low-level call with an explicit gas limit.
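Sections 01 and 06 together, as an added Solidity sketch of the pull-payment withdraw path. It is illustrative code, not the project's contract; the pending[] ledger, the PAYOUT_GAS value, the fund() stand-in for settlement and the OpenZeppelin v5 import path are assumptions. The shape is what matters: settlement only credits a balance, the balance is zeroed before the call, and the call is the last thing the function does.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Path for OpenZeppelin Contracts v5 (assumed); v4 placed it under security/.
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Added example of pull payments with checks-effects-interactions.
/// Not the project's contract; names and constants here are illustrative.
contract PullPaymentSketch is ReentrancyGuard {
    // Owed balances. Settlement credits this ledger; it never pushes ETH.
    mapping(address => uint256) public pending;

    // Assumed gas stipend for the outbound call: enough for an EOA or a minimal
    // receive(), not enough for the recipient to do meaningful work on re-entry.
    uint256 private constant PAYOUT_GAS = 30_000;

    event Withdrawn(address indexed to, uint256 amount);

    /// Settlement logic calls this instead of transferring, so a reverting or
    /// gas-hungry recipient can never block anyone else's payout.
    function _credit(address to, uint256 amount) internal {
        pending[to] += amount;
    }

    /// Stand-in for settle() so the sketch can be exercised in a test (assumed helper).
    function fund(address to) external payable {
        _credit(to, msg.value);
    }

    /// Anyone owed ETH pulls it themselves. withdrawSeedDividend() and refundMyClaim()
    /// on the page have the same three-step shape: checks, effects, then the external call.
    function withdraw() external nonReentrant {
        uint256 amount = pending[msg.sender];               // checks
        require(amount > 0, "nothing to withdraw");

        pending[msg.sender] = 0;                            // effects: zero before the call

        (bool ok, ) = msg.sender.call{value: amount, gas: PAYOUT_GAS}("");  // interaction
        require(ok, "transfer failed");                     // a failed call reverts the zeroing too
        emit Withdrawn(msg.sender, amount);
    }
}
```

The zeroing before the call is what makes the pattern hold even without the guard; nonReentrant is the second, independent layer. A Hardhat test can confirm both by pointing withdraw() at a contract whose receive() calls back into withdraw() and asserting the inner call reverts with "nothing to withdraw" or the guard's error.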

07 Bounded iteration

Settle iterates at most 1,000 slots (~200k gas with a warm cache). No unbounded loops anywhere in the contract. Refund is pull-based, so no iteration risk on payout.

08 Per-address claim cap (50)

No single address can claim more than 50 slots per round. Carpet-bombing from a single wallet is bounded; anyone who wants more slots has to coordinate many wallets and pay real gas for each.

09 Zero stranded ETH

Rounding dust: percentage splits (73 / 7 / 4 / 10 / 5 / 1) can truncate by a few wei per slice in integer math. The contract handles this by computing the winner share as pot - (allOtherSlices). Every wei in the pot leaves the contract during settle. No accumulating dust.

Direct ETH sends are rejected. The contract's receive() function reverts. Any ETH arriving outside of claim() is refused at the EVM level. Prevents arbitrary funds from getting stranded after freezeAdmin().
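Sections 07, 08 and 09 in one added Solidity sketch. It is illustrative code, not the project's contract. Assumptions made here: single-round state, a fixed SLOT_PRICE, a model in which each claim takes a slot number and the number closest to the target wins (the page does not describe the game mechanics; this is only a placeholder that needs a bounded read-only scan), and who receives the five non-winner slices. What it demonstrates is exactly the page's four points: the per-address cap with no override, a settle loop whose length is capped by construction and that only reads storage, the winner share computed as the remainder so the slices sum to the pot to the wei, and receive()/fallback() that refuse any ETH arriving outside claim().

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example covering the per-address cap, bounded settle loop, dust-free split
/// and rejected direct sends. Not the project's contract; SLOT_PRICE, the closest-
/// number winner model and the slice recipients are assumptions of this sketch.
contract BoundedSettleSketch {
    uint256 public constant MAX_SLOTS = 1_000;       // settle() never walks more than this
    uint256 public constant MAX_PER_ADDRESS = 50;    // per-address claim cap, no admin override
    uint256 public constant SLOT_PRICE = 0.01 ether; // assumed

    struct Slot { address owner; uint16 number; }    // packs into one word: one SLOAD per slot

    Slot[] public slots;
    mapping(address => uint256) public claimedBy;
    mapping(address => uint256) public pending;      // pull-payment ledger
    uint256 public pot;
    bool public settled;

    // Non-winner percentages from the page (7 / 4 / 10 / 5 / 1); the winner's 73% is the remainder.
    uint256[5] private OTHER_PCT = [uint256(7), 4, 10, 5, 1];
    address[5] public sliceRecipients;               // assumed: who receives each slice

    constructor(address[5] memory recipients) { sliceRecipients = recipients; }

    /// One slot per call. Both bounds are enforced here, so settle() can rely on them.
    function claim(uint16 number) external payable {
        require(!settled, "settled");
        require(msg.value == SLOT_PRICE, "wrong price");
        require(number < MAX_SLOTS, "number out of range");
        require(claimedBy[msg.sender] < MAX_PER_ADDRESS, "per-address cap reached");
        require(slots.length < MAX_SLOTS, "round full");
        claimedBy[msg.sender] += 1;
        slots.push(Slot(msg.sender, number));
        pot += msg.value;
    }

    /// Integer percentages floor, losing up to a few wei per slice. The winner takes
    /// pot minus everything else, so the credited amounts always sum to exactly `amount`.
    function splitPot(uint256 amount) public view returns (uint256 winner, uint256[5] memory others) {
        uint256 taken;
        for (uint256 i = 0; i < 5; i++) {
            others[i] = (amount * OTHER_PCT[i]) / 100;
            taken += others[i];
        }
        winner = amount - taken;
    }

    /// Bounded: slots.length <= MAX_SLOTS by construction, and the scan only reads storage.
    /// `target` stands in for the value derived from the reveal block hash.
    function settle(uint256 target) external {
        require(!settled, "settled");
        uint256 n = slots.length;
        require(n > 0, "empty round");
        settled = true;                                  // effect first

        uint256 t = target % MAX_SLOTS;
        uint256 best = type(uint256).max;
        address winner;
        for (uint256 i = 0; i < n; i++) {                // at most MAX_SLOTS iterations
            uint256 num = slots[i].number;
            uint256 dist = num > t ? num - t : t - num;
            if (dist < best) { best = dist; winner = slots[i].owner; }
        }

        (uint256 w, uint256[5] memory o) = splitPot(pot);
        pending[winner] += w;
        for (uint256 i = 0; i < 5; i++) pending[sliceRecipients[i]] += o[i];
        pot = 0;                                         // every wei is now owed to someone
    }

    /// Direct sends are refused, so nothing can arrive outside claim() and strand.
    receive() external payable { revert("use claim()"); }
    fallback() external payable { revert("use claim()"); }
}
```

The invariant a test should assert after settle(): the sum of all pending[] balances equals the ETH the contract holds, with pot at zero. A fuzz over arbitrary pot values against splitPot() confirms winner + sum(others) == amount for every input, which is the property the remainder construction guarantees and a per-slice rounding scheme would not.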


What this contract CANNOT do

  • Cannot be upgraded (immutable by design).
  • Cannot transfer $BURN tokens (no $BURN held by this contract).
  • Cannot interact with TTT NFTs or the BurnToken Strategy proxy.
  • Cannot reset state or refund forcibly (admin emergency is the only escape hatch, with 90-day delay).
  • Cannot bypass the per-address cap (no admin override).
  • Cannot extract funds for the owner (no recipient parameter on any owner function).

Audit status

Design audit by Codex underway. Contract draft + Hardhat tests + mainnet fork tests + Etherscan/Sourcify verification all required before deploy. Status updates on this page as they happen.