Skip to content

Latest commit

 

History

History
31 lines (22 loc) · 2.09 KB

024.md

File metadata and controls

31 lines (22 loc) · 2.09 KB

Recumbent Orange Wallaby

Medium

Deposit owners exploit incentives, undermining third-party participation

Summary

The bumpEarningPower function is intended to reward third-party callers (bumpers) for triggering updates to a deposit's earning power when its conditions qualify for an update. However, due to unrestricted access, deposit owners or reward claimers can abuse this function to self-trigger updates at intervals of updateEligibilityDelay, effectively farming the tip incentive. This undermines the purpose of the incentive system, potentially leading to unfair distribution of rewards and discouragement of third-party participation.

https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L471-L476

https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/BinaryEligibilityOracleEarningPowerCalculator.sol#L154-L158

Vulnerability Detail

The key issue lies in the design of the bumpEarningPower function, which does not restrict the caller to non-owners or third parties. As a result:

  1. Mechanism Misuse: The owner or the reward claimer of a deposit can repeatedly call bumpEarningPower, claiming the incentive for themselves. This incentivizes self-dealing rather than leveraging third-party assistance.
  2. Functionality Redundancy: The bumpEarningPower function becomes effectively redundant for third parties, as they have no opportunity to earn the tip incentive due to owners monopolizing the calls.

Impact

  • Loss of Third-Party Participation: The incentive mechanism fails to attract third-party bumpers.
  • Potential Centralization of Rewards: Owners or claimants can monopolize the function, draining rewards at the expense of other participants.

Recommendation

Restrict Caller Access:

  • Add a condition to ensure the caller of bumpEarningPower is neither the owner nor the reward claimer of the deposit. For example:
if (msg.sender == deposit.owner || msg.sender == deposit.claimer) {
    revert GovernanceStaker__Unauthorized("Owner or claimer cannot bump", msg.sender);
}