Recumbent Orange Wallaby
Medium
The bumpEarningPower
function is intended to reward third-party callers (bumpers) for triggering updates to a deposit's earning power when its conditions qualify for an update. However, due to unrestricted access, deposit owners or reward claimers can abuse this function to self-trigger updates at intervals of updateEligibilityDelay
, effectively farming the tip incentive. This undermines the purpose of the incentive system, potentially leading to unfair distribution of rewards and discouragement of third-party participation.
https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L471-L476
The key issue lies in the design of the bumpEarningPower
function, which does not restrict the caller to non-owners or third parties. As a result:
- Mechanism Misuse: The owner or the reward claimer of a deposit can repeatedly call
bumpEarningPower
, claiming the incentive for themselves. This incentivizes self-dealing rather than leveraging third-party assistance. - Functionality Redundancy: The
bumpEarningPower
function becomes effectively redundant for third parties, as they have no opportunity to earn the tip incentive due to owners monopolizing the calls.
- Loss of Third-Party Participation: The incentive mechanism fails to attract third-party bumpers.
- Potential Centralization of Rewards: Owners or claimants can monopolize the function, draining rewards at the expense of other participants.
Restrict Caller Access:
- Add a condition to ensure the caller of
bumpEarningPower
is neither the owner nor the reward claimer of the deposit. For example:
if (msg.sender == deposit.owner || msg.sender == deposit.claimer) {
revert GovernanceStaker__Unauthorized("Owner or claimer cannot bump", msg.sender);
}