Skip to content

Latest commit

 

History

History
39 lines (28 loc) · 1.26 KB

026.md

File metadata and controls

39 lines (28 loc) · 1.26 KB

Nice Burgundy Gerbil

Medium

Earning Power is not updated when rewards to claim is zero

Summary

Earning Power is not updated when rewards to claim is zero

https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L710-L721

Vulnerability Detail

Protocol attempts to update earning power on every user state changing calls, but fails to update the earning Power when Reward. is zero, this permits the user to keep accumulating rewards with previous earning power. Also, while there is an option for it to be updated by an third party, available reward is the incentive and user does not have.

Impact

Rewards accumulation with old earning power

Code Snippet

 function _claimReward(DepositIdentifier _depositId, Deposit storage deposit, address _claimer)
    internal
    virtual
    returns (uint256)
  {
    _checkpointGlobalReward();
    _checkpointReward(deposit);

    uint256 _reward = deposit.scaledUnclaimedRewardCheckpoint / SCALE_FACTOR;
    // Intentionally reverts due to overflow if unclaimed rewards are less than fee.
    uint256 _payout = _reward - claimFeeParameters.feeAmount;
    if (_payout == 0) return 0;

Tool used

Manual Review

Recommendation

Update earning pwer even where zero reward is available.