Skip to content

Latest commit

 

History

History
42 lines (28 loc) · 2.3 KB

029.md

File metadata and controls

42 lines (28 loc) · 2.3 KB

Recumbent Orange Wallaby

Medium

Deposit owners can exploit stakeMore and withdraw to prevent incentives for Bumpers

Summary

The design of the bumpEarningPower function, which allows third-party bumpers to update the earning power of a Deposit and receive incentives, can be invalidated by the Deposit owner. The owner can exploit the stakeMore or withdraw functions with minimal amounts, disrupting the earning power update process and denying bumpers their intended incentives. This undermines the protocol's mechanism to encourage bumpers to call bumpEarningPower.

https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L595-L606


Root Cause

The following issues allow Deposit owners to bypass the protocol's intent:

  1. No Minimum Amount for stakeMore or withdraw:

    • The stakeMore and withdraw functions do not enforce a minimum limit on the amount of tokens that can be staked or withdrawn.
    • As a result, the Deposit owner can call these functions with negligible amounts solely to trigger an earning power update.
  2. Frequent Calls During updateEligibilityDelay:

    • The updateEligibilityDelay in getNewEarningPower enforces a delay before earning power can be updated again.
    • The owner can reset this delay repeatedly by calling stakeMore or withdraw with minimal amounts, effectively blocking bumpers from calling bumpEarningPower during this period.

Impact

  1. Protocol Design Undermined:

    • The incentive mechanism for bumpers is rendered ineffective as owners block updates by exploiting small-value staking or withdrawals.
  2. Loss of Bumper Participation:

    • Without incentives, bumpers are unlikely to participate, weakening the protocol's ability to update earning power efficiently.
  3. Unfair Advantage for Deposit Owners:

    • Owners gain disproportionate control over the process, negating the intent of third-party interventions.

Mitigation

  1. Set Minimum Transaction Limits:

    • Introduce a minimum threshold for the amount of tokens that can be staked or withdrawn in stakeMore and withdraw.
  2. Restrict Frequency of Updates:

    • Enforce a cooldown period for the stakeMore and withdraw functions to prevent repeated calls within a short timeframe.