Skip to content

Latest commit

 

History

History
45 lines (23 loc) · 1.33 KB

046.md

File metadata and controls

45 lines (23 loc) · 1.33 KB

Helpful Walnut Meerkat

High

Attackers Can Call GovernanceStaker::bumpEarningPower and Extract All _unclaimedRewards

Summary

The bumpEarningPower function allows a bumper to update a deposit's earning power when a qualifying change in earning power is determined by the earning power calculator. To incentivize bumpers to trigger these updates, a portion of the deposit's _unclaimedRewards is sent to the bumper. However, this portion is not properly limited, allowing abuse.

Root Case

Relevant code snippets:

These restrictions are not correctly implemented, enabling cases such as:

  • _newEarningPower > deposit.earningPower && _unclaimedRewards === _requestedTip

  • _newEarningPower < deposit.earningPower && _requestedTip > maxBumpTip

This allows attackers to extract more tip than intended by the protocol.

Internal pre-conditions

A deposit qualifies as _isQualifiedForBump.

External pre-conditions

No response

Attack Path

No response

Impact

Users could lose a significant portion—or even all—of their unclaimed rewards.

Mitigation

Ensure that the tip must always be less than or equal to maxBumpTip.