Helpful Walnut Meerkat
High
The bumpEarningPower
function allows a bumper to update a deposit's earning power when a qualifying change in earning power is determined by the earning power calculator. To incentivize bumpers to trigger these updates, a portion of the deposit's _unclaimedRewards
is sent to the bumper. However, this portion is not properly limited, allowing abuse.
Relevant code snippets:
-
https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L492
-
https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L497
These restrictions are not correctly implemented, enabling cases such as:
-
_newEarningPower > deposit.earningPower && _unclaimedRewards === _requestedTip
-
_newEarningPower < deposit.earningPower && _requestedTip > maxBumpTip
This allows attackers to extract more tip than intended by the protocol.
A deposit qualifies as _isQualifiedForBump
.
No response
No response
Users could lose a significant portion—or even all—of their unclaimed rewards.
Ensure that the tip
must always be less than or equal to maxBumpTip
.