Fierce Lace Squirrel
High
When function notifyRewardAmount() called, every user 's rewards increase by larging the variable scledRewarRate. And if someone didn't clarim their rewards, they will get extra rewards which makes contract lose rewards.
When new rewards enter into the contract(by GovernanceStaker::notifyRewardAmount()), variable scaledRewardRate increase according to the amount. When someone claim his rewards(by GovernanceStaker::_claimReward), the contract calls function _checkpointReward to get his rewards. And the function will call function _scaledUnclaimedReward, and the function _scaledUnclaimedReard will use function rewardPerTokenAccumulated() whick use variable scaledRewardRate. And now the scaledRewardRate is caculated by the rewards after new rewards enter the contract. The user will get more rewards which he should get and make contract lose money. Because the time before the new rewards enter into the contract, the scaledRewardRate should be less than use the new calculated variable scaledRewardRate.
Contract will lose rewards money.
https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L710-L718 https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L430-L461 https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L522-L525 https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L303-L308
Manual Review