Noisy Pineapple Wasp
Medium
There is no slippage protection for staking operations, which may result in users being unable to accumulate rewards.
When a user stakes, they can select a delegatee contract and then start accumulating rewards by transferring tokens to that contract, as long as the delegatee is eligible (_isDelegateeEligible(delegatee) = true). However, when a user stakes, the delegatee may suddenly become unqualified, such as due to the score update from the orcale or a change to the threshold(delegateeEligibilityThresholdScore). This will cause the user's EarningPower to be 0, which means losing the ability to accumulate rewards.
https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L558-L571
function _stake(address _depositor, uint256 _amount, address _delegatee, address _claimer)
internal
virtual
returns (DepositIdentifier _depositId)
{
_revertIfAddressZero(_delegatee);
_revertIfAddressZero(_claimer);
_checkpointGlobalReward();
DelegationSurrogate _surrogate = _fetchOrDeploySurrogate(_delegatee);
_depositId = _useDepositId();
uint256 _earningPower = earningPowerCalculator.getEarningPower(_amount, _depositor, _delegatee);There is no doubt that users are motivated to obtain rewards through staking. However, when staking, users will not be able to accrue rewards due to the delegatee being disqualified (e.g., its score is below the threshold).
Users are unable to accrue rewards.
https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L558-L571
Manual Review
Add a slippage protection variable withEarningPower. If the user wants to get EarningPower when staking, it can be set to 1. Otherwise, if the user does not care, it can be set to 0.
When withEarningPower=1, check whether the delegatee is qualified. If not, revert the TX.