Wonderful Pebble Sawfish
High
A surrogate owner acts as a bumper and passes the surrogate as _tipReceiver to increase their voting power through a portion of the deposit's unclaimed rewards.
A surrogate owner acts as a bumper and passes the DelegationSurrogate as _tipReceiver to increase their voting power through a portion of the deposit's unclaimed rewards. By utilizing this mechanism, the voting power of the delegatee can be boosted without staking additional tokens, leveraging unclaimed rewards as a source of unfair governance weight.
The owner of the DelegationSurrogate can call the bumpEarningPower function and pass the DelegationSurrogate address as the _tipReceiver. This action will send all unclaimed rewards to DelegationSurrogate and increase the voting power of the delegatee, Since the ARB token serves as both the stake token and the reward token in Protocol. This can be unfairly exploited by the surrogate owner to gain an unfair advantage in the voting process without any stake tokens.
function bumpEarningPower(
DepositIdentifier _depositId,
@> address _tipReceiver,
uint256 _requestedTip
) external virtual {
//...
// Send tip to the receiver
@>> SafeERC20.safeTransfer(REWARD_TOKEN, _tipReceiver, _requestedTip);
deposit.scaledUnclaimedRewardCheckpoint =
deposit.scaledUnclaimedRewardCheckpoint - (_requestedTip * SCALE_FACTOR);
}Anyone call bumpEarningPower because they claim a portion of deposit's unclaimed rewards, If surrogate owner call bumpEarningPower with _tipReceiver is the DelegationSurrogate this will send unclaimed rewards to the DelegationSurrogate with that action delegatee is increase governance voting weight. The surrogate owner repeats this process to continue amplifying voting power and gain significant governance power without staking additional tokens.
https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L471-L514
Manual Review
Separate staking and reward Tokens because this prevents the same token from being used to artificially boost voting power.