Hidden Tweed Elephant
High
In GovernanceStaker.sol bumper can call function bumpEarningPower() to update deposit's earning power and they can earn incentives for performing this activity .So the deposit.owner himself will call this function and can claim incentives for his own stake which should not be allowed.
When the deposit is eligible to update it's earningPower bumper can call the function bumpEarningPower() to update it But there is no check that msg.sender is the deposit.owner or not which allows anyone to call this function So the owner of that deposit is also eligible to call this function and He can earn incentives on his own deposit which should not be accepted otherwise every staker will call this function himself and can take the incentives by his own.
This way the user will not have to give any tip or incentive to someone else from the unclaimed Reward Because he himself will earn that incentive from the unclaimedReward for his own deposit.
Severity :: HIGH Likelihood :: HIGH Bumpers will not able to earn incentive as staker himself only will call this function.
https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L463-L514
Manual Review
Try adding checks in the function which will not allow deposit.owner to call this function
+ if(msg.sender == deposit.owner) {
revert NotAllowedToCall();
}