Rich Smoke Cheetah
High
If the rewards are less than the maxBumpTip the the bumper can take absolutely all the rewards.
Here we can see that the tip that will be received in the bumpEarningPower must be less or equal to the minimum between the unclaimed fees and the maxBumpTip in the bumpEarningPower function.
uint256 _unclaimedRewards = deposit.scaledUnclaimedRewardCheckpoint / SCALE_FACTOR;
(uint256 _newEarningPower, bool _isQualifiedForBump) = earningPowerCalculator.getNewEarningPower(
deposit.balance, deposit.owner, deposit.delegatee, deposit.earningPower
);
if (!_isQualifiedForBump || _newEarningPower == deposit.earningPower) {
revert GovernanceStaker__Unqualified(_newEarningPower);
}
if (_newEarningPower > deposit.earningPower && _unclaimedRewards < _requestedTip) {
revert GovernanceStaker__InsufficientUnclaimedRewards();
}
// Note: underflow causes a revert if the requested tip is more than unclaimed rewards
if (_newEarningPower < deposit.earningPower && (_unclaimedRewards - _requestedTip) < maxBumpTip)
{
revert GovernanceStaker__InsufficientUnclaimedRewards();
}Otherwise, the call will revert because of an underflow or a custom error. But if the reward is less than the maxBumpTip and the user gain earning power then the bumper could request all his reward.
Bob is a depositor, and his earning power continuously increases. Alice is a malicious user who wants to steal all of Bob’s rewards. Alice calls bumpEarningPower every time Bob gains some rewards in order to continuously take all the rewards. As a result, Bob will never gain his rewards.
The Bumper will steal all the depositor's reward.
https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L483-L500
Manual Review
The tip should be a portion of the rewards and then becoming a constant in order to avoid this type of attack.