Hidden Tweed Elephant - Non-Deposit Owners will not be able to claim rewards. #79

Open
sherlock-admin4 opened this issue Dec 22, 2024 · 0 comments
Labels
Won't Fix The sponsor confirmed this issue will not be fixed

Comments

@sherlock-admin4
Contributor

Hidden Tweed Elephant

High

Non-Deposit Owners will not be able to claim rewards.

Summary

GovernanceStaker.sol allows a user to stake tokens by creating a deposit, and the user can select any claimer address that can claim the rewards for that deposit. But there is no way for a claimer who is not the owner of the deposit to claim rewards.

Vulnerability Detail

When a user creates a stake there are two stake() functions: one where the claimer will be the owner only, and another to specify a separate claimer address so that someone else can claim the reward for that deposit.
The claimer can claim rewards at any time. But when the claimer tries to claim a reward by calling the function claimReward(), there is an if statement: it checks that msg.sender should be deposit.claimer and also deposit.owner, so when the claimer is not the owner it will revert the call. Hence, other than the owner, no other claimer is eligible to claimReward for this deposit.

    if (deposit.claimer != msg.sender && deposit.owner != msg.sender) {
      revert GovernanceStaker__Unauthorized("not claimer or owner", msg.sender);
    }
    return _claimReward(_depositId, deposit, msg.sender);

Impact

Severity :: HIGH
Likelihood :: HIGH
Only deposit owners can claim rewards; no claimer who is not the owner of the deposit can claim rewards.

Code Snippet

https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L403-L413

Tool used

Manual Review

Recommendation

Remove the if statement and add a require statement:

-    if (deposit.claimer != msg.sender && deposit.owner != msg.sender) {
-     revert GovernanceStaker__Unauthorized("not claimer or owner", msg.sender);
-    }
-   return _claimReward(_depositId, deposit, msg.sender);

+ require(deposit.claimer == msg.sender, "If the msg.sender is not claimer than revert")
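Review bot: the `+` line drops the `return _claimReward(_depositId, deposit, msg.sender);` call that the removed `-` lines contained, so after this change claimReward would pass the check but never pay anything out; the return must be kept after the require. The require line is also missing its trailing semicolon, and the revert message should read "then", not "than". Note as well that the removed condition only reverts when msg.sender is neither the claimer nor the owner (the two inequalities are joined by `&&`), so the replacement narrows authorization from "claimer or owner" to "claimer only" rather than widening it.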
@sherlock-admin3 sherlock-admin3 added the Won't Fix The sponsor confirmed this issue will not be fixed label Jan 8, 2025
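To make the two authorization rules concrete, here is an added Python model of the check quoted in the issue and of the recommended replacement; this is example code, not from the Tally repository. Deposit, the caller names and the who_can_claim helper are constructed for this illustration, and each model returns the caller where the contract would call _claimReward.

```python
from dataclasses import dataclass


@dataclass
class Deposit:
    owner: str
    claimer: str


class Unauthorized(Exception):
    """Stands in for GovernanceStaker__Unauthorized."""


def claim_reward_original(deposit: Deposit, sender: str) -> str:
    # Mirrors the check quoted in the issue: revert only when the caller
    # is neither the deposit's claimer nor its owner (the two tests are ANDed).
    if deposit.claimer != sender and deposit.owner != sender:
        raise Unauthorized("not claimer or owner")
    return sender  # where the contract calls _claimReward(_depositId, deposit, msg.sender)


def claim_reward_proposed(deposit: Deposit, sender: str) -> str:
    # Mirrors the recommended replacement: only the named claimer passes.
    if deposit.claimer != sender:
        raise Unauthorized("not claimer")
    return sender


def who_can_claim(check, deposit: Deposit, callers) -> set:
    """Return the subset of callers that the given check lets through."""
    allowed = set()
    for caller in callers:
        try:
            check(deposit, caller)
            allowed.add(caller)
        except Unauthorized:
            pass
    return allowed


# Constructed sample: the owner stakes and names a separate claimer address.
DEPOSIT = Deposit(owner="0xOWNER", claimer="0xCLAIMER")
CALLERS = ["0xOWNER", "0xCLAIMER", "0xSTRANGER"]

if __name__ == "__main__":
    print("original check allows:", who_can_claim(claim_reward_original, DEPOSIT, CALLERS))
    print("proposed check allows:", who_can_claim(claim_reward_proposed, DEPOSIT, CALLERS))
```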