
Hidden Tweed Elephant - Staker can himself call the bumpEarningPower as a bumper and earn incentive on his own deposit. #80

Open
sherlock-admin2 opened this issue Dec 22, 2024 · 0 comments
Labels
Won't Fix The sponsor confirmed this issue will not be fixed

Comments

@sherlock-admin2

Hidden Tweed Elephant

High

Staker can himself call the bumpEarningPower as a bumper and earn incentive on his own deposit.

Summary

In GovernanceStaker.sol, a bumper can call the function bumpEarningPower() to update a deposit's earning power, and they earn an incentive for performing this activity. So the deposit.owner himself can call this function and claim the incentive for his own stake, which should not be allowed.

Vulnerability Detail

When a deposit is eligible to have its earningPower updated, a bumper can call the function bumpEarningPower() to update it. But there is no check on whether msg.sender is the deposit.owner, which allows anyone to call this function. So the owner of that deposit is also eligible to call it and can earn the incentive on his own deposit, which should not be accepted; otherwise every staker will call this function himself and take the incentive on his own.
This way the user will not have to give any tip or incentive to someone else from the unclaimed reward, because he himself will earn that incentive from the unclaimedReward of his own deposit.

Impact

Severity :: HIGH
Likelihood :: HIGH
Bumpers will not be able to earn the incentive, as the staker himself will call this function.

Code Snippet

https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L463-L514

Tool used

Manual Review

Recommendation

Try adding a check in the function that does not allow deposit.owner to call it:

+    if (msg.sender == deposit.owner) {
+        revert NotAllowedToCall();
+    }
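The flow described in this report, as an added example that is not part of the submission or the Tally GovernanceStaker code: a simplified model in which a deposit accrues unclaimedReward, whoever refreshes its earning power is paid a tip out of that balance, and an unguarded variant sits beside the variant that applies the recommended owner check. The MAX_BUMP_TIP value, the `stake` helper and the `newEarningPower` parameter standing in for the earning-power lookup are assumptions of this model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model of the bump flow (added example, not the project's code).
contract BumpModel {
    struct Deposit {
        address owner;
        uint256 earningPower;
        uint256 unclaimedReward;
    }

    error NotAllowedToCall();
    error InvalidTip();

    uint256 public constant MAX_BUMP_TIP = 1 ether; // assumed cap, not the project's value
    mapping(uint256 => Deposit) public deposits;
    mapping(address => uint256) public tipsEarned; // tips credited to each bumper

    /// Assumed helper: records a deposit with some already accrued reward.
    function stake(uint256 id, uint256 earningPower, uint256 accruedReward) external {
        deposits[id] = Deposit({owner: msg.sender, earningPower: earningPower, unclaimedReward: accruedReward});
    }

    /// Unguarded variant: the deposit owner can act as the bumper and be
    /// credited the tip taken from his own unclaimedReward.
    function bumpEarningPowerUnguarded(uint256 id, uint256 newEarningPower, uint256 tip) external {
        _bump(deposits[id], newEarningPower, tip);
    }

    /// Guarded variant applying the report's recommendation.
    function bumpEarningPower(uint256 id, uint256 newEarningPower, uint256 tip) external {
        Deposit storage d = deposits[id];
        if (msg.sender == d.owner) revert NotAllowedToCall();
        _bump(d, newEarningPower, tip);
    }

    function _bump(Deposit storage d, uint256 newEarningPower, uint256 tip) internal {
        // newEarningPower stands in for the earning-power calculator result.
        if (tip > MAX_BUMP_TIP || tip > d.unclaimedReward) revert InvalidTip();
        d.unclaimedReward -= tip;      // the tip is funded by the deposit's own rewards
        tipsEarned[msg.sender] += tip; // and credited to whoever called
        d.earningPower = newEarningPower;
    }
}
```

With the guarded variant, a call from the deposit owner reverts with NotAllowedToCall while any other caller still receives the tip.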
sherlock-admin3 added the Won't Fix label (The sponsor confirmed this issue will not be fixed) Jan 8, 2025