Ancient Denim Horse
Medium
GovernanceStaker.sol#bumpEarningPower() - Paused or stale oracle could be abused to farm bumping tips
The bumpEarningPower() function provides an incentivizing way of keeping depositors' earning power up to date by "tipping" the bumper a portion of the deposit's unclaimed reward as an incentive. It does so by first checking if there was a change in the delegatee's eligibility to determine if a bump occurs and a tip should be paid out, if there are sufficient rewards to do so.
A mechanism that opens room for exploit is the way oracle staleness and pause are handled during a failsafe when earning power becomes based only on the staked amount and thus turns eligible, allowing for getting tips for bumping previously ineligible delegatees when a failsafe starts and when it finishes.
Currently the delegatee's eligibility is based on a threshold and the score is updated by the designated oracle. Any address could technically be a delegatee, but the ones with most score would logically be community involved or to be involved addresses. Thus, the possibility of having a not-yet-qualified address be a delegatee to a number of deposits is not unlikely, their earning power will just become qualified later on. This means that during a failsafe, all deposits delegating to a not-yet-qualified delegatee will become eligible for the duration of the failsafe, technically allowing bumpers to earn 2 tips - when the failsafe starts and when the failsafe ends and the delegatee becomes ineligible due to score again. This technically creates a race condition for bumpers to earn tips during failsafe.
Bumpers earn tips not based on actual changes to the scores but due to edge-case contract and external state
Manual Review
Update the getNewEarningPower() function to return false as qualification boolean as the oracle's staleness/pausing should not be a subject for generating bumping tips out of unsuspecting user's rewards. A user should be aware that depositing into ineligible delegatee's could lead to them paying tips, but users do not control the oracle's state and should not be forced to pay when a failsafe occurs.