Gentle Chocolate Eel
High
Missing _checkpointReward(deposit) in GovernanceStaker._stake() can lead to the reward State being Misaligned or Inconsistent
The bug arises from a misalignment of the reward state during the staking process, specifically in the _stake function. The issue occurs because the _stake function does not call _checkpointReward(deposit) to properly initialize the reward state for new deposits. As a result, when tokens are staked via _stake, the deposit's scaledUnclaimedRewardCheckpoint and rewardPerTokenCheckpoint are not set to the correct values, causing inconsistencies in reward calculations.
The Stake function allows users perform staking Operations. But unlike the _stakeMore function which adds more stake to an existing deposit., _checkpointReward(deposit); is not called. As a result, the reward state is incorrectly initialized for new deposits, creating a risk that rewards could be under-calculated.
In the _stake function, new deposits are created but the reward state is not updated (via _checkpointReward(deposit)). This means that the scaledUnclaimedRewardCheckpoint (which tracks the total unclaimed rewards for a deposit) and rewardPerTokenCheckpoint (which tracks the reward rate at the time of staking) are not synchronized with the global reward state.
Under calculation of rewards for users in their first deposit.
https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L558-L590
https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L595-L600
https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L759-L762
Manual Review
Add the _checkpointReward(deposit); to the stake function