Skip to content

Latest commit

 

History

History
67 lines (54 loc) · 2.84 KB

064.md

File metadata and controls

67 lines (54 loc) · 2.84 KB

High Licorice Jellyfish

High

Malicious Users Can Block Earning Power to keep the high reword

Summary

Users can Stop their earning power from being reduced by manipulating unclaimed rewards to block the bump mechanism. By front-running bump transactions in Ethereum and maintaining a specific unclaimed reward balance, users can keep reword accumulating with high earning powr .

Vulnerability Detail

The vulnerability arises because bumper tips are taken from the user's accumulatedrewards. When a user becomes ineligible and their earning power drops to 0,when the oracles change the earning power or admin set new calculator . can prevent this by manipulating their unclaimed reward balance.In GovernanceStaker.sol.a user could use the underflow to revert the function

 function bumpEarningPower(
    DepositIdentifier _depositId,
    address _tipReceiver,
    uint256 _requestedTip
  ) external virtual {

   // underflow causes a revert if the requested  tip is more than unclaimed rewards
    if (_newEarningPower < deposit.earningPower && @>>>(_unclaimedRewards - _requestedTip) < maxBumpTip)
    {
      revert GovernanceStaker__InsufficientUnclaimedRewards();
    }
//code .....
 }

Using this attack : User earning power: 1000 (should reduce to 0) Accumulated rewards: 100 Required bumper tip: 15

  1. User monitors mempool for bump attempts
  2. When a bump is detected, front-run with the claim.
  3. Claim most rewards, and leave less than the required tip.
function _claimReward(DepositIdentifier _depositId, Deposit storage deposit, address _claimer) {
    uint256 _reward = deposit.scaledUnclaimedRewardCheckpoint / SCALE_FACTOR;

    uint256 _payout = _reward - 10;  // Leave only 10 tokens
    
    deposit.scaledUnclaimedRewardCheckpoint = 
        deposit.scaledUnclaimedRewardCheckpoint - (_reward * SCALE_FACTOR);
}

-Bump transaction fails,

// underflow causes a revert if the requested  tip is more than unclaimed rewards
    if (_newEarningPower < deposit.earningPower && @>>>(_unclaimedRewards - _requestedTip) < maxBumpTip)
    {
      revert GovernanceStaker__InsufficientUnclaimedRewards();
    }

User keeps original high earning power, Continues earning at 1000 power instead of 0, the user could reapaet this prosses until the end of the reword duration .

Impact

Users maintain a high earning power indefinitely, Continue earning rewards at elevated rates even when ineligible,drain protocol rewards unfairly from legitimate users.

Code Snippet

https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L471-L514 https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L710-L745

Tool used

Manual Review

Recommendation

For earning power decreases (when _newEarningPower < deposit.earningPower), remove the tip.