Hidden Tweed Elephant
High
As the GovernanceStaker.sol allows user to stake token by creating a deposit and user can select any claimer address who can claim the rewards for that deposit But there is no way for claimers who is not the owner of deposit to claim rewards.
When user creates Stake there is two function stake() one where the claimer will be the owner only and other is to specify separate claimer address so someone else can claim reward for that deposit.
And claimer can claim rewards anytime But when the claimer tries to claim reward by calling the function claimReward() there is a if statement :: It checks that msg.sender should be deposit.claimer and also the deposit.owner so when the claimer is not the owner it will revert the call and Hence other than the owner No other claimer is eligible to claimReward for this stake of deposit.
if (deposit.claimer != msg.sender && deposit.owner != msg.sender) {
revert GovernanceStaker__Unauthorized("not claimer or owner", msg.sender);
}
return _claimReward(_depositId, deposit, msg.sender);Severity :: HIGH Likelihood :: HIGH Only deposit owners can claim rewards , None of the claimer who is not the owner of the deposit can claim rewards
https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L403-L413
Manual Review
Remove the if statement and add a require statement
- if (deposit.claimer != msg.sender && deposit.owner != msg.sender) {
- revert GovernanceStaker__Unauthorized("not claimer or owner", msg.sender);
- }
- return _claimReward(_depositId, deposit, msg.sender);
+ require(deposit.claimer == msg.sender, "If the msg.sender is not claimer than revert")