Rich Smoke Cheetah
Medium
Because the feeAmount to pay when a user claims fees is a constant, a user may wait to claim their rewards in order to pay fees only once and limit the total fees paid.
In the _claimReward function, the fees paid is a variable set by the admin and deducted from the reward claimable, as we can see here:
function _claimReward(DepositIdentifier _depositId, Deposit storage deposit, address _claimer)
internal
virtual
returns (uint256)
{
_checkpointGlobalReward();
_checkpointReward(deposit);
uint256 _reward = deposit.scaledUnclaimedRewardCheckpoint / SCALE_FACTOR;
// Intentionally reverts due to overflow if unclaimed rewards are less than fee.
uint256 _payout = _reward - claimFeeParameters.feeAmount;
if (_payout == 0) return 0;The problem is that the fee isn’t a portion of the rewards, meaning that whatever the rewards, the same fee will be paid, which is unfair for all stakers. Moreover, a user could be incentivized to avoid claiming their rewards multiple times in order to limit the fees paid.
Users could pay fewer fees by claiming their rewards only once, thereby limiting the fees paid, which would result in a loss for the protocol. Moreover the fees are unfair since everyone pay exactly the same fees.
https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L710-L721
Foundry
The protocol should implement fees that adapt to the rewards received.