Rich Smoke Cheetah - A malicious user can pay less fees when he claim rewards

[sherlock-admin4]

Rich Smoke Cheetah

Medium

A malicious user can pay less fees when he claim rewards

Summary

Because the feeAmount to pay when a user claims fees is a constant, a user may wait to claim their rewards in order to pay fees only once and limit the total fees paid.

Vulnerability Detail

In the _claimReward function, the fees paid is a variable set by the admin and deducted from the reward claimable, as we can see here:

 function _claimReward(DepositIdentifier _depositId, Deposit storage deposit, address _claimer)
    internal
    virtual
    returns (uint256)
  {
    _checkpointGlobalReward();
    _checkpointReward(deposit);

    uint256 _reward = deposit.scaledUnclaimedRewardCheckpoint / SCALE_FACTOR;
    // Intentionally reverts due to overflow if unclaimed rewards are less than fee.
    uint256 _payout = _reward - claimFeeParameters.feeAmount;
    if (_payout == 0) return 0;

The problem is that the fee isn’t a portion of the rewards, meaning that whatever the rewards, the same fee will be paid, which is unfair for all stakers. Moreover, a user could be incentivized to avoid claiming their rewards multiple times in order to limit the fees paid.

Impact

Users could pay fewer fees by claiming their rewards only once, thereby limiting the fees paid, which would result in a loss for the protocol. Moreover the fees are unfair since everyone pay exactly the same fees.

Code Snippet

https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L710-L721

Tool used

Foundry

Recommendation

The protocol should implement fees that adapt to the rewards received.