Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rich Smoke Cheetah - A mallicious bumper can take all the rewards of a user #89

Open
sherlock-admin2 opened this issue Dec 22, 2024 · 0 comments
Open

Rich Smoke Cheetah - A mallicious bumper can take all the rewards of a user #89

sherlock-admin2 opened this issue Dec 22, 2024 · 0 comments
Labels
Won't Fix The sponsor confirmed this issue will not be fixed

Comments

@sherlock-admin2
Copy link

Rich Smoke Cheetah

High

A mallicious bumper can take all the rewards of a user

Summary

If the rewards are less than the maxBumpTip the the bumper can take absolutely all the rewards.

Vulnerability Detail

Here we can see that the tip that will be received in the bumpEarningPower must be less or equal to the minimum between the unclaimed fees and the maxBumpTip in the bumpEarningPower function.

    uint256 _unclaimedRewards = deposit.scaledUnclaimedRewardCheckpoint / SCALE_FACTOR;

    (uint256 _newEarningPower, bool _isQualifiedForBump) = earningPowerCalculator.getNewEarningPower(
      deposit.balance, deposit.owner, deposit.delegatee, deposit.earningPower
    );
    if (!_isQualifiedForBump || _newEarningPower == deposit.earningPower) {
      revert GovernanceStaker__Unqualified(_newEarningPower);
    }

    if (_newEarningPower > deposit.earningPower && _unclaimedRewards < _requestedTip) {
      revert GovernanceStaker__InsufficientUnclaimedRewards();
    }

    // Note: underflow causes a revert if the requested  tip is more than unclaimed rewards
    if (_newEarningPower < deposit.earningPower && (_unclaimedRewards - _requestedTip) < maxBumpTip)
    {
      revert GovernanceStaker__InsufficientUnclaimedRewards();
    }

Otherwise, the call will revert because of an underflow or a custom error. But if the reward is less than the maxBumpTip and the user gain earning power then the bumper could request all his reward.

attack path

Bob is a depositor, and his earning power continuously increases.
Alice is a malicious user who wants to steal all of Bob’s rewards.
Alice calls bumpEarningPower every time Bob gains some rewards in order to continuously take all the rewards.
As a result, Bob will never gain his rewards.

Impact

The Bumper will steal all the depositor's reward.

Code Snippet

https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L483-L500

Tool used

Manual Review

Recommendation

The tip should be a portion of the rewards and then becoming a constant in order to avoid this type of attack.
@sherlock-admin3 sherlock-admin3 added the Won't Fix The sponsor confirmed this issue will not be fixed label Jan 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Won't Fix The sponsor confirmed this issue will not be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin2 @sherlock-admin3