Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Increasing the earning power of a deposit may fail in certain cases #35

Open
jokrsec opened this issue Dec 7, 2024 · 3 comments
Open

Increasing the earning power of a deposit may fail in certain cases #35

jokrsec opened this issue Dec 7, 2024 · 3 comments
Labels
Low/Info A Low/Info severity issue.

Comments

@jokrsec
Copy link
Collaborator

jokrsec commented Dec 7, 2024

Summary

Bumping to increase the earning power of a deposit might fail in valid scenarios.

Vulnerability Detail

Consider a case where the earning power of a deposit is zero, but a few unclaimed rewards exist for the deposit. The user claims the rewards, where a portion is deducted as a claiming fee, and the remaining amount is received by the user. At this point, there will be no more unclaimed rewards.

However, if the delegate of the deposit later becomes eligible, the deposit needs to be bumped to increase its earning power. Since there are no unclaimed rewards in the deposit, the bumpEarningPower function would revert due to the following check:

if (_newEarningPower > deposit.earningPower && _unclaimedRewards < _requestedTip) {
  revert GovernanceStaker__InsufficientUnclaimedRewards();
}

Impact

It is important to bump the deposit immediately when the delegate becomes eligible. However, due to the issue mentioned above, this fails, and the user loses rewards until they manually interact with their deposit. Note that claimRewards would also fail, so the user must use any other action such as withdraw, stakeMore or alter functions to update the deposit state in order to increase its earning power.

Code Snippet

https://github.com/sherlock-audit/2024-11-tally/blob/main/govstaking/src/GovernanceStaker.sol#L489-L491

Tool used

Manual Review

Recommendation

Add a check in the claimReward function to ensure that at least an amount equivalent to maxBumpTip remains in the deposit
@jokrsec jokrsec added the Medium A Medium severity issue. label Dec 7, 2024
@alexkeating
Copy link

We believe this is a non issue. The check would not revert if requested tip is 0 when rewards are 0, and a depositor can bump their own deposit without having to do any of the actions mentioned.

@jokrsec
Copy link
Collaborator Author

jokrsec commented Dec 11, 2024

I believe that would cause issues because:

  1. No one would call bumpEarningPower for a 0 tip.
  2. While it's true that a user could bump it with a 0 tip, this still requires the user to monitor and take action (like mentioned in the report)

@jokrsec jokrsec added Low/Info A Low/Info severity issue. and removed Medium A Medium severity issue. labels Dec 13, 2024
@alexkeating
Copy link

Wont fix

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Low/Info A Low/Info severity issue.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alexkeating @jokrsec