This is explicitly addressed in the comments of the contract. Keeping track of everyone's rewards is a linear problem, not feasible for smart contracts.
Lines of code
https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L245
Vulnerability details
Impact
Excess rewards can't be withdrawn until all deposits are withdrawn. It is possible to withdraw rewards on behalf of other users after pool.endTime, but that could require a lot of effort and gas, and from a security perspective a "pull" mechanism is much better than "push". There will always be a significant amount of excess rewards because:
- users can deposit only after the startTime
- pools have enough funding to reward maximumDepositWei from pool.startTime to pool.endTime
- pools definitely will not have maximumDepositWei already at pool.startTime
Recommended Mitigation Steps
Change the logic of withdrawExcessRewards() so that excess rewards can be withdrawn proportionally to pool.totalDepositsWei while not all deposits have been withdrawn: https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L242
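To make the impact and the proposed mitigation concrete, here is an added Python model of a fixed-rate, time-bounded pool. It is not the audited contract and not the project's own code; the accrual formula (amount × rate × seconds, scaled by 1e18), the funding assumption (enough to pay maximumDepositWei for the whole window) and the function names are assumptions made for the illustration. It contrasts the behaviour described in the finding (excess only released once every deposit has left) with a proportional variant: after endTime, the outstanding deposits can never earn more than totalDepositsWei accruing for the full window, so everything above that reserve is provably excess and can be released early without making the pool insolvent for the remaining depositors.

```python
from dataclasses import dataclass, field
from typing import List

WAD = 10**18  # 1e18 fixed-point scale; assumed for wei-denominated per-token rates


@dataclass
class Receipt:
    amount_wei: int
    deposit_time: int
    withdrawn: bool = False


@dataclass
class Pool:
    # Illustrative pool model (assumed), not PermissionlessBasicPoolFactory itself.
    start_time: int
    end_time: int
    maximum_deposit_wei: int
    rewards_wei_per_second_per_token: int
    total_deposits_wei: int = 0
    rewards_claimed_wei: int = 0
    excess_withdrawn_wei: int = 0
    receipts: List[Receipt] = field(default_factory=list)

    def funding_wei(self) -> int:
        # Funding covers maximumDepositWei accruing for the whole window (assumption from the finding).
        duration = self.end_time - self.start_time
        return self.maximum_deposit_wei * self.rewards_wei_per_second_per_token * duration // WAD

    def reward_balance_wei(self) -> int:
        return self.funding_wei() - self.rewards_claimed_wei - self.excess_withdrawn_wei

    def deposit(self, amount_wei: int, now: int) -> int:
        # Deposits are accepted only inside the window and up to the cap.
        if not (self.start_time <= now < self.end_time):
            raise ValueError("outside deposit window")
        if self.total_deposits_wei + amount_wei > self.maximum_deposit_wei:
            raise ValueError("pool cap exceeded")
        self.receipts.append(Receipt(amount_wei, now))
        self.total_deposits_wei += amount_wei
        return len(self.receipts) - 1

    def reward_for(self, receipt: Receipt, now: int) -> int:
        # Linear accrual from deposit time to pool end, clipped to the window.
        seconds = max(0, min(now, self.end_time) - max(receipt.deposit_time, self.start_time))
        return receipt.amount_wei * self.rewards_wei_per_second_per_token * seconds // WAD

    def withdraw(self, receipt_id: int, now: int) -> int:
        r = self.receipts[receipt_id]
        if r.withdrawn:
            raise ValueError("already withdrawn")
        reward = self.reward_for(r, now)
        if reward > self.reward_balance_wei():
            raise RuntimeError("pool insolvent")  # must never trigger if excess is bounded correctly
        r.withdrawn = True
        self.total_deposits_wei -= r.amount_wei
        self.rewards_claimed_wei += reward
        return reward

    def withdraw_excess_all_deposits_gone(self, now: int) -> int:
        # Behaviour the finding describes: excess is locked until every deposit has been withdrawn.
        if now <= self.end_time or self.total_deposits_wei != 0:
            raise RuntimeError("pool not ended or deposits still outstanding")
        excess = self.reward_balance_wei()
        self.excess_withdrawn_wei += excess
        return excess

    def withdrawable_excess_proportional(self, now: int) -> int:
        # Mitigation variant: reserve the most the remaining deposits could ever earn
        # (totalDepositsWei for the full window); the rest is excess. Sum of per-receipt
        # floors never exceeds this single floor, so the reserve is conservative.
        if now <= self.end_time:
            return 0  # before endTime new deposits may still arrive, nothing is provably excess
        duration = self.end_time - self.start_time
        reserved = self.total_deposits_wei * self.rewards_wei_per_second_per_token * duration // WAD
        return max(0, self.reward_balance_wei() - reserved)

    def withdraw_excess_proportional(self, now: int) -> int:
        excess = self.withdrawable_excess_proportional(now)
        self.excess_withdrawn_wei += excess
        return excess


def scenario() -> dict:
    # Constructed scenario: two depositors; one leaves after endTime, the other stays a while longer.
    pool = Pool(start_time=1_000, end_time=2_000, maximum_deposit_wei=1_000 * WAD,
                rewards_wei_per_second_per_token=10**15)  # 0.001 reward per token per second
    alice = pool.deposit(100 * WAD, now=1_200)
    bob = pool.deposit(50 * WAD, now=1_500)
    alice_reward = pool.withdraw(alice, now=2_500)
    try:
        pool.withdraw_excess_all_deposits_gone(now=2_500)
        original_allowed = True
    except RuntimeError:
        original_allowed = False  # Bob is still in, so the described logic refuses
    proportional_excess = pool.withdraw_excess_proportional(now=2_500)
    bob_reward = pool.withdraw(bob, now=3_000)  # still payable after the excess left
    remaining_excess = pool.withdraw_excess_all_deposits_gone(now=3_000)
    return {"funding": pool.funding_wei(), "alice_reward": alice_reward,
            "original_allowed": original_allowed, "proportional_excess": proportional_excess,
            "bob_reward": bob_reward, "remaining_excess": remaining_excess,
            "final_balance": pool.reward_balance_wei()}
```

In the constructed run, 870 of the 1000 reward tokens are provably excess once the pool has ended even though Bob's deposit is still in place, and Bob's later withdrawal is still fully covered by the 50-token reserve. The "all deposits gone" path, by contrast, leaves the full amount locked until the last depositor acts, which is the situation the finding describes.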