Users can only claim a prize after it has been distributed by a call to the claimPrizes() function:
```solidity
function claimPrizes(
    uint8 _tier,
    address[] calldata _winners,
    uint32[][] calldata _prizeIndices,
    uint96 _feePerClaim,
    address _feeRecipient
) external returns (uint256) {
    if (msg.sender != _claimer) revert CallerNotClaimer(msg.sender, _claimer);
    uint totalPrizes;
    for (uint w = 0; w < _winners.length; w++) {
        uint prizeIndicesLength = _prizeIndices[w].length;
        for (uint p = 0; p < prizeIndicesLength; p++) {
            totalPrizes += _claimPrize(
                _winners[w],
                _tier,
                _prizeIndices[w][p],
                _feePerClaim,
                _feeRecipient
            );
        }
    }
    return totalPrizes;
}
```
This function can only be called by the _claimer role:

```solidity
if (msg.sender != _claimer) revert CallerNotClaimer(msg.sender, _claimer);
```

If the vault owner sets themselves as the claimer, or sets the claimer to an address they control, they can simply never call the function, so users cannot claim their prizes.
Proof of Concept
As described
Tools Used
Manual review
Recommended Mitigation Steps
Consider removing the claimer role and providing another mechanism that lets users claim their prizes directly as soon as they are distributed.
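The following is an added illustration (not code from pt-v5-vault) of the two claim models described above. The first contract gates payouts behind a single `claimer` address, so a claimer that never calls `claimPrizes()` leaves every winner unpaid. The second lets the winner claim directly, and also lets a third party trigger the claim on the winner's behalf for a bounded fee, so no single role can withhold prizes. The prize ledger, `distribute()` helper and fee cap are hypothetical simplifications standing in for the real prize-pool accounting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Vulnerable pattern: a single privileged claimer controls whether winners get paid.
contract ClaimerGatedVault {
    address public immutable claimer;             // privileged caller set by the owner
    mapping(address => uint256) public prizeOf;   // hypothetical ledger: prize owed per winner
    mapping(address => uint256) public paidTo;    // hypothetical ledger: amount already paid out

    error CallerNotClaimer(address caller, address claimer);

    constructor(address _claimer) {
        claimer = _claimer;
    }

    /// Hypothetical stand-in for prize distribution (no access control for brevity).
    function distribute(address winner, uint256 amount) external {
        prizeOf[winner] += amount;
    }

    /// Only `claimer` may trigger payouts. If `claimer` never calls this,
    /// the balances recorded in `prizeOf` are stuck forever.
    function claimPrizes(address[] calldata winners) external returns (uint256 total) {
        if (msg.sender != claimer) revert CallerNotClaimer(msg.sender, claimer);
        for (uint256 i = 0; i < winners.length; i++) {
            uint256 amount = prizeOf[winners[i]];
            prizeOf[winners[i]] = 0;
            paidTo[winners[i]] += amount;
            total += amount;
        }
    }
}

/// Mitigated pattern: anyone can trigger a claim, but the prize always goes to the winner
/// and the caller's fee is capped, so no role can indefinitely withhold a payout.
contract PermissionlessClaimVault {
    uint256 public constant MAX_FEE_BPS = 100;    // hypothetical cap: at most 1% to the claimer
    mapping(address => uint256) public prizeOf;   // hypothetical ledger: prize owed per winner
    mapping(address => uint256) public paidTo;    // hypothetical ledger: amount already paid out

    event PrizeClaimed(address indexed winner, address indexed claimedBy, uint256 amount, uint256 fee);

    /// Hypothetical stand-in for prize distribution (no access control for brevity).
    function distribute(address winner, uint256 amount) external {
        prizeOf[winner] += amount;
    }

    /// Winner claims directly and pays no fee.
    function claim() external returns (uint256) {
        return _claim(msg.sender, 0);
    }

    /// Any third party may claim on a winner's behalf for a fee, bounded by MAX_FEE_BPS.
    /// The winner never depends on this path; it only adds a convenience.
    function claimFor(address winner, uint256 feeBps) external returns (uint256) {
        require(feeBps <= MAX_FEE_BPS, "fee too high");
        return _claim(winner, feeBps);
    }

    function _claim(address winner, uint256 feeBps) internal returns (uint256 amount) {
        amount = prizeOf[winner];
        require(amount > 0, "nothing to claim");
        prizeOf[winner] = 0;                       // zero before paying (checks-effects-interactions)
        uint256 fee = (amount * feeBps) / 10_000;
        paidTo[winner] += amount - fee;
        if (fee > 0) paidTo[msg.sender] += fee;
        emit PrizeClaimed(winner, msg.sender, amount - fee, fee);
    }
}
```

The key design change is that liveness of the payout no longer depends on one address: the winner's own `claim()` path always works, and `claimFor()` only adds an optional incentive for bots without letting them redirect funds or charge more than the cap.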
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L607-#L632
Assessed type
Other