Lines of code
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L483
Vulnerability details
Impact
This function does not need the address _to parameter. In this case address _to must be msg.sender.
Proof of Concept
A user can mistakenly set the wrong address _to and lose their tokens. To prevent this, remove address _to from this function and use msg.sender instead, like this:

```solidity
function withdrawClaimRewards(uint256 _amount) external {
  uint256 _available = claimerRewards[msg.sender];
  // ... remainder of the function, with msg.sender as the recipient
}
```

Besides preventing the loss of tokens, this change also consumes less gas.
Assessed type
Token-Transfer