Currently there is no incentive for the user to unlock their tokens from the system even if their unlock time has passed. This is because the quantity is still being considered in schnibble calculations and bonuses in BonusManager only consider the lock duration.
What a user could do is to make 0 value unlock() calls and claim the harvested rewards without ever unlocking. That way user does not need to lock the tokens ever and can receive the rewards directly.
Lines of code
https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L401
Vulnerability details
Impact
Currently there is no incentive for the user to unlock their tokens from the system even if their unlock time has passed. This is because the quantity is still being considered in schnibble calculations and bonuses in BonusManager only consider the lock duration.
What a user could do is to make 0 value unlock() calls and claim the harvested rewards without ever unlocking. That way user does not need to lock the tokens ever and can receive the rewards directly.
The user can then withdraw the token directly.
Recommended Mitigation Steps
Assessed type
Error