sherlock-audit / 2024-07-sense-points-marketplace-judging


Clever Powder Ferret - The users are not able to get their pTokens if the root is expired which should not be the case #193

Closed sherlock-admin3 closed 2 months ago

sherlock-admin3 commented 2 months ago

Clever Powder Ferret

Low/Info

The users are not able to get their pTokens if the root is expired which should not be the case

Summary

In PointTokenVault, the users are not able to get the pTokens even if they deposited into the vault if the root was expired.

Vulnerability Detail

Take a look at the current implementation of _verifyClaimAndUpdateClaimed() functionality:

https://github.com/sense-finance/point-tokenization-vault/blob/dev/contracts/PointTokenVault.sol#L282-284

    if (candidateRoot != currRoot && candidateRoot != prevRoot) {
        revert ProofInvalidOrExpired();
    }

The users at the moment are not able to get their rewards if the root was expired, which should not be the case, as users may be offline for various reasons or the root was updated too quickly, for instance. This would disincentivize users from using the protocol, as they are not able to claim their pTokens even though they were supposed to and deposited their funds into the vault.

Impact

Protocol may lose its value as users will not be able to get their rewards even though they deposited into the vault.

Code Snippet

https://github.com/sense-finance/point-tokenization-vault/blob/dev/contracts/PointTokenVault.sol#L282-284

Tool used

Manual Review.

Recommendation

Implement some kind of a mapping that stores previous roots (or epochs) or use different functionality to give access to the users to claim the previous pTokens distributions.
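The two-root window quoted in the report, next to the root-history mapping the Recommendation describes, as an added example that is not part of the submission or of PointTokenVault. Apart from `currRoot`, `prevRoot` and `ProofInvalidOrExpired`, every name is hypothetical, and the sorted-pair keccak256 tree layout is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not PointTokenVault code. Apart from currRoot, prevRoot and
// ProofInvalidOrExpired, every name here is hypothetical.
contract RootWindowExample {
    error ProofInvalidOrExpired();
    error NotUpdater();
    address public immutable updater;
    bytes32 public currRoot;
    bytes32 public prevRoot;
    mapping(bytes32 => bool) public isAcceptedRoot; // root history from the Recommendation

    constructor() { updater = msg.sender; }
    modifier onlyUpdater() {
        if (msg.sender != updater) revert NotUpdater();
        _;
    }

    function updateRoot(bytes32 newRoot) external onlyUpdater {
        prevRoot = currRoot; // the root from two updates ago leaves the window here
        currRoot = newRoot;
        isAcceptedRoot[newRoot] = true;
    }

    // Without a way to retire roots, one published in error would stay claimable forever.
    function revokeRoot(bytes32 root) external onlyUpdater { isAcceptedRoot[root] = false; }

    // Sorted-pair keccak256 Merkle walk (assumed tree layout).
    function _candidateRoot(bytes32[] calldata proof, bytes32 leaf) internal pure returns (bytes32 node) {
        node = leaf;
        for (uint256 i = 0; i < proof.length; i++) {
            bytes32 sib = proof[i];
            node = node < sib ? keccak256(abi.encodePacked(node, sib)) : keccak256(abi.encodePacked(sib, node));
        }
    }

    // The check quoted in the report: only the two most recent roots pass.
    function checkWindow(bytes32[] calldata proof, bytes32 leaf) external view {
        bytes32 candidateRoot = _candidateRoot(proof, leaf);
        if (candidateRoot != currRoot && candidateRoot != prevRoot) revert ProofInvalidOrExpired();
    }

    // The recommended variant: any published, unrevoked root passes.
    function checkHistory(bytes32[] calldata proof, bytes32 leaf) external view {
        if (!isAcceptedRoot[_candidateRoot(proof, leaf)]) revert ProofInvalidOrExpired();
    }
}
```

Accepting several roots at once only stays safe if claimed amounts are tracked per account, so that proofs against different roots cannot each pay out in full.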