Lack Of Total pTokens Minted Tracked

Summary

In the claimPTokens function of the PointTokenVault.sol contract on Line:142-162, there is currently no mechanism to track the total number of pTokens minted for each pointsId. https://github.com/sherlock-audit/2024-07-sense-points-marketplace/blob/main/point-tokenization-vault/contracts/PointTokenVault.sol?plain=1#L142-L162

Root Cause

Current Mechanism:

Claim Tracking: The contract uses the claimedPTokens mapping to record the amount each user has claimed per pointsId.
Minting: Upon claiming, the function calculates a mint fee and mints the net amount of pTokens to the user.

Attack Path

Attack Path:

Indirect Exploitation: While not a direct attack vector, the lack of tracking could be indirectly exploited if decisions are made based on incorrect assumptions about the total supply.

Impact

Potential Issues:

Lack of Aggregate Tracking: The absence of a total supply tracker for each pointsId complicates auditing and verifying the overall distribution of pTokens, which may be necessary for transparency or governance.
Potential for Oversight: Although not a direct security threat, the lack of aggregate tracking could lead to oversight in monitoring the total supply of pTokens, potentially affecting economic models or governance decisions.
Economic Model Risks: If the protocol depends on total supply data for economic calculations or governance, the absence of tracking could result in incorrect assumptions or decisions.

Mitigation

Mitigations:

Total Supply Tracking: Implement a mechanism to track the total number of pTokens minted for each pointsId. This can be achieved by incorporating a counter that increments with each mint operation.

sherlock-audit / 2024-07-sense-points-marketplace-judging

Cool Cream Rhino - Lack Of Total pTokens Minted Tracked #204