User could not receive even part tokens, if mintAmount > cap
Summary
User could not specify amount of tokens for receiving his reward (in L2MessageReceiver.sol) if already minted amount + reward amount, will be more than cap
Vulnerability Details
Let's assume that the cap of a MOR tokens is 1000, and 990 have already been minted.
If the user call claim() and the amount for mint tokens, for example, 20 MOR, then he will not be able to receive them. And even some of them cannot - 10 pieces. He must wait, while someone will burn tokens and minted amount will decrease. but this may never happen, no one may want to burn their tokens.
So, user should have opportunity to specify amount of tokens(if tx from LZ on l2 in L2MessageReceiver has failed(reverted) ) , which he would like receive now. Other part must be stored for future opportunity for this user.
Impact
User will not receive even part of his reward, if reward(amount of MOR that will be mint) + already minted tokens will be greater, that cap value.
Tools Used
Manual review
Recommendations
Mint the maximum possible number of tokens for the user, and save the rest in the contract storage for future opportunities(may be someone will burn his tokens).
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.