Project: One World (NFTDeFi), 15,000 USDC
Submission Details
Severity: medium
Status: Invalid

Users in certain conditions can get fewer rewards due to improper saveProfit function usage


Summary

Right now, there is no restriction on a user transferring his NFT to another user. So there are two possibilities:
1) transfer is allowed

2) transfer should not be allowed, as there is a KYC check for users

Vulnerability Details

According to the current code, if direct transfer is allowed, there can be cases where a user chooses to transfer his NFT to another address, for example because his wallet has been compromised or blacklisted by a token such as USDC, under conditions that may not be his fault.

In the current situation, whenever a user performs a direct transfer, saveProfit is called before the balance is updated.

Now consider a user who holds one token ID, has not claimed yet, and somehow learns that his wallet is about to be blocked by USDC.

If USDC is the reward currency, the problem is as follows:

After the transfer, the total profit accrued so far is saved against his original wallet, and only the rewards accrued after the transfer (the difference at the next sendProfit) can be claimed from the new wallet.

The profit saved in the old wallet is then useless, because he can only claim it through that wallet, which is blocked.
A wallet transfer can happen for any reason, not just this one.

Impact

Rewards are distributed to different wallets after a transfer. Instead, the saved profit should be transferred to the new address as well, and only if the profit has already been claimed (saved profit is 0) should just the NFT be transferred.

Tools Used

Manual Review

Recommendations

The saved-profit accounting should be changed on direct transfer: the reward balances should also be adjusted (added to the new holder and subtracted from the old one) after the transfer.
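As an added illustration of the accounting this report describes (a constructed Python model, not the One World project's code), the following simulates per-NFT reward checkpointing where saveProfit runs before balances change on transfer, and toggles the recommended fix of moving saved profit to the new wallet. All wallet names, amounts and the pro-rata split for partial transfers are this example's assumptions.

```python
from dataclasses import dataclass, field
@dataclass
class RewardLedger:
    move_saved_on_transfer: bool = False  # False = accounting the report describes
    total_supply: int = 0
    index: int = 0                        # cumulative reward paid per NFT so far
    balance: dict = field(default_factory=dict)       # NFTs held per wallet
    user_index: dict = field(default_factory=dict)    # index at wallet's last checkpoint
    saved_profit: dict = field(default_factory=dict)  # checkpointed, unclaimed rewards
    blocked: set = field(default_factory=set)         # wallets the reward token refuses

    def mint(self, to, n=1):
        self.save_profit(to)
        self.balance[to] = self.balance.get(to, 0) + n
        self.total_supply += n

    def send_profit(self, amount):
        self.index += amount // self.total_supply  # spread evenly over all NFTs

    def save_profit(self, user):
        # The report's saveProfit: checkpoint rewards accrued since the last call.
        pending = self.balance.get(user, 0) * (self.index - self.user_index.get(user, 0))
        self.saved_profit[user] = self.saved_profit.get(user, 0) + pending
        self.user_index[user] = self.index

    def transfer(self, frm, to, n=1):
        self.save_profit(frm)  # runs before balances change, as the report states
        self.save_profit(to)
        if self.move_saved_on_transfer:
            # Recommended fix: saved profit moves with the NFT (pro-rata split assumed).
            share = self.saved_profit[frm] * n // self.balance[frm]
            self.saved_profit[frm] -= share
            self.saved_profit[to] += share
        self.balance[frm] -= n
        self.balance[to] = self.balance.get(to, 0) + n

    def claim(self, user):
        if user in self.blocked:  # e.g. an address blocklisted by USDC
            raise PermissionError(f"{user} cannot receive the reward token")
        self.save_profit(user)
        return self.saved_profit.pop(user, 0)

def scenario(fixed):
    # Returns (claimable from the new wallet, stranded in the blocked old wallet).
    L = RewardLedger(move_saved_on_transfer=fixed)
    L.mint("alice"); L.mint("bob")
    L.send_profit(100)          # 50 per NFT; alice has not claimed yet
    L.blocked.add("alice")      # reward token now refuses her old wallet
    L.transfer("alice", "alice_new")
    L.send_profit(100)          # another 50 per NFT accrues to the new wallet
    return L.claim("alice_new"), L.saved_profit.get("alice", 0)
```

With the current behaviour `scenario(False)` leaves 50 stranded in the blocked wallet and only 50 claimable from the new one; with the fix `scenario(True)` makes the full 100 claimable from the new wallet.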

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
