The claim() function in the RewardsDistributor does not always claim all of the pending rewards for a given tokenId. This is because the _claimable() function has a finite for loop that does 50 iterations. However, the withdraw() function in veALCX only calls claim() once before permanently burning the token. This can lead to a permanent freezing of unclaimed yield if the 50 iterations are not sufficient.
Vulnerability Details
The _claimable() function in the RewardsDistributor has the following main loop:
Notice that this loop only does a maximum of 50 iterations. This is fine on its own, because calling claim() multiple times will progress the rewards claiming in multiples of 50 iterations.
However, consider the following code in the withdraw() function of the veALCX contract:
// Claim any unclaimed ALCX rewards and FLUX
IRewardsDistributor(distributor).claim(_tokenId, false);
IFluxToken(FLUX).claimFlux(_tokenId, IFluxToken(FLUX).getUnclaimedFlux(_tokenId));
// Burn the token
_burn(_tokenId, value);
Since this only calls claim() once, this will only do 50 iterations within the _claimable() calculation, which can be insufficient for claiming all of the user's unclaimed ALCX rewards.
Impact Details
Yield is permanently frozen whenever a user calls withdraw() on a tokenId that needs more than 50 iterations to claim remaining rewards. This can happen if the tokenId has been deposited and left alone for a long time (perhaps with maxLockEnabled == true). It can also happen if the user has checkpointed many times before (notice that weekCursor += WEEK only happens in the else case of the main loop, so claim() may not even progress a single week).
References
See the PoC below.
Proof of Concept
I have created the following test file and added it to the tests/ directory:
