Gorgeous Caramel Bird - **A User** may lose their entitled _rewards_ that were accumulated up until when His **staked token ** was purchased/sold in the marketplace

[sherlock-admin2]

Gorgeous Caramel Bird

Medium

A User may lose their entitled rewards that were accumulated up until when His **staked token ** was purchased/sold in the marketplace

Summary

When a staked token is sold on the marketplace, the seller risks losing accumulated rewards due to the absence of an updateRewards call during purchase. Since rewards are calculated based on the current staked balance, the seller forfeits unclaimed rewards once their balance is updated after the sale.

Root Cause

The absence of the updateRewards function call when the purchase function is called results in users potentially receiving less than their entitled accumulated rewards. In some cases, they may not be able to claim any rewards at all—particularly when their entire balance has been listed for sale on the marketplace. This occurs because the system fails to update the user's reward entitlement before the transaction, leading to a loss of previously accumulated rewards.

Internal Pre-conditions

1. A user must list their token on the marketplace. This ensures that they remain entitled to the rewards stream as long as the streaming period has not exceeded the deadline.

2. While the staked token is listed on the marketplace, the user has not claimed any of their accumulated rewards until their staked token is purchased from the marketplace.
   [https://github.com/sherlock-audit/2025-03-pinlink-rwa-tokenized-depin-marketplace/blob/34cd70b66f1dbe191bd6f946e42f58eef4a00166/marketplace-contracts/src/marketplaces/pinlinkShop.sol#L288-L347
   https://github.com/sherlock-audit/2025-03-pinlink-rwa-tokenized-depin-marketplace/blob/34cd70b66f1dbe191bd6f946e42f58eef4a00166/marketplace-contracts/src/marketplaces/streams.sol#L143-L151
   https://github.com/sherlock-audit/2025-03-pinlink-rwa-tokenized-depin-marketplace/blob/34cd70b66f1dbe191bd6f946e42f58eef4a00166/marketplace-contracts/src/marketplaces/streams.sol#L130-L134](url)

External Pre-conditions

There is no interaction with an external protocol

Attack Path

1. A user must list their token on the marketplace. This ensures that they remain entitled to the rewards stream as long as the streaming period has not exceeded the deadline.

2. While the staked token is listed on the marketplace, the user has not claimed any of their accumulated rewards until their staked token is purchased from the marketplace.

3. Since the purchase of the token occurs immediately after the buyer calls the purchase function with the required balance, the token is transferred out of the seller’s balance.

4. When the user attempts to claim their reward, their current staked balance is used to calculate the earned rewards. However, this results in forfeiting the rewards they were entitled to while the token was listed on the marketplace.

Impact

A user who is Incentivised to deposit or leave there stakedToken because of the reward being issued might end up not being rewarded In addition this breaks the Invariant of the protocol that :

Rewards are distributed among owners of the asset, proportionally to their share of fractions
- Users earn rewards while the fractions are in Pinlink shop, regardless if they are listed for sale or not

PoC

No response

Mitigation

Add the updateReward function call in the purchase function so that the mapping(address => uint256) pendingRewards; and updatedRewardsPerStaked; can be updated before the user token balance is updated during purchase