Funders can deny rewards to last claimants by calling refundDeposit between tiers claims

refundDeposit can be called between tiers claims which will result in last claimants not receiving their rewards.

Let's say several funders contributed to a TieredPercentageBountyV1 bounty 1000 USDC and with payoutSchedule == [50,30,20]. When claimants have validated their obligation, they will be able to call permissionedClaimTieredBounty. Consider the following scenario:

The 2nd and 3rd place claimant first call permissionedClaimTieredBounty and together claim 50% of the available USDC or 500 USDC.

A funder call refund and gets 200 USDC back (assuming all USDC are unlocked).

300 USDC are left and the 1st place claimant call permissionedClaimTieredBounty which will revert because in TieredPercentageBountyV1, claimTiered will call _transferToken with 500 USDC as claimedBalance.

There is several scenarios which will all eventually lead for (at least) the last claimant to not receive his rewards.

Funders can grief the last claimants by calling refundDeposit between tiers claims. Winners of a competition will not get their rewards.

Manual Review

The origin of this issue is that the refundDeposit function can be called by funder after the end of a competition. Therefore, I recommend to stop refunds after the closing of a competition by using require(status == OpenQDefinitions.OPEN, Errors.CONTRACT_IS_CLOSED); in BountyCore.refundDeposit. With this added, if nobody claims the rewards the funds would be locked in the contract. Thus, I additionally recommend adding a permissioned function for the bounty issuer to retrieve funds if necessary when the bounty is closed.