
The Protocol Owner or Emergency Resolver cannot unilaterally invalidate an active market, which will cause a permanent lock of collateral for all market participants if the market outcome is impossible to determine (e.g., source API failure, question ambiguity, or real-world event cancellation).
A real-world event associated with questionId is canceled, permanently delayed, or deemed unresolvable.
The Oracle cannot provide a valid merkleRoot because no outcome has occurred.
Market Participants call MarketController.claimWinnings() in MarketController.sol:349.
The transaction reverts due to require(marketResolver.getResolutionStatus(conditionId), "Market not resolved"); in MarketController.sol:357.
Alfa: The issue seems a bit complex, but it is actually quite simple. The merkle root is just how this oracle submits information on-chain, which can then be verified with a proof. The issue itself is that if the off-chain mechanism fails, there is no way for users to get their on-chain collateral back.
Context: Merkle roots are not really needed to understand this issue, but if this annoys you, go read this Cyfrin resource.
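One way to close the gap, as an added sketch that is not the audited protocol's code: keep the resolution check from the finding, and add an invalidation state with a pull-based refund. Only claimWinnings and the "Market not resolved" check come from the finding. Every other name, the ETH collateral, the per-user deposit tracking and the deadline fallback are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch, not the audited protocol's code. Names other than
// claimWinnings are hypothetical; collateral is plain ETH for brevity.
contract MarketEscrowSketch {
    enum Status { Active, Resolved, Invalid }

    address public immutable emergencyResolver;   // assumed trusted role
    mapping(bytes32 => Status) public status;     // conditionId => state
    mapping(bytes32 => uint256) public deadline;  // conditionId => latest resolution time
    mapping(bytes32 => mapping(address => uint256)) public collateral;

    constructor(address resolver) { emergencyResolver = resolver; }

    function openMarket(bytes32 conditionId, uint256 resolveBy) external {
        require(deadline[conditionId] == 0 && resolveBy > block.timestamp, "Bad market");
        deadline[conditionId] = resolveBy;
    }

    function deposit(bytes32 conditionId) external payable {
        require(deadline[conditionId] != 0 && status[conditionId] == Status.Active, "Not active");
        collateral[conditionId][msg.sender] += msg.value;
    }

    // Exit described in the finding. Oracle resolution is left out of this sketch,
    // so the check always reverts here, exactly like the stuck market.
    function claimWinnings(bytes32 conditionId) external view {
        require(status[conditionId] == Status.Resolved, "Market not resolved");
    }

    // Added exit: the resolver may void an active market at any time, and anyone
    // may void it after the deadline. Neither path can move funds.
    function invalidateMarket(bytes32 conditionId) external {
        require(deadline[conditionId] != 0 && status[conditionId] == Status.Active, "Not active");
        require(msg.sender == emergencyResolver || block.timestamp > deadline[conditionId], "Not allowed");
        status[conditionId] = Status.Invalid;
    }

    // Each user pulls back only their own collateral from a voided market.
    function claimRefund(bytes32 conditionId) external {
        require(status[conditionId] == Status.Invalid, "Market not invalid");
        uint256 amount = collateral[conditionId][msg.sender];
        require(amount > 0, "Nothing to refund");
        collateral[conditionId][msg.sender] = 0; // zero the balance before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "Refund failed");
    }
}
```

Invalidation only changes state and users withdraw their own balances, so the privileged role gains no ability to redirect collateral.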
Conclusion
$720 for this finding is actually quite fair imo, no free moneys, but in reality you don't even need to be a dev to come up with it, it's mostly on the business logic side of not handling the offchain failure.