stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: low
Invalid

`SDLPool.sol::_createLock` does not implement a time control on Lock creation, leaving miners in sole control of when a Lock is created

Summary

The `SDLPool.sol::_createLock` function does not implement a time control on Lock creation, leaving miners in sole control of when a Lock is created.

Vulnerability Details

The `SDLPool.sol::_createLock` function does not implement a time control. Such a check should always run before a Lock is created, to ensure the Lock is being created within the duration specified by the Lock owner. If the check fails, the duration within which the user wanted their Lock created has already elapsed, and the call should revert. This gives users control over when their Lock is created, so they can be sure how long they will wait if they choose to lock their stake.

Impact

If, due to unforeseen circumstances, the Lock is not created for days or weeks after a user makes the call to stake their SDL and create a Lock, the user has no way to guard against the Lock being created only after those days or weeks have been wasted. The user would then have additional days or weeks to wait on top of their original locking period, which is uneconomical for the user, as time is money. This scenario can be treated the same way as a user placing a swap on a DEX without setting a minimum output they are okay with, though with a lesser impact.

Tools Used

Manual Review

Recommendations

There should be some sort of `createLockExpiryTime` input representing how long a user is willing to wait for their Lock to be created. Once this time has elapsed and the user's Lock has not yet been created, the call should revert.
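
A sketch of the recommended check, added here as an illustration and not taken from the stake.link code base. The contract, struct, error and function names are hypothetical stand-ins; only `createLockExpiryTime` comes from the recommendation, and it is assumed to be an absolute Unix timestamp. The SDL token transfer is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added illustration only: a minimal stand-in, NOT stake.link's SDLPool.
// All names are hypothetical except createLockExpiryTime (from the recommendation).
contract LockWithExpiryExample {
    struct Lock {
        uint256 amount;
        uint64 startTime; // set when the transaction is actually executed
        uint64 duration;
    }

    error LockCreationExpired(uint256 expiryTime, uint256 currentTime);
    error ZeroAmount();

    event LockCreated(address indexed owner, uint256 index, uint64 startTime, uint64 duration);

    mapping(address => Lock[]) private locks;

    // createLockExpiryTime: latest timestamp at which the caller still wants the
    // Lock created (assumed absolute, like a DEX swap deadline).
    function createLock(
        uint256 amount,
        uint64 lockingDuration,
        uint256 createLockExpiryTime
    ) external returns (uint256 index) {
        // Time control: a transaction can wait unmined for an arbitrary period.
        // If it executes after the caller's cutoff, revert rather than start
        // a locking period later than the caller agreed to.
        // block.timestamp is set by the block producer within protocol limits,
        // so the cutoff is only as precise as block times.
        if (block.timestamp > createLockExpiryTime) {
            revert LockCreationExpired(createLockExpiryTime, block.timestamp);
        }
        if (amount == 0) revert ZeroAmount();

        index = locks[msg.sender].length;
        locks[msg.sender].push(Lock(amount, uint64(block.timestamp), lockingDuration));
        emit LockCreated(msg.sender, index, uint64(block.timestamp), lockingDuration);
    }

    // With the check above, the unlock time can never exceed
    // createLockExpiryTime + lockingDuration.
    function lockEnd(address owner, uint256 index) external view returns (uint256) {
        Lock storage l = locks[owner][index];
        return uint256(l.startTime) + l.duration;
    }
}
```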

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
