Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Lock Duration Extension on Additional Deposits

Summary

In the MarketCreator contract, when a user who already holds a position in a market deposits additional assets through the participateInMarket function, the lockEndTime for their entire position is reset to the current timestamp (block.timestamp) plus the market's predefined lock duration (market.lockDuration). This means that both the existing funds and the newly deposited assets are subject to a refreshed lock period, potentially delaying the user's ability to withdraw or redeem their funds.

Vulnerability Details

The issue stems from the logic implemented in the participateInMarket function. The relevant code is as follows:

    if (position.exists) {
        // Existing position: add to the balance and restart the lock for all of it
        position.amount += amount;
        position.lockEndTime = block.timestamp + market.lockDuration;
    } else {
        // First deposit: create the position with a fresh lock
        userPositions[marketId][msg.sender] = UserPosition(amount, block.timestamp + market.lockDuration, true);
    }

  • For Existing Positions: If the user already has a position in the market, the new deposit amount is added to the existing position, and the lockEndTime is updated to block.timestamp + market.lockDuration. This resets the lock period for the entire position, not just the additional deposit.

  • For New Positions: If the user has no prior position, a new position is created with a lockEndTime set to block.timestamp + market.lockDuration.

Impact

Users might hesitate to deposit additional funds if they realize it extends the lock period for their existing assets. This could discourage participation in the market.
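
The lock reset described in this finding, as an added JavaScript model (not the MarketCreator contract or the project's code). The 30-day LOCK_DURATION, the amounts, the timeline, and the per-tranche accounting used for comparison are all assumptions constructed for illustration.

```javascript
// Added model, not the contract. Times are seconds; amounts are plain integers.
const LOCK_DURATION = 30 * 24 * 3600; // constructed stand-in for market.lockDuration

// Mirrors the quoted branch: one lockEndTime covers the whole position.
function depositSingleLock(position, amount, now) {
  if (position.exists) {
    position.amount += amount;
    position.lockEndTime = now + LOCK_DURATION; // restarts the lock for the full balance
  } else {
    Object.assign(position, { amount, lockEndTime: now + LOCK_DURATION, exists: true });
  }
  return position;
}

function unlockedSingleLock(position, now) {
  return position.exists && now >= position.lockEndTime ? position.amount : 0;
}

// Hypothetical alternative for comparison: every deposit keeps its own lock end.
function depositPerTranche(tranches, amount, now) {
  tranches.push({ amount, lockEndTime: now + LOCK_DURATION });
  return tranches;
}

function unlockedPerTranche(tranches, now) {
  return tranches.filter(t => now >= t.lockEndTime).reduce((sum, t) => sum + t.amount, 0);
}

// Constructed timeline: 1000 at t=0, then 10 one day before the first lock would end.
function runTimeline() {
  const DAY = 24 * 3600;
  const topUpAt = LOCK_DURATION - DAY;
  const single = depositSingleLock({ exists: false }, 1000, 0);
  const tranches = depositPerTranche([], 1000, 0);
  depositSingleLock(single, 10, topUpAt);
  depositPerTranche(tranches, 10, topUpAt);
  return {
    lockEndTime: single.lockEndTime,
    extraLockOnOriginal: single.lockEndTime - LOCK_DURATION, // delay added to the first deposit
    singleAtOriginalExpiry: unlockedSingleLock(single, LOCK_DURATION),
    trancheAtOriginalExpiry: unlockedPerTranche(tranches, LOCK_DURATION),
    singleAtNewExpiry: unlockedSingleLock(single, single.lockEndTime),
  };
}

console.log(runTimeline());
```

In this timeline a top-up of 10 keeps the original 1000 locked for a further 29 days, while the per-tranche model releases the 1000 at its original expiry.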

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
