Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

When User Deposit More Funds Into The Market, The `lockEndTime` Exceeds The `MAX_LOCK_DURATION`

Summary

In the MarketCreator contract, each additional deposit resets the lockEndTime to block.timestamp + market.lockDuration without considering the existing lock period. This can result in the lockEndTime exceeding the intended maximum duration MAX_LOCK_DURATION relative to the original deposit, causing users to wait longer than expected. Such behavior may break protocol expectations and discourage users from making additional deposits.

Vulnerability Details

When a user deposits for the first time, their funds are locked until:

lockEndTime = block.timestamp + market.lockDuration;

For example, with a market.lockDuration of 365 days, an initial deposit at time 0 locks funds until day 365.
If the same user deposits additional funds later—say on day 360—the contract resets the lockEndTime to:

lockEndTime = block.timestamp + market.lockDuration;

At day 360, this results in a new lockEndTime of day 725 (360 + 365), effectively extending the lock period beyond the intended 365 days from the original deposit.

The issue occurs because there is no check that the extended lock created by an additional deposit stays within MAX_LOCK_DURATION.

Impact

  • Extended Lock Period:
    Users may find that their funds remain locked for significantly longer than the advertised MAX_LOCK_DURATION, resulting in frustration and loss of trust.

  • Disincentivized Additional Deposits:
    Since subsequent deposits extend the lock period, users may be discouraged from adding more funds after their initial deposit, negatively impacting market participation and protocol liquidity.

  • Protocol Inconsistency:
    This behavior breaks the protocol’s intended design by allowing the lock period to exceed MAX_LOCK_DURATION, potentially leading to unforeseen issues with fund accessibility and user experience.

Tools Used

Manual review

Recommendations

Enforce a check to verify that the new extension doesn't exceed the MAX_LOCK_DURATION.
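
One way such a check could look, as an added sketch that is not the MarketCreator source or the project's fix: it places the resetting behaviour described above next to a variant capped relative to the deposit that opened the lock. Only lockEndTime, lockDuration and MAX_LOCK_DURATION come from the report; the contract, struct and function names and the 365-day constant are assumptions, and token transfers are omitted so that only the lock accounting is shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; NOT the MarketCreator source. All names are hypothetical
// except lockEndTime, lockDuration and MAX_LOCK_DURATION, which the report names.
contract LockCapSketch {
    uint256 public constant MAX_LOCK_DURATION = 365 days; // assumed value

    struct Position {
        uint256 amount;
        uint256 lockStart;   // time of the deposit that opened the current lock
        uint256 lockEndTime;
    }

    uint256 public immutable lockDuration;
    mapping(address => Position) public positions;

    constructor(uint256 _lockDuration) {
        require(_lockDuration <= MAX_LOCK_DURATION, "duration > max");
        lockDuration = _lockDuration;
    }

    // Behaviour described in the report: every deposit restarts the lock.
    function depositResetting(uint256 amount) external {
        Position storage p = positions[msg.sender];
        p.amount += amount;
        p.lockEndTime = block.timestamp + lockDuration; // day 360 -> day 725
    }

    // Capped variant: the lock never ends later than lockStart + MAX_LOCK_DURATION.
    function depositCapped(uint256 amount) external {
        Position storage p = positions[msg.sender];
        // A position that is empty or already unlocked starts a fresh lock;
        // otherwise a late top-up would be withdrawable immediately.
        if (p.amount == 0 || block.timestamp >= p.lockEndTime) {
            p.lockStart = block.timestamp;
        }
        uint256 proposed = block.timestamp + lockDuration;
        uint256 cap = p.lockStart + MAX_LOCK_DURATION;
        p.lockEndTime = proposed < cap ? proposed : cap;
        p.amount += amount;
    }
}
```

With the cap, a top-up on day 360 unlocks on day 365 together with the original deposit, so that top-up is locked for only 5 days. A design that needs every deposit locked for the full lockDuration would have to track lock times per deposit instead of per user.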

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
