Missing validation check in createPool can result in loss of user funds
Description
The function createPool(...) can be called on an already existing pool when additionalRate > 0 && lockupPeriod == 0. The check for a pre-existing pool in initPool only addresses the case of (lockupPeriod >= MIN_LOCKUP && additionalRate == 0), because it relies on the following check: require(pools[poolId].lockupPeriod == 0, 'ER002').
Impact
A malicious user could recreate an already existing pool. This would reset the PoolQueue(...), which tracks the positions in the queue of the consumer and producer orders. These orders would effectively be taken out of the matching algorithm. If the pool had only processed a limited number of orders, the previous orders could easily be overwritten and could no longer be modified using modifyExistingOrder(...). Once overwritten, there would be no way to retrieve the funds from the PoolSmartWallet.
Recommendations
Expand the require checks in initPool(...) to the following:
function initPool(
    address asset,
    address vault,
    uint80 rate,
    uint80 _additional_rate,
    uint32 lockupPeriod,
    uint packetSize
) private returns (bytes32 poolId) {
    poolId = getPoolId(asset, vault, rate, _additional_rate, lockupPeriod, packetSize);
    // A valid pool always has either a lockup period or an additional rate set,
    // so an occupied slot is detected in both pool modes.
    require(pools[poolId].lockupPeriod == 0 && pools[poolId].addInterestRate == 0, 'ER002');
    // ... remainder of initPool unchanged
}
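To make the gap concrete, the following minimal registry is an added example written for this finding, not Revest's contract. It models the two pool modes described above and places the original existence check beside the expanded one. The struct layout, the MIN_LOCKUP value, the getPoolId derivation and the mode validation in createPool are assumptions made for illustration; only the two require conditions come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example modelling the finding; this is not the Revest contract.
contract PoolExistenceCheckExample {
    // Assumed layout: only the fields the existence checks read matter here.
    struct Pool {
        address asset;
        address vault;
        uint80 rate;
        uint80 addInterestRate;
        uint32 lockupPeriod;
        uint256 packetSize;
    }

    // Placeholder value; the real MIN_LOCKUP is defined by the project.
    uint32 public constant MIN_LOCKUP = 1 days;

    mapping(bytes32 => Pool) public pools;

    // Assumed derivation: the real getPoolId may hash differently, but the
    // point is that identical parameters always map to the same slot.
    function getPoolId(
        address asset,
        address vault,
        uint80 rate,
        uint80 additionalRate,
        uint32 lockupPeriod,
        uint256 packetSize
    ) public pure returns (bytes32) {
        return keccak256(abi.encode(asset, vault, rate, additionalRate, lockupPeriod, packetSize));
    }

    // Original check: an empty slot and a pool created with lockupPeriod == 0
    // look identical, so a rate-based pool (lockupPeriod == 0, additionalRate > 0)
    // is never detected as existing.
    function existsOriginal(bytes32 poolId) public view returns (bool) {
        return pools[poolId].lockupPeriod != 0;
    }

    // Expanded check from the recommendation: every valid pool has at least one
    // of the two fields set, so an occupied slot is detected in both modes.
    function existsExpanded(bytes32 poolId) public view returns (bool) {
        Pool storage p = pools[poolId];
        return p.lockupPeriod != 0 || p.addInterestRate != 0;
    }

    function createPool(
        address asset,
        address vault,
        uint80 rate,
        uint80 additionalRate,
        uint32 lockupPeriod,
        uint256 packetSize
    ) external returns (bytes32 poolId) {
        // Assumed mode validation, following the two pool modes named in the finding.
        bool lockupMode = lockupPeriod >= MIN_LOCKUP && additionalRate == 0;
        bool rateMode = lockupPeriod == 0 && additionalRate > 0;
        require(lockupMode || rateMode, "invalid pool mode");

        poolId = getPoolId(asset, vault, rate, additionalRate, lockupPeriod, packetSize);

        // With existsOriginal here, a second call with the same rate-mode
        // parameters would pass and overwrite the stored pool.
        require(!existsExpanded(poolId), "ER002");

        pools[poolId] = Pool(asset, vault, rate, additionalRate, lockupPeriod, packetSize);
    }
}
```

A regression test for this finding creates a pool with lockupPeriod == 0 and additionalRate > 0, calls createPool again with identical parameters, and expects the second call to revert with ER002; with existsOriginal in place of existsExpanded that second call succeeds, which is exactly the condition the finding describes.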
Remediation
This finding was remediated by Revest in commit f19896868dd2be5c745c66d9d75219f6b04a593c.