Double-refund vulnerability in release_creation_deposit

[hman38705]

Description
release_creation_deposit (Line 211) checks if market.creation_deposit > 0 and then performs a transfer. However, it does not set the market.creation_deposit field to 0 after the transfer. A malicious actor (or even a bug in the loop) could repeatedly call this function as long as the market remains Resolved, draining the contract's balance if multiple depositors are involved.

Requirements and context

• Set the deposit amount in the market struct to 0 immediately after a successful transfer.
• Implement the Checks-Effects-Interactions pattern strictly.

Suggested execution

• Fork the repo and create a branch: git checkout -b fix/issue-83-double-refund-guard
• Update the deposit release logic.

Implementation changes

• Modify markets.rs (around line 228) to update the market state before or immediately after the transfer.

Test and commit

• Verify that a second call to release_creation_deposit for the same market returns successfully but performs no transfer.

Example commit message
fix: prevent double-refund of creation deposits by zeroing state after release

Guidelines

• Re-entrancy and double-spend protection.
• Timeframe: 24 hours.

[manuelusman73-png]

@manuelusman73-png has applied to work on this issue as part of the Stellar Wave Program's 3rd wave.

Hi Maintainer Can I work on this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @manuelusman73-png to this issue.

[drips-wave]

Congratulations, @manuelusman73-png! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on March 30, 2026.

🧑‍💻 @manuelusman73-png: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊