[HIGH] Distributed lock TTL expires during long Stellar operations

[DeFiVC]

Description

The distributed lock in src/utils/lock.ts:13-19 uses PX ttlMs with a 10s default TTL. Stellar contract invocations involve Horizon load, simulation, and submission — easily exceeding 10s. When TTL expires, Redis auto-releases the lock, and a concurrent request acquires it, defeating double-claim/double-mint protection.

No lock renewal/heartbeat mechanism exists.

Impact

Mutual exclusion is lost for any operation exceeding 10s. Critical for reward claiming and credential minting which call external Stellar APIs.

File

src/utils/lock.ts:13-19
Called by: src/modules/rewards/reward.service.ts:93, src/modules/credentials/credential.service.ts:30

Suggested Fix

Increase the default TTL (e.g., 30s) and implement a heartbeat/renewal mechanism that extends the TTL while the lock holder is still working.

[Clement-coder]

Hello, I'm a Full Stack Blockchain, Mobile, and Software Engineer with experience building scalable applications, smart contracts, APIs, and modern user-focused products.

I've reviewed this issue and understand the requirements and expected outcome. My background allows me to quickly analyze problems, implement efficient solutions, and maintain high code quality throughout development. I'm confident in my ability to deliver a clean, well-tested, and maintainable solution, and I'd be excited to contribute to this project.

[Mitch5000]

Hi Boss... I can handle this professionally and make sure that your issue is closed quickly without errors.

[Menjay7]

Hi! I came across this issue and would love to work on it. I have experience with similar tasks and I'm confident I can investigate, implement a clean solution, and thoroughly test it before submitting a PR. If the issue is still open, I would appreciate it if you could assign it to me. Thank you!

[9904099]

Submitted PR: #43

What changed:

• The shared Redis withLock helper now renews the TTL while the protected operation is still running.
• Renewal uses the same random lock token as release, so it cannot extend or delete another holder's lock.
• The default TTL is increased to 30s, and renewal failures are contained so transient Redis errors do not crash the active Stellar operation.
• Added focused unit coverage for renewal during a long operation and the token-guard behavior when the lock value changes.

Validation completed:

• npm ci --ignore-scripts --no-audit --no-fund
• npm test -- tests/unit/utils/lock.test.ts
• npm test -- tests/unit/services/concurrent-safety.test.ts
• npm run typecheck
• npm run build
• git diff --check

Public contact for reward follow-up if accepted: 50889616@qq.com

[grantfox-oss]

🦊 GrantFox — @Mitch5000 has been assigned to this issue as part of the Official Campaign campaign!

Next steps:

1. Open a Pull Request referencing this issue (e.g., Closes #27)
2. Your PR will be reviewed by the ChainLearnOfficial maintainers

Good luck! Track your progress on GrantFox.

[grantfox-oss]

🎉 This issue has been marked as completed on GrantFox as part of the Official Campaign campaign!

@Mitch5000's PR #55 was approved and merged by @DeFiVC.

🏆 @Mitch5000: You earned 35 FoxPoints for this contribution! Your current tier: Explorer (191 total points). Track your full progress on GrantFox.

👏 Great work, @Mitch5000! Keep contributing to ChainLearnOfficial.