I'd think that's actually by design. If entering a duplicate URL forced it to reset the expiration, for example, you could effectively have a script that just kept submitting the URL and make a permanent link to whatever site you were targeting. A captcha could fix that (perhaps some kind of check for number of times a URL was re-submitted, and if too many, start doing CAPTCHA). Or a maximum time-period for a link to be active including refreshes (say something like 48-96 hours).
But yes, I imagine the word-pool can get exhausted fairly quickly under an attack.
I think that the maximal renewal time should be proportional to the expiration time.
If, for example, the original expiration time is 5 minute, during the first 5 minutes any new resubmission of the URL gets the same address, and the time is extended to 5 minutes. After these 5 minutes, the address is still available if it life was extended, but any new resubmission get another address.
In this way the shortcut is active between 5 and 10 minutes, and at any time there are at most two shortcuts for each original URL (for each expiration interval).
But yes, I imagine the word-pool can get exhausted fairly quickly under an attack.