Core Contracts
Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC

Submission Details
Severity: medium
Valid

The getNFTPrice function in the LendingPool contract does not validate whether the price is stale

Summary

The getNFTPrice function in the LendingPool contract retrieves the latest price and timestamp of an NFT from the price oracle but does not validate whether the price is stale. If the lastUpdateTimestamp is significantly behind the current block timestamp, the price could be outdated, leading to incorrect NFT valuation. This vulnerability can result in incorrect borrowing, liquidation, and collateralization calculations, potentially compromising the integrity of the lending protocol.

Vulnerability Details

The current getNFTPrice function retrieves the price and timestamp from the oracle but does not check if the timestamp is recent enough:

function getNFTPrice(uint256 tokenId) public view returns (uint256) {
    (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
    if (price == 0) revert InvalidNFTPrice();
    return price;
}

Stale prices can lead to overvaluation or undervaluation of NFT collateral, affecting borrowing limits and liquidation thresholds. Malicious users could exploit stale prices to borrow more than their collateral is worth or avoid liquidation when their collateral value has dropped. Incorrect valuations can destabilize the protocol, leading to financial losses for lenders and other participants.

Impact

The impact is High, the likelihood is Low, so the severity is Medium.

Tools Used

Manual Review

Recommendations

To mitigate this issue, we can introduce a maximum allowed age for the price data. If the lastUpdateTimestamp is older than this threshold, the function should revert, indicating that the price data is stale.

// Maximum allowed age for price data (e.g., 1 hour)
uint256 public constant MAX_PRICE_AGE = 1 hours;

/**
 * @notice Gets the current price of an NFT from the oracle
 * @param tokenId The token ID of the NFT
 * @return The price of the NFT
 * @dev Reverts if the price is stale (lastUpdateTimestamp is older than MAX_PRICE_AGE)
 */
function getNFTPrice(uint256 tokenId) public view returns (uint256) {
    (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
    // Check if the price is zero
    if (price == 0) revert InvalidNFTPrice();
    // Check if the price data is stale
    if (block.timestamp > lastUpdateTimestamp + MAX_PRICE_AGE) {
        revert StalePriceData();
    }
    return price;
}
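As an added illustration (not the protocol's code and not part of the submission), the following JavaScript models the unchecked and the recommended versions of getNFTPrice against a constructed oracle stub so the staleness bound can be exercised offline; the oracle stub, token, prices and timestamps are assumed values, and MAX_PRICE_AGE is the contract's 1 hours expressed in seconds.

```javascript
// Added illustration: models the oracle read path of LendingPool.getNFTPrice
// and compares the unchecked version against the one bounded by MAX_PRICE_AGE.
const MAX_PRICE_AGE = 3600; // `1 hours` in Solidity, in seconds

class InvalidNFTPrice extends Error {}
class StalePriceData extends Error {}

// Constructed stand-in for priceOracle.getLatestPrice(tokenId): returns the
// latest (price, lastUpdateTimestamp) pair recorded for the token, or (0, 0).
function makeOracle(updates) {
  return {
    getLatestPrice: (tokenId) => {
      const u = updates[tokenId];
      return u ? [u.price, u.timestamp] : [0n, 0];
    },
  };
}

// Behaviour of the current getNFTPrice: only the zero-price check.
function getNFTPriceUnchecked(oracle, tokenId, blockTimestamp) {
  const [price] = oracle.getLatestPrice(tokenId);
  if (price === 0n) throw new InvalidNFTPrice();
  return price;
}

// Recommended version: mirrors `block.timestamp > lastUpdateTimestamp + MAX_PRICE_AGE`,
// so a reading exactly MAX_PRICE_AGE old is still accepted, one second older is not.
function getNFTPriceChecked(oracle, tokenId, blockTimestamp) {
  const [price, lastUpdateTimestamp] = oracle.getLatestPrice(tokenId);
  if (price === 0n) throw new InvalidNFTPrice();
  if (blockTimestamp > lastUpdateTimestamp + MAX_PRICE_AGE) throw new StalePriceData();
  return price;
}

// Constructed scenario: token 1 was last priced at 100 USDC (6 decimals) three
// hours before the block being evaluated. The unchecked read still returns that
// figure for collateral math; the checked read refuses it as stale.
function compare() {
  const now = 1_700_000_000;
  const oracle = makeOracle({ 1: { price: 100n * 10n ** 6n, timestamp: now - 3 * 3600 } });
  const result = { unchecked: getNFTPriceUnchecked(oracle, 1, now), checked: null };
  try {
    result.checked = getNFTPriceChecked(oracle, 1, now);
  } catch (e) {
    result.checked = e.constructor.name;
  }
  return result;
}

console.log(compare());
```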

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops