In LendingPool, the getNFTPrice() function is used to fetch NFT prices from the price oracle. The price query returns the price and the last update timestamp of the NFT. The variable lastUpdateTimestamp is never checked; as a result, the function will accept stale price inputs. (There is a separate issue with the last update timestamp; however, in this issue report we will assume that it "just works".)
The function getNFTPrice() is implemented in LendingPool.sol:
It queries the price data for an NFT. The query returns the price and the last update timestamp; however, the freshness of the timestamp is not checked, and the function may return a stale price as a result.
User collateral value is calculated based on this data source. Stale price data may cause issues in all functions that rely on proper collateral value calculation, including but not limited to:
Borrowing
NFT withdrawal
Health factor calculation and, as a result, liquidations
Manual review
Consider implementing a data freshness check, such as:
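One possible shape for such a check, as an added example rather than the report's or the project's own code. The oracle interface, the `FreshPriceReader` wrapper, the `getFreshNFTPrice` name and the `MAX_PRICE_AGE` value are all assumptions, since the real oracle signature is not shown here:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical oracle interface: it only mirrors the (price, lastUpdateTimestamp)
// pair the report says the price query returns.
interface INFTPriceOracle {
    function getNFTPrice(address collection, uint256 tokenId)
        external
        view
        returns (uint256 price, uint256 lastUpdateTimestamp);
}

contract FreshPriceReader {
    // Assumed maximum acceptable age; set it from the oracle's real update cadence.
    uint256 public constant MAX_PRICE_AGE = 1 hours;

    INFTPriceOracle public immutable oracle;

    error StalePrice(uint256 lastUpdateTimestamp, uint256 currentTimestamp);
    error TimestampInFuture(uint256 lastUpdateTimestamp, uint256 currentTimestamp);
    error ZeroPrice();

    constructor(INFTPriceOracle oracle_) {
        oracle = oracle_;
    }

    // Returns the oracle price only if it was updated within MAX_PRICE_AGE.
    function getFreshNFTPrice(address collection, uint256 tokenId)
        public
        view
        returns (uint256)
    {
        (uint256 price, uint256 lastUpdateTimestamp) =
            oracle.getNFTPrice(collection, tokenId);

        // A timestamp ahead of the block would underflow the age subtraction
        // below; reject it with a specific error instead of a generic panic.
        if (lastUpdateTimestamp > block.timestamp) {
            revert TimestampInFuture(lastUpdateTimestamp, block.timestamp);
        }
        if (block.timestamp - lastUpdateTimestamp > MAX_PRICE_AGE) {
            revert StalePrice(lastUpdateTimestamp, block.timestamp);
        }
        // An unset or zeroed feed must not be treated as a valid collateral price.
        if (price == 0) revert ZeroPrice();

        return price;
    }
}
```

Reverting on a stale price makes borrowing, NFT withdrawal and liquidation fail closed while the oracle is out of date, so the chosen age bound has to tolerate the oracle's normal update interval.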