Core Contracts

Regnum Aurum Acquisition Corp
Hardhat · Real World Assets · NFT
Prize pool: 77,280 USDC

Submission Details
Severity: medium
Status: Valid

No Check On Price Staleness Leading To Bad Debts In The Protocol

Summary

The protocol relies on a single priceOracle for NFT prices, which can be manipulated or compromised, leading to incorrect collateral valuations.

Vulnerability Details

The getNFTPrice function fetches prices from a centralized oracle without staleness checks or fallback mechanisms:

    function getNFTPrice(uint256 tokenId) public view returns (uint256) {
        // The oracle returns the time of the reading, but it is never used
        (uint256 price, uint256 timestamp) = priceOracle.getLatestPrice(tokenId);
        require(price > 0, "Invalid NFT price");
        return price; // @audit no staleness check
    }

Impact

  • Incorrect Valuations: Attackers can manipulate NFT prices to borrow excessive funds.

  • Bad Debt: Protocol accumulates undercollateralized loans during market crashes.

Tools Used

Manual review

Recommendations

Add staleness checks and circuit breakers (the `+` line is the addition; MAX_ORACLE_STALE_TIME is a constant the protocol must define, e.g. in seconds):

    function getNFTPrice(uint256 tokenId) public view returns (uint256) {
        (uint256 price, uint256 timestamp) = priceOracle.getLatestPrice(tokenId);
        require(price > 0, "Invalid NFT price");
    +   require(block.timestamp - timestamp <= MAX_ORACLE_STALE_TIME, "Stale price");
        return price;
    }

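The following is an added example, not code from the Regnum Aurum repository, showing how the recommended staleness check and a price-deviation circuit breaker can be combined in one consumer contract. The IPriceOracle interface mirrors the getLatestPrice signature used in the finding; the constants MAX_ORACLE_STALE_TIME and MAX_PRICE_DEVIATION_BPS, the custom errors, the checkedNFTPrice entry point and the MockPriceOracle used for local Hardhat tests are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the project's code). The interface mirrors the oracle call in the
// finding; every other name below is an assumption for illustration.
interface IPriceOracle {
    function getLatestPrice(uint256 tokenId)
        external
        view
        returns (uint256 price, uint256 timestamp);
}

contract NFTPriceConsumer {
    IPriceOracle public immutable priceOracle;

    // Assumed thresholds: a reading older than one hour is rejected, and a move of more
    // than 20% against the last accepted price trips the circuit breaker.
    uint256 public constant MAX_ORACLE_STALE_TIME = 1 hours;
    uint256 public constant MAX_PRICE_DEVIATION_BPS = 2_000;
    uint256 private constant BPS = 10_000;

    // Last price accepted per tokenId; the reference for the deviation check.
    mapping(uint256 => uint256) public lastAcceptedPrice;

    error InvalidPrice(uint256 tokenId);
    error FutureTimestamp(uint256 tokenId, uint256 timestamp);
    error StalePrice(uint256 tokenId, uint256 age);
    error PriceDeviation(uint256 tokenId, uint256 previous, uint256 current);

    constructor(IPriceOracle oracle) {
        priceOracle = oracle;
    }

    // Staleness-checked read: rejects zero, future-dated and outdated readings.
    function getNFTPrice(uint256 tokenId) public view returns (uint256) {
        (uint256 price, uint256 timestamp) = priceOracle.getLatestPrice(tokenId);
        if (price == 0) revert InvalidPrice(tokenId);
        // Explicit check instead of relying on the 0.8 underflow revert of block.timestamp - timestamp
        if (timestamp > block.timestamp) revert FutureTimestamp(tokenId, timestamp);
        uint256 age = block.timestamp - timestamp;
        if (age > MAX_ORACLE_STALE_TIME) revert StalePrice(tokenId, age);
        return price;
    }

    // Entry point for collateral valuation: staleness check plus deviation circuit breaker.
    // The first reading for a tokenId is accepted as-is and becomes the reference.
    function checkedNFTPrice(uint256 tokenId) external returns (uint256 price) {
        price = getNFTPrice(tokenId);
        uint256 previous = lastAcceptedPrice[tokenId];
        if (previous != 0) {
            uint256 diff = price > previous ? price - previous : previous - price;
            // diff / previous > MAX_PRICE_DEVIATION_BPS / BPS, rearranged to avoid division
            if (diff * BPS > previous * MAX_PRICE_DEVIATION_BPS) {
                revert PriceDeviation(tokenId, previous, price);
            }
        }
        lastAcceptedPrice[tokenId] = price;
    }
}

// Mock oracle for local tests: price and timestamp are set explicitly so a test can
// feed a fresh reading, a stale reading and a large jump and assert on each revert.
contract MockPriceOracle is IPriceOracle {
    struct Reading {
        uint256 price;
        uint256 timestamp;
    }

    mapping(uint256 => Reading) private readings;

    function set(uint256 tokenId, uint256 price, uint256 timestamp) external {
        readings[tokenId] = Reading(price, timestamp);
    }

    function getLatestPrice(uint256 tokenId) external view returns (uint256, uint256) {
        Reading memory r = readings[tokenId];
        return (r.price, r.timestamp);
    }
}
```

In a Hardhat test the MockPriceOracle can be deployed, set to (price, block.timestamp) for a fresh reading and to (price, block.timestamp - 2 hours) for a stale one, and the consumer's reverts checked with expect(...).to.be.revertedWithCustomError. One design point worth deciding up front: a deviation circuit breaker that reverts on large moves also blocks liquidations during a genuine crash, so protocols typically pair it with a governance or keeper path that can acknowledge the new level, rather than leaving positions frozen at the old valuation.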
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.