Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Missing oracle staleness check enables use of outdated NFT prices

Summary

The LendingPool's getNFTPrice() function retrieves NFT prices from the oracle without validating the age of the price data. While the function receives a timestamp from the oracle, it does not implement any staleness checks, potentially allowing critically outdated price data to be used for collateral calculations.

Vulnerability Details

The getNFTPrice() function in LendingPool retrieves prices from the oracle but ignores the timestamp:

```solidity
function getNFTPrice(uint256 tokenId) public view returns (uint256) {
    (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
    if (price == 0) revert InvalidNFTPrice();
    return price;
}
```

The function:

  1. Retrieves both price and lastUpdateTimestamp from the oracle

  2. Validates the price is non-zero

  3. Ignores the lastUpdateTimestamp completely

  4. Returns the price regardless of how old it is

This price data is used in critical collateral calculations, including:

  • Calculating user health factors

  • Determining maximum borrow amounts

  • Making liquidation decisions

Impact

Without staleness checks, the system could use severely outdated price data for critical operations:

  1. In normal market conditions:

    • House prices typically move slowly, mitigating some risk

    • However, even normal market movements could become significant if prices are months or years old

  2. In crisis conditions:

    • Real estate prices can experience rapid declines

    • Using stale prices could prevent timely liquidations

    • System could allow borrowing against inflated historical valuations

  3. In oracle failure scenarios:

    • If the oracle stops updating, the system would continue using the last known price indefinitely

    • No mechanism exists to detect or prevent this condition

The impact is somewhat mitigated by the natural stability of real estate prices compared to more volatile assets, but remains significant given the critical nature of price data in lending operations.

Recommendations

Implement appropriate staleness checks in the getNFTPrice() function:

```diff
function getNFTPrice(uint256 tokenId) public view returns (uint256) {
    (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
    if (price == 0) revert InvalidNFTPrice();
+
+   // Revert if price data is too old
+   uint256 maxAge = 30 days; // Adjust based on protocol requirements
+   if (block.timestamp > lastUpdateTimestamp + maxAge) revert StalePrice();
+
    return price;
}
```

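As an added illustration (not the project's code), the guarded getter below goes slightly beyond the recommendation: it also rejects a timestamp from the future, which is an oracle fault rather than fresh data, and ships with a mock oracle so a unit test can set an old or future timestamp and assert the revert. The interface name, error names and the 30-day window are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed oracle interface, shaped after the call in the finding.
interface IPriceOracle {
    function getLatestPrice(uint256 tokenId)
        external view returns (uint256 price, uint256 lastUpdateTimestamp);
}

contract StalenessGuardedPool {
    error InvalidNFTPrice();
    error StalePrice(uint256 tokenId, uint256 lastUpdateTimestamp, uint256 maxAge);
    error FuturePriceTimestamp(uint256 tokenId, uint256 lastUpdateTimestamp);

    IPriceOracle public immutable priceOracle;
    // Real-estate valuations move slowly, so a longer window than for volatile
    // assets is defensible; 30 days is an illustrative assumption, not a recommendation.
    uint256 public constant MAX_PRICE_AGE = 30 days;

    constructor(IPriceOracle oracle) { priceOracle = oracle; }

    function getNFTPrice(uint256 tokenId) public view returns (uint256) {
        (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
        if (price == 0) revert InvalidNFTPrice();
        // A timestamp ahead of the chain is bad oracle data, not a fresh price.
        if (lastUpdateTimestamp > block.timestamp) revert FuturePriceTimestamp(tokenId, lastUpdateTimestamp);
        // Safe to subtract after the check above; the revert reports the context a monitor needs.
        if (block.timestamp - lastUpdateTimestamp > MAX_PRICE_AGE) {
            revert StalePrice(tokenId, lastUpdateTimestamp, MAX_PRICE_AGE);
        }
        return price;
    }
}

// Test double: lets a unit test feed an old or future timestamp and assert the revert.
contract MockPriceOracle is IPriceOracle {
    mapping(uint256 => uint256) private prices;
    mapping(uint256 => uint256) private updatedAt;

    function setPrice(uint256 tokenId, uint256 price, uint256 timestamp) external {
        prices[tokenId] = price;
        updatedAt[tokenId] = timestamp;
    }

    function getLatestPrice(uint256 tokenId) external view returns (uint256, uint256) {
        return (prices[tokenId], updatedAt[tokenId]);
    }
}
```

In a Hardhat or Foundry test, set a price with `timestamp = block.timestamp - 31 days` and expect `StalePrice`; the unguarded version from the finding returns the price in the same scenario.
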
Updates

Lead Judging Commences

inallhonesty Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops

