Lack of check for NFT price lastUpdateTimestamp, it might cause calculation for collateral have a wrong result because of stale price
Summary
Lack of check for NFT price lastUpdateTimestamp, it might cause calculation for collateral have a wrong result because of stale price
Vulnerability Details
Collateral value of the user is determined from the price of RAACNFT.sol. This value is obtained by calling the function getUserCollateralValue() -> getNFTPrice().
Problem arise when reading the NFT price data, the main problem is that there is no check whether the price is the most updated price or a stale price because based on information from the protocol team, the NFT price will be updated at least 2-3 times a year.
In this way, the use of stale price can cause miscalculation for collateral value for user and can be detrimental to them (in worst case leading to the user being liquidated).
Impact
Miscalculation for collateral value for user
Tools Used
Manual Review
Recommended Mitigation
Consider add check for lastUpdateTimestamp
Lead Judging Commences
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.