Users can exploit mempool visibility to withdraw their NFT at a stale price before an updated, lower price is set by the oracle.
RAACHousePriceOracle::_processResponse calls RAACHousePrices::setHousePrice to set the price of a house NFT from the off-chain API oracle response.
Imagine a scenario where there is a sudden crash in the price of the NFT and the user is monitoring the mempool. They see that the oracle/owner has called RAACHousePrices::setHousePrice with a significantly lower value for their NFT. Say it was worth 100 and setHousePrice is called with 50: the user can see this pending call in the mempool and withdraw their NFT at the stale price.
This allows users to front-run price updates and withdraw their NFT at an outdated valuation, leading to financial discrepancies and potential losses for the protocol.
It is tricky, but something like this could help: When a price change is about to occur, implement a lock on the NFT in question, so that the user cannot withdraw their NFT. Only then call the setHousePrice function with the new value so that it is not visible in the mempool before the lock. This could work, because the user would only see the lock action, and they cannot know whether the price of their NFT will rise or fall, so they don’t have an incentive to withdraw immediately.
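A minimal Solidity sketch of the lock-then-update flow recommended above, added here as an example and not taken from the RAAC code base. The contract name, the lockForUpdate, deposit and withdrawNFT functions, the depositor mapping and the MAX_LOCK_BLOCKS expiry are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added sketch; all names are hypothetical, not RAAC's code. NFT custody is
// reduced to a `depositor` mapping and access control to one `oracle` address.
contract LockedPriceUpdateSketch {
    address public immutable oracle;
    uint256 public constant MAX_LOCK_BLOCKS = 50; // assumed cap so a stalled oracle cannot freeze withdrawals
    mapping(uint256 => uint256) public price;         // tokenId => last accepted price
    mapping(uint256 => uint256) public lockedAtBlock; // tokenId => block of pending lock, 0 = none
    mapping(uint256 => address) public depositor;     // tokenId => account allowed to withdraw

    event Withdrawn(uint256 indexed tokenId, address indexed to, uint256 valuation);
    error NotOracle();
    error NotDepositor();
    error AlreadyDeposited(uint256 tokenId);
    error UpdatePending(uint256 tokenId);
    error NoMinedLock(uint256 tokenId);

    modifier onlyOracle() {
        if (msg.sender != oracle) revert NotOracle();
        _;
    }
    constructor(address oracle_) { oracle = oracle_; }

    function deposit(uint256 tokenId) external {
        if (depositor[tokenId] != address(0)) revert AlreadyDeposited(tokenId);
        depositor[tokenId] = msg.sender;
    }
    function isLocked(uint256 tokenId) public view returns (bool) {
        uint256 at = lockedAtBlock[tokenId];
        return at != 0 && block.number <= at + MAX_LOCK_BLOCKS;
    }
    // Step 1: carries no price, so the pending transaction reveals no direction.
    function lockForUpdate(uint256 tokenId) external onlyOracle {
        lockedAtBlock[tokenId] = block.number;
    }
    // Step 2: accepted only while the lock is live and was mined in an earlier block,
    // so lock and price cannot land together. The oracle must still broadcast this
    // call only after the lock is mined, or the price is visible before the lock applies.
    function setHousePrice(uint256 tokenId, uint256 newPrice) external onlyOracle {
        if (!isLocked(tokenId) || block.number <= lockedAtBlock[tokenId]) revert NoMinedLock(tokenId);
        price[tokenId] = newPrice;
        delete lockedAtBlock[tokenId];
    }
    // Withdrawal is refused while an update is pending, so it cannot use a stale price.
    function withdrawNFT(uint256 tokenId) external {
        if (msg.sender != depositor[tokenId]) revert NotDepositor();
        if (isLocked(tokenId)) revert UpdatePending(tokenId);
        delete depositor[tokenId];
        emit Withdrawn(tokenId, msg.sender, price[tokenId]);
    }
}
```

If the lock expires before the price arrives, setHousePrice reverts and the oracle has to lock again, which keeps the price out of the mempool while withdrawals are open.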