Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Missing Staleness Check in Oracle Price Updates

Summary

The protocol does not enforce a staleness check on oracle price updates, allowing outdated prices to be used in critical calculations.

Details

RAACHousePriceOracle::_processResponse calls RAACHousePrices::setHousePrice to set the price of a house NFT from the off-chain API oracle response; LendingPool::getNFTPrice then reads that stored price.

The problem is that no staleness check is implemented anywhere in this flow. In getNFTPrice, lastUpdateTimestamp is pulled from getLatestPrice but never used.

There is no guarantee that the oracle returns up-to-date prices, and the protocol, as the flow is currently handled, neither checks nor ensures that this is the case.

Impact

The absence of a staleness check exposes the protocol to risks where lending decisions are based on outdated or incorrect prices. This could lead to undercollateralization, inaccurate liquidations, or price manipulation exploits.

Recommendation

Implement a staleness check to ensure that only recent and valid prices are used. Before accepting a price update, verify its timestamp against an acceptable threshold to mitigate the risk of outdated or manipulated data.
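The following Solidity is an added illustration of the unchecked read described in the Details section and of the check recommended above. It is not the protocol's code: the RAACHousePrices interface, the getLatestPrice signature returning (price, lastUpdateTimestamp), and the 24-hour MAX_PRICE_AGE threshold are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal interface for the price store. The report says getNFTPrice
// obtains lastUpdateTimestamp from getLatestPrice; the exact signature in the
// protocol's code base is an assumption here.
interface IRAACHousePrices {
    function getLatestPrice(uint256 tokenId)
        external
        view
        returns (uint256 price, uint256 lastUpdateTimestamp);
}

// Simplified consumer showing the flawed read beside the hardened one.
contract LendingPoolPriceExample {
    IRAACHousePrices public immutable priceOracle;

    // Assumed maximum acceptable age for a house price. The right value
    // depends on how often the off-chain oracle actually refreshes prices.
    uint256 public constant MAX_PRICE_AGE = 24 hours;

    error InvalidPrice(uint256 tokenId);
    error StalePrice(uint256 tokenId, uint256 lastUpdateTimestamp, uint256 maxAge);

    constructor(IRAACHousePrices _priceOracle) {
        priceOracle = _priceOracle;
    }

    // BEFORE (the pattern the finding describes): the timestamp is read
    // but has no effect, so any stored price is accepted regardless of age.
    function getNFTPriceUnchecked(uint256 tokenId) external view returns (uint256) {
        (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
        lastUpdateTimestamp; // unused: this is the defect
        return price;
    }

    // AFTER: reject unset prices and prices older than MAX_PRICE_AGE.
    // A future-dated timestamp is also rejected so the age subtraction
    // cannot underflow or be bypassed by a bad update.
    function getNFTPrice(uint256 tokenId) external view returns (uint256) {
        (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
        if (price == 0) revert InvalidPrice(tokenId);
        if (
            lastUpdateTimestamp > block.timestamp ||
            block.timestamp - lastUpdateTimestamp > MAX_PRICE_AGE
        ) {
            revert StalePrice(tokenId, lastUpdateTimestamp, MAX_PRICE_AGE);
        }
        return price;
    }
}
```

Reverting rather than falling back to a default is the conservative choice for a lending pool: a stale collateral price should block borrows and liquidations that depend on it until the oracle is refreshed, instead of letting those actions proceed on a value that may no longer reflect the market.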

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops

