Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Incorrect price scaling in `RAACHousePriceOracle::_processResponse`

Summary

The `_processResponse` function in `RAACHousePriceOracle` does not account for the price scaling factor applied in the Chainlink script. The script multiplies the house price by 100 to prevent precision issues, but the contract does not adjust for this, leading to incorrect price updates and potential misconfigurations.

Vulnerability Details

The issue arises in the `_processResponse` function, which decodes the price directly from the response without adjusting for the scaling factor:

```solidity
// @audit-issue the price is 100 times larger
function _processResponse(bytes memory response) internal override {
    uint256 price = abi.decode(response, (uint256));
    housePrices.setHousePrice(lastHouseId, price);
    emit HousePriceUpdated(lastHouseId, price);
}
```

Code Reference: https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/oracles/RAACHousePriceOracle.sol#L43

However, the Chainlink script applies a multiplication factor of 100 before encoding the price:

```javascript
const houseId = args[0]
const API_URL = `http://34.226.139.10:3000/v1/houses/${houseId}`
const housePriceRequest = await Functions.makeHttpRequest({
  url: API_URL,
  headers: { Authorization: `Bearer ${secrets.apiKey}` },
})
if (!housePriceRequest.data) {
  console.log(housePriceRequest)
  throw new Error("Failed to fetch house price data from the API.")
}
// The response from the API is expected to be in JSON format
const housePrice = housePriceRequest.data.price
// @audit-issue Multiply by 100 to convert the price to an integer
return Functions.encodeUint256(housePrice * 100)
```

Code Reference: https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/chainlink-api/house-price-api.js#L48

Steps leading to the problem

  1. The Chainlink script fetches the house price from an API.

  2. Before returning the price, the script multiplies it by 100 to maintain precision.

  3. The contract receives the response but does not divide the price by 100 before storing it.

  4. As a result, the stored house price is 100 times larger than expected, leading to inaccurate price settings.
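
The round trip in these steps, modelled as an added example (not code from the RAAC repository or from this submission). `encodeUint256` and `decodeUint256` are stand-ins for `Functions.encodeUint256` and `abi.decode`, the other function names are hypothetical, and the sample price is constructed.

```javascript
// Added example: constructed model of the oracle round trip, not project code.
const SCALE = 100n; // factor the off-chain script applies before encoding

// Stand-in for Functions.encodeUint256: one 32-byte big-endian word, as hex.
function encodeUint256(value) {
  const n = BigInt(value);
  if (n < 0n || n >= (1n << 256n)) throw new RangeError("not a uint256");
  return "0x" + n.toString(16).padStart(64, "0");
}

// Stand-in for abi.decode(response, (uint256)).
function decodeUint256(hex) {
  if (!/^0x[0-9a-f]{64}$/i.test(hex)) throw new Error("expected one 32-byte word");
  return BigInt(hex);
}

// Off-chain side: the script returns the API price multiplied by 100.
// Math.round is an assumption of this model so the encoder receives an integer.
function scriptResponse(apiPrice) {
  return encodeUint256(Math.round(apiPrice * 100));
}

// On-chain side as reported: the decoded value is stored untouched.
function storeAsReported(response) {
  return decodeUint256(response);
}

// On-chain side as recommended: divide by the script's factor.
// BigInt division truncates, like Solidity's uint256 division.
function storeAsRecommended(response) {
  return decodeUint256(response) / SCALE;
}

// Unit check a test suite can pin: stored value equals the API price in whole units.
function storedMatchesApi(stored, apiPrice) {
  return stored === BigInt(Math.trunc(apiPrice));
}

const SAMPLE_API_PRICE = 250000.5; // constructed sample value
const response = scriptResponse(SAMPLE_API_PRICE);
console.log("reported   :", storeAsReported(response), storedMatchesApi(storeAsReported(response), SAMPLE_API_PRICE));
console.log("recommended:", storeAsRecommended(response), storedMatchesApi(storeAsRecommended(response), SAMPLE_API_PRICE));
```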

Impact

  • Incorrect House Prices: The house prices stored in the contract will be 100 times larger than the actual intended values.

  • Financial Misconfigurations: Any contracts relying on these prices may experience incorrect calculations, leading to financial discrepancies.

Tools Used

Manual Review

Recommendations

To resolve this issue, the contract should divide the received price by 100 before storing it via `setHousePrice`, so that the stored price matches the expected real-world value:

function _processResponse(bytes memory response) internal override {
uint256 price = abi.decode(response, (uint256));
- housePrices.setHousePrice(lastHouseId, price);
+ housePrices.setHousePrice(lastHouseId, price / 100); // Adjust for scaling
emit HousePriceUpdated(lastHouseId, price);
}
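
Review bot: the `emit HousePriceUpdated(lastHouseId, price);` line is left unchanged, so after this fix the event still reports the value multiplied by 100 while storage holds `price / 100`. Compute the adjusted value once and pass it to both `setHousePrice` and the event so off-chain consumers of the event see the same number as on-chain readers. Integer division by 100 also discards the two decimal digits that the script's multiplication was meant to carry, so confirm which unit the consumers of `housePrices` expect, and consider a named constant for the factor rather than a bare `100`.
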
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACHousePriceOracle::_processResponse doesn't account for the price scaling applied by Chainlink Functions
