Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Missing Price Staleness Check in the `getNFTPrice()` Function of the `LendingPool` Contract

Summary

The LendingPool contract relies on getNFTPrice() to retrieve NFT prices for borrowing, liquidation, and collateral calculations. The current implementation, however, never checks how old the returned price is, so an outdated or incorrect price can be used during these key actions.

Vulnerability Details

Core issue: Missing price staleness check

  • Affected Function: getNFTPrice() used in the LendingPool contract for operations such as borrowing, liquidation, and collateral ratio calculation.

  • Issue: The function retrieves NFT prices without verifying that the price is recent. Although its NatSpec states that it checks for staleness, the lastUpdateTimestamp returned by the oracle is never examined. If the price oracle is outdated, every operation that relies on the price, such as borrowing or liquidating assets, is affected.

contracts/core/pools/LendingPool/LendingPool.sol:getNFTPrice#L592

```solidity
/**
 * @notice Gets the current price of an NFT from the oracle
 * @param tokenId The token ID of the NFT
 * @return The price of the NFT
 *
 * Checks if the price is stale
 */
function getNFTPrice(uint256 tokenId) public view returns (uint256) {
    (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
    // @audit: lack of check if the price is stale
    if (price == 0) revert InvalidNFTPrice();
    return price;
}
```

Impact

  • Inaccurate Borrowing Decisions: Using outdated prices could lead to incorrect lending or borrowing decisions, exposing the system to financial risks.

  • Increased Risk of Liquidation Errors: Stale prices may cause incorrect liquidation decisions, possibly allowing under-collateralized loans to remain active or incorrectly triggering liquidations.

  • Arbitrage Vulnerabilities: Attackers could exploit stale prices for arbitrage opportunities, profiting from price discrepancies.

Tools Used

Manual code review

Recommendations

To mitigate the risks associated with stale prices, it is recommended to add a price staleness check within the getNFTPrice() function. If the price is older than a configured expiry period (for example, PRICE_EXPIRY_PERIOD), the function should revert with a dedicated error (for example, StalePriceError), ensuring that only fresh prices are used in critical operations.

The following changes should be implemented:

```diff
 function getNFTPrice(uint256 tokenId) public view returns (uint256) {
     (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
     if (price == 0) revert InvalidNFTPrice();
     // @audit Add staleness check
+    if (block.timestamp - lastUpdateTimestamp > PRICE_EXPIRY_PERIOD) {
+        revert StalePriceError();
+    }
     return price;
 }
```
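As an added example (not code from the RAAC code base), a hardened getNFTPrice() next to a constructed mock oracle so the check can be exercised in a Hardhat test. The names IPriceOracle, MockPriceOracle and NFTPriceConsumer and the one-hour PRICE_EXPIRY_PERIOD are assumptions; the example goes beyond the page's diff by also rejecting never-updated (timestamp 0) and future-dated timestamps, and by ordering the checks so the subtraction cannot underflow.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Oracle interface shaped after the page's priceOracle.getLatestPrice(tokenId) call; the name is an assumption.
interface IPriceOracle {
    function getLatestPrice(uint256 tokenId) external view returns (uint256 price, uint256 lastUpdateTimestamp);
}

// Constructed mock so the consumer below can be exercised in a Hardhat test.
contract MockPriceOracle is IPriceOracle {
    mapping(uint256 => uint256) private prices;
    mapping(uint256 => uint256) private timestamps;

    function setPrice(uint256 tokenId, uint256 price, uint256 updatedAt) external {
        prices[tokenId] = price;
        timestamps[tokenId] = updatedAt;
    }

    function getLatestPrice(uint256 tokenId) external view returns (uint256, uint256) {
        return (prices[tokenId], timestamps[tokenId]);
    }
}

contract NFTPriceConsumer {
    error InvalidNFTPrice();
    error StalePriceError(uint256 tokenId, uint256 lastUpdateTimestamp);

    // Assumed value; size it to the oracle's real update cadence.
    uint256 public constant PRICE_EXPIRY_PERIOD = 1 hours;
    IPriceOracle public immutable priceOracle;

    constructor(IPriceOracle oracle) {
        priceOracle = oracle;
    }
    /// @notice Returns the oracle price only if it is non-zero and was updated
    ///         within PRICE_EXPIRY_PERIOD of the current block.
    function getNFTPrice(uint256 tokenId) public view returns (uint256) {
        (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
        if (price == 0) revert InvalidNFTPrice();
        // A never-set entry reports timestamp 0 and a future timestamp means a broken
        // oracle; reject both before subtracting so the subtraction cannot underflow.
        if (lastUpdateTimestamp == 0 || lastUpdateTimestamp > block.timestamp) {
            revert StalePriceError(tokenId, lastUpdateTimestamp);
        }
        if (block.timestamp - lastUpdateTimestamp > PRICE_EXPIRY_PERIOD) {
            revert StalePriceError(tokenId, lastUpdateTimestamp);
        }
        return price;
    }
}
```

In a Hardhat test, set `updatedAt` more than an hour behind the current block and expect `StalePriceError`, then set it within the hour and expect the price back. Reverting on staleness also halts liquidations while the oracle is down, so the expiry period and the oracle's update cadence have to be chosen together.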
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
