Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Stale Price Check Missing in `RAACNFT` NFT Minting

Summary

In the `RAACNFT::mint()` function, the price for a given `_tokenId` NFT is fetched from `RAACHousePrices::tokenToHousePrice()`, but there is no check to verify whether the price is stale. If the price is outdated and lower than the actual price, buyers may end up paying less than intended for the NFT.

Vulnerability Details

The `RAACNFT::mint()` function relies on `RAACHousePrices::tokenToHousePrice()` to retrieve the price for a given NFT `_tokenId`. However, it does not validate that the returned price is current. If the price is stale and lower than the actual price, the buyer can mint the NFT at a discount, which could lead to financial losses.

Impact

The absence of a stale price check can result in buyers paying less than intended for NFTs.

Tools Used

VS Code

Recommendations

Implement a check to ensure the price retrieved from `RAACHousePrices::tokenToHousePrice()` is not stale.
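One way to implement this check, as an added example that is not the project's own code. It assumes the price oracle also exposes a per-token last-update timestamp; the `lastUpdatedAt` getter, the `maxPriceAge` policy value, and the `StalePriceGuard` contract are hypothetical names introduced for illustration. `mint()` would read the price through `freshPrice()` before charging the buyer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical oracle interface. Only tokenToHousePrice() is named in the
// finding; the timestamp getter is an ASSUMPTION made for this example.
interface IHousePricesWithTimestamp {
    function tokenToHousePrice(uint256 tokenId) external view returns (uint256);
    function lastUpdatedAt(uint256 tokenId) external view returns (uint256); // assumed
}

contract StalePriceGuard {
    IHousePricesWithTimestamp public immutable prices;
    // Maximum accepted age of a price in seconds (assumed policy value, e.g. 1 days).
    uint256 public immutable maxPriceAge;

    error PriceNotSet(uint256 tokenId);
    error StalePrice(uint256 tokenId, uint256 updatedAt, uint256 maxAge);

    constructor(IHousePricesWithTimestamp _prices, uint256 _maxPriceAge) {
        prices = _prices;
        maxPriceAge = _maxPriceAge;
    }

    /// @notice Returns the price only if it is set and recent enough; reverts otherwise.
    function freshPrice(uint256 tokenId) public view returns (uint256 price) {
        price = prices.tokenToHousePrice(tokenId);
        if (price == 0) revert PriceNotSet(tokenId);

        uint256 updatedAt = prices.lastUpdatedAt(tokenId);
        // updatedAt == 0 means the price was never timestamped. A timestamp in
        // the future is rejected too, so the subtraction cannot underflow.
        if (
            updatedAt == 0 ||
            updatedAt > block.timestamp ||
            block.timestamp - updatedAt > maxPriceAge
        ) {
            revert StalePrice(tokenId, updatedAt, maxPriceAge);
        }
    }
}
```

The same guard applies anywhere the price is consumed, so a single shared helper avoids one call site validating freshness while another does not.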

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
