getNFTPrice in LendingPool has no checks in place to check for stale prices
Description
LendingPool::getNFTPrice is supposed to check if the provided price for given NFT is current enough for any action relying on the function, and probably, if not, revert. Even though the natspec highlights this functionality, the function fails to implement this logic.
Vulnerable Code
LendingPool::getNftPrice
As you can see in the natspec and the code, the function should perform a staleness check, fetched the lastUpdateTimestamp but in the end, no checks on the staleness are performed.
Impact
No stale data check can leave the property not updated for extensive periods of time. The impact arising is, that the NFT could have gained or lost value since it was last updated, but since no timeframe is enforced the last update could be weeks, months, years or decades old. The result of this is that the real fair value of this NFT might be over- or underestimated in current state, so either a user which would be due to liquidation would not be liquidatable or potentially missing out on gains his NFT would usually have provided. Either way, the protocol should implement proposed staleness check from the natspec to ensure that no action regarding the NFT can be taken until the price is evaluated in a current past, to prevent harm from protocol or user.
Tools Used
Manual Review
Recommended Mitigation
Lead Judging Commences
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.