Core Contracts

Summary

One of the key features of the RAAC protocol is the ability to mint your own real estate assets. This process is described in the documentation:

User Flows

Tokenizing a Property

1. The user owns a property worth 10,000 crvUSD.

2. They provide the necessary collateral.

3. An NFT representing the property is minted (spending those 10,000 crvUSD).

The price of the real estate on-chain is determined through Chainlink oracles. When the price is fetched, it is set in the RAACHousePrice contract.

Vulnerability Details

This process can be exploited through frontrunning when minting a property.

Proof of Concept (PoC):

1. Alice owns a property worth 100,000 crvUSD.

2. The property gets listed as the price is fetched from the oracle.

3. Alice provides the necessary collateral.

4. Bob carefully monitors the mempool and notices Alice’s mint transaction.

5. Bob frontruns Alice by submitting his transaction first with the required collateral.

6. Bob successfully mints and takes ownership of Alice's estate within the protocol.

Impact

This vulnerability disrupts the intended process of tokenizing a user's own real estate, as the user no longer retains ownership after minting. Most users tokenize their property expecting future profitability.

1. The user incurs financial loss due to swap fees for the collateral. If the real estate is expensive, these fees can be significant.

2. If the property was expected to appreciate in value, the malicious actor (Bob) now benefits from this increase instead of the rightful owner.

Tools Used

Manual review

Recommendations

Make mapping that maps the estate owner to every tokenId