Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Same lastUpdateTimestamp used for all the raacNFT tokenIds

Summary

Every call to setHousePrice overwrites the single lastUpdateTimestamp, but lastUpdateTimestamp should be token-specific.

Vulnerability Details

The setHousePrice function overwrites the update time that was recorded for the previous _tokenId.

    function setHousePrice(
        uint256 _tokenId,
        uint256 _amount
    ) external onlyOracle {
        tokenToHousePrice[_tokenId] = _amount;
        // One contract-wide value: every token's update overwrites it.
        lastUpdateTimestamp = block.timestamp;
        emit PriceUpdated(_tokenId, _amount);
    }

This causes an issue when retrieving the token price from getLatestPrice.

    function getLatestPrice(
        uint256 _tokenId
    ) external view returns (uint256, uint256) {
        // The price is per token, but the timestamp is the global one.
        return (tokenToHousePrice[_tokenId], lastUpdateTimestamp);
    }

Consider tokenId1 updated at timestamp1 and tokenId2 updated at timestamp2. getLatestPrice then returns tokenId1 as updated at timestamp2, which is incorrect. As a result, price staleness checking cannot be done.

Impact

getLatestPrice returns an incorrect update time, so price staleness cannot be validated.

Tools Used

Manual review

Recommendations

Use a token-specific timestamp variable, such as a struct, to set the price and timestamp together.
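
One way to apply this recommendation, as an added example that is not the RAAC project's code: the price and its timestamp are stored together per token, so a consumer can check staleness for the token it cares about. The contract name PerTokenHousePrices, the PriceData struct, the isStale helper, the custom errors, the event declaration and the constructor-set oracle are assumptions; only setHousePrice and getLatestPrice mirror the functions shown in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration of the recommendation, not the RAAC project's code.
// PerTokenHousePrices, PriceData, isStale and the constructor-set oracle are
// assumed names; only setHousePrice/getLatestPrice mirror the finding.
contract PerTokenHousePrices {
    struct PriceData {
        uint256 price;
        uint256 updatedAt; // timestamp of this token's last price update
    }

    address public immutable oracle; // assumption: single trusted updater
    mapping(uint256 => PriceData) private priceData;

    event PriceUpdated(uint256 tokenId, uint256 newPrice);

    error NotOracle();
    error PriceNeverSet(uint256 tokenId);

    modifier onlyOracle() {
        if (msg.sender != oracle) revert NotOracle();
        _;
    }

    constructor(address _oracle) {
        oracle = _oracle;
    }

    function setHousePrice(uint256 _tokenId, uint256 _amount) external onlyOracle {
        // Price and timestamp are written together, keyed by token.
        priceData[_tokenId] = PriceData({price: _amount, updatedAt: block.timestamp});
        emit PriceUpdated(_tokenId, _amount);
    }

    function getLatestPrice(uint256 _tokenId) external view returns (uint256, uint256) {
        PriceData memory d = priceData[_tokenId];
        return (d.price, d.updatedAt);
    }

    // Consumer-side staleness check that per-token timestamps make possible.
    function isStale(uint256 _tokenId, uint256 _maxAge) external view returns (bool) {
        uint256 updatedAt = priceData[_tokenId].updatedAt;
        if (updatedAt == 0) revert PriceNeverSet(_tokenId); // never priced
        return block.timestamp - updatedAt > _maxAge;
    }
}
```

With this layout, updating tokenId2 leaves the timestamp returned for tokenId1 unchanged, and a token that was never priced reverts instead of borrowing another token's timestamp.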

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
