Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Inadequate Stale Price Validation in LendingPool's getNFTPrice Function

igdbaxe

Impact

The getNFTPrice function in the LendingPool contract is intended to verify that NFT price data is fresh by checking for stale prices. However, it only checks that the returned price is non-zero without validating the freshness of the data using the lastUpdateTimestamp. This oversight means that outdated or stale price data can be accepted and used in critical financial computations such as collateral evaluations. Exploiting this flaw, an attacker (or misconfigured oracle) could deliberately delay price updates to supply outdated data, potentially resulting in under-collateralized loans, erroneous liquidations, or other economic manipulations within the lending protocol.

Proof of Concept

  • Affected Code:

    • LendingPool.getNFTPrice

      function getNFTPrice(uint256 tokenId) public view returns (uint256) {
      (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
      if (price == 0) revert InvalidNFTPrice();
      return price;
      }

      Observation: The function comments indicate that a stale price check is performed, but the actual implementation only validates that the price is nonzero.

    • RAACHousePrices.getLatestPrice

      function getLatestPrice(
      uint256 _tokenId
      ) external view returns (uint256, uint256) {
      return (tokenToHousePrice[_tokenId], lastUpdateTimestamp);
      }

      Observation: This implementation returns the last update timestamp but does not enforce any threshold to determine if the price is stale.

  • Exploitation Scenario:
    An attacker or misconfigured oracle could intentionally postpone updates to the NFT
    price data. Since the getNFTPrice function does not validate the lastUpdateTimestamp,
    the system could end up using stale price information. This outdated data may
    significantly differ from the current market value, leading to erroneous collateral
    valuations and enabling attacks such as under-collateralized borrowing or wrongful
    liquidations.

Tools Used

  • Manual Code Review

Recommended Mitigation Steps

Implement a Staleness Check:
Add logic in the getNFTPrice function (or in the oracle) to compare block.timestamp with lastUpdateTimestamp. Define an acceptable time window (e.g., 5 minutes) beyond which the price data is considered stale and should trigger a revert.

function getNFTPrice(uint256 tokenId) public view returns (uint256) {
(uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
if (price == 0) revert InvalidNFTPrice();
// Ensure that the price is not stale
if (block.timestamp - lastUpdateTimestamp > MAX_ALLOWED_STALE_TIME) {
revert StaleNFTPrice();
}
return price;
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!