In the LendingPool.sol contract the getNFTPrice function is missing a stale price check, which can lead to inaccurate valuations of NFTs.
The vulnerability arises from the absence of a stale price check in the getNFTPrice function. The function uses whatever price the oracle last reported without verifying when that price was last updated, so it may return an outdated value for an NFT and produce an incorrect valuation. This is particularly problematic in volatile markets, where NFT prices can change rapidly. Using stale prices can result in over- or under-collateralization, affecting the overall stability and fairness of the lending protocol.
If the getNFTPrice function returns stale prices, users may be able to borrow more than they should be allowed to, based on outdated high valuations. Conversely, users may be unfairly liquidated if the price used is outdated and lower than the current market value. This can lead to financial losses for both the protocol and its users, undermining trust in the system.
Manual Review
To mitigate this vulnerability, implement a stale price check in the getNFTPrice function. This can be done by verifying the timestamp of the price data and ensuring it is within an acceptable range. If the price data is too old, the function should revert or fetch a new price.
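The following contract is an added illustration of the recommendation above; it is not code from LendingPool.sol or from the audited project. It places the unchecked pattern beside a hardened getNFTPrice that reverts when the reported price is older than a configured maximum age. The page does not name the oracle LendingPool reads from, so the IPriceFeed interface (shaped like a Chainlink-style latestRoundData feed), the feeds mapping, the MockFeed and the maxPriceAge value are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed oracle interface, modelled on the Chainlink AggregatorV3Interface shape.
// The page does not state which price source LendingPool.sol actually uses.
interface IPriceFeed {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract NFTPriceConsumer {
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error InvalidPrice(int256 answer);
    error FeedNotSet(address nft);
    error NotOwner();

    address public immutable owner;

    // Longest age a price may have before it is treated as stale. The value passed
    // in by the deployer is a placeholder; derive it from the feed's documented
    // update interval (heartbeat) plus a safety margin.
    uint256 public immutable maxPriceAge;

    // NFT collection => price feed (hypothetical; the page does not show how
    // LendingPool stores its feeds).
    mapping(address => IPriceFeed) public feeds;

    constructor(uint256 _maxPriceAge) {
        owner = msg.sender;
        maxPriceAge = _maxPriceAge;
    }

    function setFeed(address nft, IPriceFeed feed) external {
        if (msg.sender != owner) revert NotOwner();
        feeds[nft] = feed;
    }

    // Vulnerable pattern: returns whatever the feed last reported, however old.
    // A feed that stopped updating keeps valuing collateral at its last price.
    function getNFTPriceUnchecked(address nft) external view returns (uint256) {
        (, int256 answer,,,) = feeds[nft].latestRoundData();
        return uint256(answer);
    }

    // Hardened pattern: refuses to value an NFT from a price that is non-positive
    // or older than maxPriceAge. Reverting is the option recommended above;
    // borrowing and liquidation paths that call this will fail closed instead of
    // acting on an outdated valuation.
    function getNFTPrice(address nft) public view returns (uint256) {
        IPriceFeed feed = feeds[nft];
        if (address(feed) == address(0)) revert FeedNotSet(nft);

        (, int256 answer,, uint256 updatedAt,) = feed.latestRoundData();

        if (answer <= 0) revert InvalidPrice(answer);
        // updatedAt == 0 means the feed never completed a round; block.timestamp is
        // always >= a real updatedAt, so the subtraction cannot underflow otherwise.
        if (updatedAt == 0 || block.timestamp - updatedAt > maxPriceAge) {
            revert StalePrice(updatedAt, maxPriceAge);
        }
        return uint256(answer);
    }
}

// Constructed mock feed so the two paths can be exercised in a local test:
// deploy, call set(price, updatedAt) with an old timestamp, and observe that
// getNFTPriceUnchecked still returns the price while getNFTPrice reverts.
contract MockFeed is IPriceFeed {
    int256 private _answer;
    uint256 private _updatedAt;

    function set(int256 answer, uint256 updatedAt) external {
        _answer = answer;
        _updatedAt = updatedAt;
    }

    function latestRoundData()
        external
        view
        override
        returns (uint80, int256, uint256, uint256, uint80)
    {
        return (1, _answer, _updatedAt, _updatedAt, 1);
    }
}
```

The staleness bound should be set per feed rather than as one global constant when the protocol accepts collections whose feeds update at different rates; a single value that is tight enough for a frequently updated feed will cause spurious reverts on a slow one, and a value loose enough for the slow feed silently re-introduces the problem on the fast one.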