Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Updating the price of one RAAC House in `RAACHousePrices` sets the `lastUpdateTimestamp` for all to block.timestamp

[M-03] Updating the price of one RAAC House in RAACHousePrices sets the lastUpdateTimestamp for all to block.timestamp

Summary

The `RAACHousePrices` contract contains a critical design flaw: updating the price of one RAAC House overwrites the single last-update timestamp shared by all houses. This creates misleading information about price freshness across different properties, potentially affecting market decisions and trust in the system.

Vulnerability Details

The issue stems from the contract's architecture where a single global timestamp variable tracks updates across all properties:

```solidity
contract RAACHousePrices is Ownable {
    /// @notice Mapping from RAAC tokenId to house price in USD
    mapping(uint256 => uint256) public tokenToHousePrice;
    address public oracle;

    /// @notice Timestamp of the last price update
@>  uint256 public lastUpdateTimestamp;
    //@audit med, lastUpdateTimestamp is the same for every house price; this could mislead buyers into thinking the prices of all tokenIds are updated when only one of them is updated.

    /// @notice Emitted when a price is updated
    event PriceUpdated(uint256 tokenId, uint256 newPrice);

    /**
     * @notice Allows the owner to set the house price for a token
     * @param _tokenId The ID of the RAAC token
     * @param _amount The price to set for the house in USD
     *
     * Updates timestamp for each token individually
     */
    function setHousePrice(
        uint256 _tokenId,
        uint256 _amount
    ) external onlyOracle {
        tokenToHousePrice[_tokenId] = _amount;
@>      lastUpdateTimestamp = block.timestamp;
        emit PriceUpdated(_tokenId, _amount);
    }
}
```

Impact Analysis

The impact of this vulnerability is that it creates misleading information about price freshness across different properties. When a single house price is updated, the global timestamp makes it appear as though all house prices were recently updated, even though they may be stale. This could lead to buyers making decisions based on incorrect assumptions about price freshness, potentially affecting market dynamics and trust in the system. For example, if a buyer sees that the last update timestamp is recent, they might assume all house prices are current market values, when in reality some prices might be weeks or months old. This could result in buyers overpaying for properties with stale prices or missing good deals on recently updated properties, as they cannot distinguish between fresh and stale prices.

Tools Used

Manual Review

Recommendations

Implement Per-Token Timestamp Tracking

```solidity
contract RAACHousePrices is Ownable {
    mapping(uint256 => uint256) public tokenToHousePrice;
    address public oracle;

    // Track last update time for each token individually
    mapping(uint256 => uint256) public tokenLastUpdateTimestamp;

    event PriceUpdated(uint256 tokenId, uint256 newPrice);

    function setHousePrice(
        uint256 _tokenId,
        uint256 _amount
    ) external onlyOracle {
        tokenToHousePrice[_tokenId] = _amount;
        tokenLastUpdateTimestamp[_tokenId] = block.timestamp; // Update specific token's timestamp
        emit PriceUpdated(_tokenId, _amount);
    }
}
```

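Per-token timestamps also let the contract enforce freshness for each house instead of leaving it to the reader. The contract below is an added example, not RAAC project code; the contract name, `getLatestPrice`, `getFreshPrice`, the custom errors and the one-day `MAX_PRICE_AGE` bound are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration, not RAAC project code. All names below are hypothetical.
contract HousePricesWithFreshness {
    struct PriceData {
        uint256 price;     // house price in USD
        uint256 updatedAt; // block.timestamp of this token's own last update
    }

    error NotOracle();
    error PriceNotSet(uint256 tokenId);
    error StalePrice(uint256 tokenId, uint256 updatedAt);

    /// Assumed staleness bound; choose a value that matches the oracle's update cadence.
    uint256 public constant MAX_PRICE_AGE = 1 days;

    address public immutable oracle;
    mapping(uint256 => PriceData) private _prices;

    event PriceUpdated(uint256 indexed tokenId, uint256 newPrice);

    constructor(address _oracle) {
        oracle = _oracle;
    }

    modifier onlyOracle() {
        if (msg.sender != oracle) revert NotOracle();
        _;
    }

    /// Writes the price and the timestamp for this token only.
    function setHousePrice(uint256 _tokenId, uint256 _amount) external onlyOracle {
        _prices[_tokenId] = PriceData({price: _amount, updatedAt: block.timestamp});
        emit PriceUpdated(_tokenId, _amount);
    }

    /// Raw read: the price with its own timestamp, so the caller can judge freshness.
    function getLatestPrice(uint256 _tokenId) external view returns (uint256, uint256) {
        PriceData memory d = _prices[_tokenId];
        return (d.price, d.updatedAt);
    }

    /// Checked read: reverts for a token that was never priced or whose price is too old.
    function getFreshPrice(uint256 _tokenId) external view returns (uint256) {
        PriceData memory d = _prices[_tokenId];
        if (d.updatedAt == 0) revert PriceNotSet(_tokenId);
        if (block.timestamp - d.updatedAt > MAX_PRICE_AGE) revert StalePrice(_tokenId, d.updatedAt);
        return d.price;
    }
}
```

With this layout, updating token 1 leaves the `updatedAt` of token 2 untouched, so `getFreshPrice(2)` still reverts once token 2's own price exceeds the age bound.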
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
