Core Contracts

Summary

RAACHousePriceOracle rely on last value state variable to set a house price when it received a response from a request which could assign the wrong price response to a house.

Vulnerability Details

In RAACHousePriceOracle.sol , the _beforeFulfillfunction update the lastHouseId state variable which is later used in the _processResponsefunction to set a house price with the price response received. This is problematic, if there are multiple ongoing oracle request at the same time as there is no guarantee that a request will be fulfilled immediately right after it is requested.

Below is a snippet of the _beforeFulFilland _processResponse functions:

Consider a scenario where 2 requests for house prices are sent in quick succession:

1. Request 1 is sent for houseId = 101. _beforeFulfill updates lastHouseId to 101.

2. Request 2 is sent for houseId = 102. _beforeFulfill updates lastHouseId to 102.

3. The oracle fulfills Request 2, houseId = 102price is set to price from Request 2

4. The oracle fulfills Request 1, houseId = 102price is set to price from Request 1

In this case, the houseId 101 price does not change while houseId 102 price is updated to the new houseId 101 price from Request 1.

Impact

Wrong prices can assigned to houses which would then be undervalued or overvalued. This houses can determine the total collateral of users which in turn determines the health factor of users in the lending pool. This could cause denial of liquidation or unexpected liquidation for users.

Tools Used

Manual review

Recommendations

Make use of requestId parameter from Chainlink Functions to determine the response of a request