The code fetches the latest price and timestamp from the oracle but only checks if the price is zero. If the oracle hasn't been updated recently, the price could be outdated. For example, if the NFT's market value dropped but the oracle still reports an old, higher price, borrowers could use this inflated value to borrow more than they should. This leads to undercollateralized loans because the collateral isn't worth as much as the protocol thinks.
no stale timestamp check
The code validates that the price is non-zero but does not verify whether the price is recent. Oracles can fail to update due to technical issues.
Undercollateralized Loans:
Example:
NFT market price drops from 100 ETH to 50 ETH, but the oracle still reports 100 ETH (stale).
Borrower uses outdated price to borrow 80 ETH (80% of 100 ETH).
Actual collateral value (50 ETH) is insufficient to cover the loan.
Protocol faces losses if the borrower defaults.
manual review
check for stale price
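One way to implement the recommended check, as an added example that is not the audited protocol's code. The `INftPriceOracle` interface, `getLatestPrice`, `maxPriceAge` and the contract name are hypothetical; the finding only states that the oracle returns a price and a timestamp, and the 80% ratio is taken from the example above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical oracle interface (assumption): the finding only says the
// oracle returns a price and a timestamp.
interface INftPriceOracle {
    function getLatestPrice(address collection)
        external
        view
        returns (uint256 price, uint256 updatedAt);
}

contract StalePriceGuard {
    error ZeroPrice();
    error FutureTimestamp(uint256 updatedAt);
    error StalePrice(uint256 updatedAt, uint256 maxAge);

    INftPriceOracle public immutable oracle;
    // Assumed parameter: longest acceptable gap since the last oracle update.
    uint256 public immutable maxPriceAge;
    // 80% loan-to-value, matching the finding's example.
    uint256 public constant LTV_BPS = 8_000;

    constructor(INftPriceOracle oracle_, uint256 maxPriceAge_) {
        require(maxPriceAge_ != 0, "maxPriceAge=0");
        oracle = oracle_;
        maxPriceAge = maxPriceAge_;
    }

    // Returns the oracle price only if it is non-zero and recent enough.
    function freshPrice(address collection) public view returns (uint256 price) {
        uint256 updatedAt;
        (price, updatedAt) = oracle.getLatestPrice(collection);
        if (price == 0) revert ZeroPrice();
        // A timestamp ahead of the block would underflow the age
        // subtraction below, so reject it with an explicit error.
        if (updatedAt > block.timestamp) revert FutureTimestamp(updatedAt);
        if (block.timestamp - updatedAt > maxPriceAge) {
            revert StalePrice(updatedAt, maxPriceAge);
        }
    }

    // Borrow limit derived only from a fresh price; reverts on stale data.
    function maxBorrow(address collection) external view returns (uint256) {
        return (freshPrice(collection) * LTV_BPS) / 10_000;
    }
}
```

`maxPriceAge` should be set from the oracle's expected update interval, since a value much larger than that interval reopens the window described in the finding.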