The vulnerability occurs because the getNFTPrice function only verifies that the retrieved price is non-zero, without checking if the associated timestamp is recent. This oversight means that outdated price data could be used for collateral valuation, potentially leading to loans based on inflated collateral values or causing unfair liquidations. A mitigation strategy is to enforce a maximum allowable age for the price data, such as rejecting prices older than one day.
Lack of Recency Check:
The getNFTPrice function retrieves both the NFT's price and the timestamp of its last update from the oracle, but it only checks that the price is non-zero. It fails to verify whether the retrieved price is recent.
Misvalued Collateral:
Outdated price data can lead to incorrect assessments of an NFT's value, resulting in collateral being overvalued or undervalued.
Loan Overextension:
Borrowers might secure loans exceeding the true value of their collateral if stale, inflated prices are used, increasing the risk of defaults.
Unfair Liquidations:
Users may face unwarranted liquidations if the NFT price has declined but the protocol still relies on an outdated, higher valuation.
Economic Exploitation:
In volatile markets, adversaries might manipulate price updates or delay them to exploit the system, potentially causing significant financial losses for the protocol and its users.
manual review
Implement a Recency Check:
Modify the getNFTPrice function to enforce a maximum allowable age for price data. Introduce a constant (e.g., MAX_PRICE_AGE = 1 days) and revert the transaction if the price timestamp is older than this threshold.
Enhance Oracle Reliability:
Consider integrating multiple oracle sources or a time-weighted average price (TWAP) mechanism to mitigate risks associated with stale or manipulated price data.
Regular Oracle Updates:
Ensure that the oracle is updated frequently enough to reflect current market conditions. Implement monitoring and alerting systems to detect when updates are delayed.
Fallback Mechanisms:
Develop a fallback mechanism that either uses an alternative oracle or temporarily pauses lending activities if the price data becomes unreliable or outdated.
```solidity
function getNFTPrice(uint256 tokenId) public view returns (uint256 price) {
    // Declared up front: Solidity does not allow mixing a declaration with an
    // assignment to an existing variable inside one tuple destructuring.
    uint256 lastUpdateTimestamp;
    (price, lastUpdateTimestamp) = getLatestPrice(tokenId);
    require(price != 0, "InvalidNFTPrice: Price is zero");
    // Recency check: reject price data older than MAX_PRICE_AGE (e.g. 1 days).
    require(block.timestamp - lastUpdateTimestamp <= MAX_PRICE_AGE, "InvalidNFTPrice: Price data is too old");
    return price;
}
```
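A self-contained version of the vulnerable pattern beside the recency-checked fix, added here as an example and not taken from the audited project; the oracle interface, the `NFTCollateralValuer` contract, the custom errors and the mock oracle are assumptions for local testing (e.g. in Foundry or Remix).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical oracle interface; the finding does not define where getLatestPrice reads from.
interface INFTPriceOracle {
    function getLatestPrice(uint256 tokenId)
        external view returns (uint256 price, uint256 lastUpdateTimestamp);
}

contract NFTCollateralValuer {
    uint256 public constant MAX_PRICE_AGE = 1 days;
    INFTPriceOracle public immutable oracle;

    error StalePriceData(uint256 tokenId, uint256 age);

    constructor(INFTPriceOracle _oracle) { oracle = _oracle; }

    // Vulnerable pattern from the finding: any non-zero price is accepted, however old.
    function getNFTPriceUnchecked(uint256 tokenId) public view returns (uint256 price) {
        (price, ) = oracle.getLatestPrice(tokenId);
        require(price != 0, "InvalidNFTPrice: Price is zero");
    }

    // Hardened: a stale price reverts. The future-timestamp guard turns a misconfigured
    // oracle into a clear error instead of an arithmetic underflow revert.
    function getNFTPrice(uint256 tokenId) public view returns (uint256 price) {
        uint256 lastUpdateTimestamp;
        (price, lastUpdateTimestamp) = oracle.getLatestPrice(tokenId);
        require(price != 0, "InvalidNFTPrice: Price is zero");
        require(lastUpdateTimestamp <= block.timestamp, "InvalidNFTPrice: Timestamp in future");
        uint256 age = block.timestamp - lastUpdateTimestamp;
        if (age > MAX_PRICE_AGE) revert StalePriceData(tokenId, age);
    }
}

// Constructed mock oracle: lets a test set an arbitrary (e.g. two-day-old) timestamp
// and confirm that getNFTPriceUnchecked still returns the price while getNFTPrice reverts.
contract MockNFTPriceOracle is INFTPriceOracle {
    mapping(uint256 => uint256) private prices;
    mapping(uint256 => uint256) private updatedAt;

    function setPrice(uint256 tokenId, uint256 price, uint256 timestamp) external {
        prices[tokenId] = price;
        updatedAt[tokenId] = timestamp;
    }

    function getLatestPrice(uint256 tokenId) external view returns (uint256, uint256) {
        return (prices[tokenId], updatedAt[tokenId]);
    }
}
```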