Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

RAACPrimeRateOracle integration lacks any checks on data integrity

Description

RAACPrimeRateOracle is supposed to deliver reliable data for rate adjustments within the LendingPool, but it lacks any sanity checks on the value itself, on when the value was last updated, or on whether the oracle is still working at all.

Vulnerability Details

RAACPrimeRateOracle::_processResponse

```solidity
function _processResponse(bytes memory response) internal override {
    // Decoded value is accepted as-is: no bounds or plausibility check
    lastPrimeRate = abi.decode(response, (uint256));
    // Recorded, but never read by any staleness check
    lastUpdateTimestamp = block.timestamp;
    // Pushed straight into the LendingPool's interest model
    lendingPool.setPrimeRate(lastPrimeRate);
    emit PrimeRateUpdated(lastPrimeRate);
}
```

The function above, and the function calling it, lack any checks on the data stream's heartbeat and on the validity of the response. Furthermore, the function updates lastUpdateTimestamp, but this variable is used nowhere. I suppose it was intended as a variable to be checked within calling functions, but I could not find it anywhere.

Impact

The Prime Rate within the system manages the interest environment for the Lending Pool, so temporarily inaccurate values could lead to undesired interest movements. Since no funds are directly at risk, I would rate the impact as Medium (after all, 0% interest for borrowers would cost the protocol something) and the likelihood as Low to Medium, which results in a total severity of Medium.

Tools Used

Manual Review

Recommended Mitigation

Implement sanity checks on the price feed: at minimum a staleness check on the data, and ideally bounds on the accepted value so that a malformed or wildly off response cannot be pushed straight into the LendingPool.
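As an added illustration of that mitigation (this is example code written for this report, not RAAC's contract), the following oracle rejects malformed responses, bounds the decoded rate, caps the per-update move, and actually enforces lastUpdateTimestamp through a getter. The interface name, the constants (MAX_STALENESS, MIN_PRIME_RATE, MAX_PRIME_RATE, MAX_RATE_DELTA_BPS) and the rate unit (1e18 = 100%) are assumptions chosen for the example; the caller restriction on `_processResponse` is left to the inheriting fulfilment base contract, as in the original design.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Example hardening of the prime-rate oracle, not RAAC's code.
// Interface, constants and rate unit below are assumptions for illustration.
interface ILendingPool {
    function setPrimeRate(uint256 rate) external;
}

contract HardenedPrimeRateOracle {
    ILendingPool public immutable lendingPool;
    uint256 public lastPrimeRate;
    uint256 public lastUpdateTimestamp;

    // Assumed policy values: rate expressed with 1e18 = 100%
    uint256 public constant MAX_STALENESS = 1 days;
    uint256 public constant MIN_PRIME_RATE = 1e16;      // 1%
    uint256 public constant MAX_PRIME_RATE = 5e17;      // 50%
    uint256 public constant MAX_RATE_DELTA_BPS = 2_000; // max 20% relative move per update

    event PrimeRateUpdated(uint256 rate);
    error InvalidResponseLength(uint256 length);
    error RateOutOfBounds(uint256 rate);
    error RateJumpTooLarge(uint256 oldRate, uint256 newRate);
    error StalePrimeRate(uint256 age);

    constructor(address pool) {
        lendingPool = ILendingPool(pool);
    }

    // Called by the oracle fulfilment path (access control assumed to live in the base contract).
    function _processResponse(bytes memory response) internal {
        // A single uint256 is exactly 32 bytes; anything else is a malformed response
        if (response.length != 32) revert InvalidResponseLength(response.length);
        uint256 rate = abi.decode(response, (uint256));

        // Reject values outside the plausible range for a prime rate
        if (rate < MIN_PRIME_RATE || rate > MAX_PRIME_RATE) revert RateOutOfBounds(rate);

        // Reject sudden jumps relative to the previous accepted value
        if (lastPrimeRate != 0) {
            uint256 diff = rate > lastPrimeRate ? rate - lastPrimeRate : lastPrimeRate - rate;
            if (diff * 10_000 > lastPrimeRate * MAX_RATE_DELTA_BPS) {
                revert RateJumpTooLarge(lastPrimeRate, rate);
            }
        }

        lastPrimeRate = rate;
        lastUpdateTimestamp = block.timestamp;
        lendingPool.setPrimeRate(rate);
        emit PrimeRateUpdated(rate);
    }

    // Consumers read through this getter so the recorded timestamp is actually enforced:
    // a feed that has stopped updating reverts instead of silently serving an old rate.
    function getPrimeRate() external view returns (uint256) {
        if (lastUpdateTimestamp == 0) revert StalePrimeRate(type(uint256).max);
        uint256 age = block.timestamp - lastUpdateTimestamp;
        if (age > MAX_STALENESS) revert StalePrimeRate(age);
        return lastPrimeRate;
    }
}
```

The staleness check lives on the read path rather than the write path because the failure mode is an oracle that stops responding: no new response ever arrives, so only the consumer can notice that the last one is too old. The bounds and delta checks guard the opposite failure, a response that does arrive but carries an implausible value.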

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
