Missing timestamp validation in `RAACHousePrices`
Summary
The RAACHousePrices contract lacks proper timestamp validation for house prices, allowing stale prices to be used in critical operations like lending and borrowing. The contract returns prices without indicating their age or freshness, which could lead to the protocol operating on outdated price data.
Vulnerability Details
Theere is no validation of price age before use:
Example attack scenario:
-
Day 1 - price updated:
tokenToHousePrice[1] = 500_000 * 10**18; ($500k)
lastUpdateTimestamp = 1708444800; (Feb 20, 2024)
-
Day 30 - oracle stops working:
price still usable despite being 30 days old
getLatestPrice[1] returns (500_000 * 10**18, 1708444800)
-
Attacker can:
wait for price to become stale
take out loan when market price has dropped
profit from price difference
Impact
High: Risk of protocol insolvency if many loans use outdated valuations.
Recommendations
Consider implementing price staleness checks:
Lead Judging Commences
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.