Submission Details
Severity:
no stale price check in getNFT function of LendingPool
Summary
Vulnerability Details
The getNFTPrice function in the lending pool contract retrieves NFT prices without validating the freshness of the data. This allows stale prices (e.g., outdated by hours/days) to be used for critical operations like loan issuance and liquidations.
function getNFTPrice(uint256 tokenId) public view returns (uint256) {
//@audit no stale price check.
(uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
if (price == 0) revert InvalidNFTPrice();
return price;
}
Impact
Undercollateralized Loans: Stale high prices enable borrowers to over-leverage against depreciated collateral.
Unjust Liquidations: Stale low prices trigger incorrect liquidations of solvent positions.
Protocol Insolvency Risk: Mismatch between real NFT values and protocol-reported values.
Tools Used
Recommendations
Add timestamp validation
++ require(block.timestamp - lastUpdateTimestamp < STALENESS_THRESHOLD, "Stale price"); return data.price;
Updates
Lead Judging Commences
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.