Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Lack of Multi-Request Handling in Chainlink Oracle Leads to Data Overwrites and Incorrect Price Updates

cz_moose

Summary

The RAACHousePriceOracle that inherits from BaseChainlinkFunctionsOracle contracts currently does not support multiple simultaneous requests. The system is designed to handle only one request at a time, as evidenced by the use of a single s_lastRequestId variable to track the most recent request.

Since RAACHousePriceOracle relies on lastHouseId to associate oracle responses with specific house price updates, concurrent requests could lead to mismatched or incorrect price updates.

This limitation introduces data inconsistencies and race conditions, potentially causing house prices to be assigned to the wrong properties if multiple requests are made before a response is received.

Vulnerability Details

Affected Contracts

The system currently assumes that only one oracle request will be active at any given time. This is evident in the BaseChainlinkFunctionsOracle contract, where the s_lastRequestId variable is used to track the most recent request. However, if multiple requests are sent before the first one is fulfilled, there is no mechanism to differentiate between responses.

Additionally, the RAACHousePriceOracle contract relies on lastHouseId to associate responses with house price updates. Since this value is overwritten every time a new request is sent, multiple pending requests can cause incorrect price assignments, leading to data inconsistencies.

The lack of per-request tracking means that responses from Chainlink Functions may be misapplied, potentially setting house prices for the wrong properties. This could be exploited if an attacker floods the system with multiple requests, creating unpredictable behavior in how house prices are recorded.

Impact

The absence of support for multiple concurrent oracle requests introduces a critical data integrity issue. Since responses are not linked to their respective requests, incorrect house prices may be recorded, leading to inaccurate valuations. This can result in financial losses for users relying on these prices for lending, borrowing, or investment decisions.

Tools Used

  • Manual review

Recommendations

Store Requests in a Mapping Instead of a Single Variable
Replace s_lastRequestId with a mapping to track multiple requests:

mapping(bytes32 => uint256) private requestToHouseId;

Modify sendRequest to store the house ID against the request ID

s_lastRequestId = _sendRequest(req.encodeCBOR(), subscriptionId, callbackGasLimit, donId);
requestToHouseId[s_lastRequestId] = args[0].stringToUint();

Verify Request ID in fulfillRequest

function fulfillRequest(bytes32 requestId, bytes memory response, bytes memory err) internal override {
require(requestToHouseId[requestId] != 0, "Unknown request ID"); // Check if the request exists
if (err.length == 0) {
if (response.length == 0) {
revert FulfillmentFailed();
}
uint256 houseId = requestToHouseId[requestId];
delete requestToHouseId[requestId]; // Clean up
_processResponse(houseId, response);
}
}

Update _processResponse to use the correct house ID:

function _processResponse(uint256 houseId, bytes memory response) internal {
uint256 price = abi.decode(response, (uint256));
housePrices.setHousePrice(houseId, price);
emit HousePriceUpdated(houseId, price);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Oracle Race Condition in RAACHousePriceOracle causes price misassignment between NFTs

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Oracle Race Condition in RAACHousePriceOracle causes price misassignment between NFTs

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.