Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

`lastUpdateTimestamp` is returned from the oracle but never checked, which could lead to stale NFT prices

Summary

The price of each NFT a user deposits is used to calculate the total amount of collateral they have deposited. These NFT values are fetched through a Chainlink price oracle. The issue is that the timestamp at which these prices were last updated is never checked, so a stale price can be used.

Vulnerability Details

A user wishes to withdraw their NFT, but they must not be undercollateralized after the withdrawal. The prices of their assets are fetched through `getNFTPrice`, which calls a Chainlink price oracle, and the results are summed. The issue is that the `lastUpdateTimestamp` returned by the oracle is never checked to ensure the NFT price isn't stale. A user may be denied a withdrawal, or even be wrongfully liquidated, because the NFT prices used are not up to date.

```solidity
/**
 * @notice Gets the current price of an NFT from the oracle
 * @param tokenId The token ID of the NFT
 * @return The price of the NFT
 *
 * Checks if the price is stale
 */
function getNFTPrice(uint256 tokenId) public view returns (uint256) {
    // lastUpdateTimestamp is read but never used: the NatSpec claim above is not implemented
    (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
    if (price == 0) revert InvalidNFTPrice();
    return price;
}
```

Impact

Users can be wrongfully liquidated, or prevented from withdrawing, because of outdated prices.

Tools Used

Manual Review

Recommendations

Check the `lastUpdateTimestamp` returned by the oracle and revert if the price is stale.
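A hardened version of the function, as an added example that is not the project's code: it keeps the page's `priceOracle.getLatestPrice` call and `InvalidNFTPrice` error, and assumes the oracle interface name, the `StaleNFTPrice` error and the `MAX_PRICE_AGE` threshold.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Oracle interface inferred from the call site on the page; the name is an assumption.
interface INFTPriceOracle {
    function getLatestPrice(uint256 tokenId)
        external
        view
        returns (uint256 price, uint256 lastUpdateTimestamp);
}

contract NFTPriceConsumer {
    error InvalidNFTPrice();
    /// Assumed error, not from the original contract.
    error StaleNFTPrice(uint256 tokenId, uint256 lastUpdateTimestamp, uint256 maxAge);
    /// Assumed error: the oracle reported an update time later than the current block.
    error FutureTimestamp(uint256 tokenId, uint256 lastUpdateTimestamp);

    /// Assumed staleness threshold; set it to the oracle's heartbeat for the collection.
    uint256 public constant MAX_PRICE_AGE = 1 hours;

    INFTPriceOracle public immutable priceOracle;

    constructor(INFTPriceOracle oracle) {
        priceOracle = oracle;
    }

    /// @notice Returns the NFT price only if the oracle updated it within MAX_PRICE_AGE.
    function getNFTPrice(uint256 tokenId) public view returns (uint256) {
        (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
        if (price == 0) revert InvalidNFTPrice();

        // Guard the subtraction below and surface a misbehaving oracle explicitly.
        if (lastUpdateTimestamp > block.timestamp) {
            revert FutureTimestamp(tokenId, lastUpdateTimestamp);
        }

        // A timestamp of 0 (never updated) fails this check as well, since the age
        // becomes block.timestamp itself.
        uint256 age = block.timestamp - lastUpdateTimestamp;
        if (age > MAX_PRICE_AGE) {
            revert StaleNFTPrice(tokenId, lastUpdateTimestamp, MAX_PRICE_AGE);
        }
        return price;
    }
}
```

Reverting on a stale price blocks withdrawals and liquidations alike until the feed recovers, which is the safer failure mode for a lending pool than acting on an outdated collateral value.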

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops