Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Stale NFT Price Oracle Data Usage Leading to Protocol Insolvency Risk

Summary

The getNFTPrice function in LendingPool returns oracle data without validating its freshness: the lastUpdateTimestamp the oracle returns alongside the price is never checked. A stale price lets a user borrow against collateral that has since lost value and lets a position that should already be liquidatable avoid liquidation. This directly undermines protocol solvency.

Vulnerability Details

function getNFTPrice(uint256 tokenId) public view returns (uint256) {
    (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
    if (price == 0) revert InvalidNFTPrice();
    return price; // @audit lastUpdateTimestamp is fetched but never checked for staleness
}

The oracle returns lastUpdateTimestamp together with the price, which is exactly what is needed to check freshness, but the function discards it. Any price the oracle last wrote, however old, passes the single price == 0 check and is used for collateral valuation. If the oracle stops updating or simply lags a sharp market drop, borrowing and liquidation decisions are made against a value that no longer reflects the asset.

Impact

  • Positions remain undercollateralized while valued at outdated prices

  • Bad debt accumulates in the protocol

  • Positions become underwater instantly when the price finally updates

Tools Used

Manual review

Recommendations

Implement a staleness check before returning the price, using the lastUpdateTimestamp the oracle already provides:

    uint256 maxPriceAge = 1 hours; // set from the oracle's actual update cadence
    if (block.timestamp - lastUpdateTimestamp > maxPriceAge) {
        revert PriceDataStale();
    }

The maxPriceAge window must match how often the oracle is actually expected to update: a window shorter than the feed's cadence makes the pool revert constantly, while a window far longer than the cadence reintroduces the problem. A hard revert on stale data blocks liquidations as well as borrows, so the protocol needs an operational path for restoring the feed. The same check applies to getPrimeRate, which the judge's tag notes has the identical omission.

Updates
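The following is an added example, not the Regnum Aurum Acquisition Corp code and not the exact fix submitted with this finding: a constructed mock oracle next to the unchecked and hardened pricing functions, so the staleness check can be exercised in a Hardhat test. The interface name IPriceOracle, the contracts MockNFTPriceOracle and LendingPoolPricing, and the error names other than InvalidNFTPrice and PriceDataStale are assumptions for illustration; the finding's own snippet shows only getNFTPrice and priceOracle.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example. The oracle interface is an assumption modelled on the
// two-value return shown in the finding's getNFTPrice snippet.
interface IPriceOracle {
    function getLatestPrice(uint256 tokenId)
        external
        view
        returns (uint256 price, uint256 lastUpdateTimestamp);
}

/// @dev Constructed mock (not the project's oracle): prices are pushed by
///      hand so a test can let a quote go stale by advancing block time.
contract MockNFTPriceOracle is IPriceOracle {
    struct Quote { uint256 price; uint256 updatedAt; }
    mapping(uint256 => Quote) private quotes;

    function setPrice(uint256 tokenId, uint256 price) external {
        quotes[tokenId] = Quote(price, block.timestamp);
    }

    function getLatestPrice(uint256 tokenId)
        external
        view
        returns (uint256 price, uint256 lastUpdateTimestamp)
    {
        Quote memory q = quotes[tokenId];
        return (q.price, q.updatedAt);
    }
}

/// @dev Hypothetical pricing contract: only the part relevant to the finding.
contract LendingPoolPricing {
    error InvalidNFTPrice();
    error PriceDataStale(uint256 lastUpdateTimestamp, uint256 maxPriceAge);
    error PriceTimestampInFuture(uint256 lastUpdateTimestamp);

    IPriceOracle public immutable priceOracle;

    /// Longest gap since the last oracle update the pool will accept. Must be
    /// derived from the feed's real heartbeat; the deployer passes it in.
    uint256 public immutable maxPriceAge;

    constructor(IPriceOracle oracle, uint256 maxPriceAge_) {
        priceOracle = oracle;
        maxPriceAge = maxPriceAge_;
    }

    /// Vulnerable form from the finding, kept for comparison: the timestamp
    /// is returned by the oracle but discarded, so any age passes.
    function getNFTPriceUnchecked(uint256 tokenId) public view returns (uint256) {
        (uint256 price, ) = priceOracle.getLatestPrice(tokenId);
        if (price == 0) revert InvalidNFTPrice();
        return price;
    }

    /// Hardened form. Rejects a quote older than maxPriceAge, and also a
    /// timestamp ahead of the current block: without that guard the
    /// subtraction below would underflow and revert with an opaque panic
    /// instead of a named error.
    function getNFTPrice(uint256 tokenId) public view returns (uint256) {
        (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
        if (price == 0) revert InvalidNFTPrice();
        if (lastUpdateTimestamp > block.timestamp) {
            revert PriceTimestampInFuture(lastUpdateTimestamp);
        }
        if (block.timestamp - lastUpdateTimestamp > maxPriceAge) {
            revert PriceDataStale(lastUpdateTimestamp, maxPriceAge);
        }
        return price;
    }

    /// Non-reverting probe, useful for off-chain monitoring and for tests
    /// that want to assert on freshness without catching a revert.
    function isPriceFresh(uint256 tokenId) external view returns (bool) {
        (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
        if (price == 0 || lastUpdateTimestamp > block.timestamp) return false;
        return block.timestamp - lastUpdateTimestamp <= maxPriceAge;
    }
}
```

In a Hardhat test, deploy the mock, call setPrice, then advance the chain past maxPriceAge with the evm_increaseTime and evm_mine JSON-RPC methods: getNFTPriceUnchecked keeps returning the old value, while getNFTPrice reverts with PriceDataStale and isPriceFresh returns false. The two timestamps in the PriceDataStale error make it clear from the revert data whether the feed is down or the window is simply mis-sized for the feed's cadence.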

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
