The `LendingPool::getNFTPrice()` function does not validate the timestamp of price updates, which may lead to the use of stale prices.
Summary
The LendingPool::getNFTPrice() function does not validate the timestamp of price updates, which may lead to the use of stale prices.
Vulnerability Details
The getNFTPrice() function retrieves both the latest price and its corresponding update timestamp from the price oracle. However, it does not verify whether the retrieved price is sufficiently recent. As a result, the function may return outdated prices, potentially leading to incorrect calculations or financial discrepancies.
Impact
Without a proper time validation mechanism, the function may return outdated NFT prices, which could lead to incorrect asset valuations, unfair liquidations, or improper risk assessments in the lending protocol.
Tools Used
Manual Review
Recommendations
Introduce a time validation check to ensure the retrieved price is recent before returning it. For example:
Lead Judging Commences
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.