Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

'getNFTPrice' lacks checks for the staleness of NFT prices

Summary

The getNFTPrice function retrieves a price and a timestamp from the oracle but only verifies that the price is nonzero. It fails to check whether the lastUpdateTimestamp indicates that the price is fresh. As a result, stale price data (i.e., outdated information) may be used in critical calculations.


Vulnerability Details

The root cause is the omission of a check on the lastUpdateTimestamp received from the oracle. There is no validation to ensure that the returned price data is recent enough (i.e., within an acceptable time window). This oversight means that even if the oracle returns a valid price, if that price was updated a long time ago, the system still treats it as current.


Imagine the following scenario:

  • The maximum acceptable age for a price update is set to 1 hour (3600 seconds).

  • TokenID 1 had its price updated 2 hours ago, showing a price of $500,000.

  • However, due to market conditions, the current actual price is now only $300,000.

  • When a user calls withdrawNFT or getUserCollateralValue, the system retrieves the stale $500,000 price because it doesn't check the update timestamp.

  • As a result, the collateral value is overestimated, and the user might be allowed to withdraw or borrow funds based on an inflated NFT valuation.

  • If the price later corrects to $300,000, loans taken on the basis of the outdated valuation could become undercollateralized, exposing the protocol to a $200,000 gap per NFT in this scenario.

Impact

Without verifying the freshness of the NFT price, the protocol might use outdated valuations for collateral. This can lead to inaccurate collateral assessments in functions like withdrawNFT and getUserCollateralValue, potentially allowing users to withdraw or borrow funds against collateral that is overvalued. The protocol could thus become undercollateralized, leading to increased risk of bad debt and potential losses.

Recommendations

To fix the issue, the getNFTPrice function should verify that the lastUpdateTimestamp is within an acceptable range. For example:

  • Define a maximum allowable staleness period (e.g., 3600 seconds).

  • Add a check such as:

    if (block.timestamp - lastUpdateTimestamp > MAX_PRICE_AGE) {
        revert PriceDataStale();
    }

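The recommended check in the context of a complete price getter, as an added example that is not the project's own code. The oracle interface `IPriceOracleLike`, its `getLatestPrice` function, the contract name `FreshPriceReader`, and the errors `InvalidNFTPrice` and `PriceTimestampInFuture` are assumptions made for illustration; only `getNFTPrice`, `lastUpdateTimestamp`, `MAX_PRICE_AGE` and `PriceDataStale` come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed oracle shape: the report only says the oracle returns a price and a timestamp.
interface IPriceOracleLike {
    function getLatestPrice(uint256 tokenId)
        external
        view
        returns (uint256 price, uint256 lastUpdateTimestamp);
}

contract FreshPriceReader {
    // 1 hour, matching the scenario in the report.
    uint256 public constant MAX_PRICE_AGE = 3600;

    IPriceOracleLike public immutable oracle;

    error InvalidNFTPrice();          // hypothetical name for the existing nonzero check
    error PriceDataStale();           // name taken from the report's recommendation
    error PriceTimestampInFuture();   // hypothetical, see comment below

    constructor(IPriceOracleLike oracle_) {
        oracle = oracle_;
    }

    function getNFTPrice(uint256 tokenId) public view returns (uint256) {
        (uint256 price, uint256 lastUpdateTimestamp) = oracle.getLatestPrice(tokenId);

        // The only validation the report says is present today.
        if (price == 0) revert InvalidNFTPrice();

        // A timestamp ahead of the block would underflow the subtraction below and
        // surface as a bare Panic in 0.8.x; fail with a named error instead.
        if (lastUpdateTimestamp > block.timestamp) revert PriceTimestampInFuture();

        // Staleness check from the recommendation. A token whose price was never
        // set (timestamp 0) is also rejected here because its age exceeds the cap.
        if (block.timestamp - lastUpdateTimestamp > MAX_PRICE_AGE) {
            revert PriceDataStale();
        }

        return price;
    }
}
```

Because callers such as withdrawNFT and getUserCollateralValue would now revert on stale data, the maximum age has to be chosen against the oracle's actual update cadence so that a delayed update does not block withdrawals.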
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops

