The RAACHousePrices contract stores house prices in USD but RAACNFT accepts payments in crvUSD without price conversion, leading to incorrect payment amounts when crvUSD deviates from the USD peg.
The core issue stems from a mismatch between price denomination and payment token:
- In RAACHousePrices::setHousePrice(), prices are set in USD by the oracle.
- In RAACNFT::mint(), these USD prices are treated as if they were crvUSD amounts.
- No price conversion is performed between USD and crvUSD.
Note that the NatSpec of the RAACHousePrices::setHousePrice() function clearly states that the price is set in USD.
This creates a vulnerability when crvUSD deviates from its USD peg.
1. The oracle sets the house price to 1,000,000 USD for tokenId 1.
2. crvUSD depegs to 0.998 USD.
3. A user calls RAACNFT::mint with 1,000,000 crvUSD.
4. The transaction succeeds, but the user only pays 998,000 USD worth of value.
5. The protocol loses 2,000 USD of value.
The issue works in reverse too - if crvUSD trades above 1 USD, users overpay for properties.
The impact of this issue is that the protocol or the users will lose value when crvUSD deviates from the USD peg.
- Use the crvUSD/USD oracle to get the price of the house in crvUSD, and then compare it to the amount of crvUSD being sent.
- Alternatively, update the oracle to provide prices directly in crvUSD rather than USD. This removes the need for on-chain conversion but requires the oracle to handle the conversion off-chain.
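One way to implement the first recommendation, as an added example that is not RAAC's own code. It assumes a Chainlink-style crvUSD/USD feed (the IAggregatorV3 interface below), USD house prices scaled to 18 decimals, and the hypothetical names UsdToCrvUsd, quote and maxAge.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not part of the RAAC code base.
// Assumption: the crvUSD/USD oracle exposes a Chainlink-style interface.
interface IAggregatorV3 {
    function decimals() external view returns (uint8);
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt,
        uint256 updatedAt, uint80 answeredInRound
    );
}

library UsdToCrvUsd {
    error BadFeedAnswer();
    error StaleFeed();

    /// @param feed     crvUSD/USD feed (answer = USD value of 1 crvUSD)
    /// @param usdPrice house price in USD, 18 decimals (assumed scaling)
    /// @param maxAge   oldest acceptable feed update, in seconds (hypothetical)
    /// @return crvUsdAmount crvUSD (18 decimals) worth `usdPrice` USD
    function quote(IAggregatorV3 feed, uint256 usdPrice, uint256 maxAge)
        internal view returns (uint256 crvUsdAmount)
    {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        // Reject zero or negative prices and rounds that never completed.
        if (answer <= 0 || updatedAt == 0) revert BadFeedAnswer();
        // Reject a feed that has not updated recently enough to trust.
        if (block.timestamp - updatedAt > maxAge) revert StaleFeed();

        uint256 usdPerCrvUsd = uint256(answer);
        uint256 one = 10 ** uint256(feed.decimals());
        // Ceiling division: rounding never favours the payer.
        crvUsdAmount = (usdPrice * one + usdPerCrvUsd - 1) / usdPerCrvUsd;
    }
}
```

In the scenario above (1,000,000 USD price, crvUSD at 0.998 USD), the required payment comes to roughly 1,002,004.01 crvUSD instead of 1,000,000, and a mint path would compare this quoted amount with the crvUSD it transfers.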