RaacHousePrices uses the same lastUpdateTimestamp variable to store the timestamp of the last price update for all NFTIds.
This may lead to LendingPool consuming stale prices: borrowers may borrow against a stale collateral value or be unfairly liquidated.
The admin can query the off-chain price of a house NFTId by calling BaseChainlinkFunctionsOracle::sendRequest.
When Chainlink processes the request, the token price is updated and the timestamp of the last price update is updated in the setHousePrice function.
The timestamp of the last price update is not stored per NFTId, so lastUpdateTimestamp can't be used as a price freshness indicator.
Consider the following scenario:
1. The price of nftId 1 is requested and fulfilled. lastUpdateTimestamp is updated to timestamp1.
2. 1 year passes and the price of nftId 2 is requested; lastUpdateTimestamp is set to timestamp2.
3. getLatestPrice(nftId 1) is called and (price NftId1, timestamp2) is returned.
Note: there is another issue reported in a separate submission related to the missing stale price check. This submission describes how the erroneous lastUpdateTimestamp update can lead to a stale price being considered fresh and valid.
Borrowers may be liquidated unfairly.
Borrowers may borrow more than the collateral value.
Update setHousePrice to store the timestamp of the last price update for each tokenId, similarly to how prices are stored. The getLatestPrice function should then retrieve the timestamp for the corresponding tokenId.
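A minimal sketch of the recommended per-token timestamp storage, added here as an example and not taken from the RAAC code base. The contract name, storage names, the oracle access check and the getFreshPrice helper with its maxAge parameter are assumptions. With this layout, the scenario above returns (price NftId1, timestamp1) for nftId 1, so a consumer can see that the price is a year old.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the RAAC source. Storage names, the oracle
// address and the maxAge parameter are assumptions made for this sketch.
contract HousePricesSketch {
    address public immutable oracle; // assumed: the only account allowed to write prices

    mapping(uint256 => uint256) private housePrices;    // tokenId => last price
    mapping(uint256 => uint256) private priceUpdatedAt; // tokenId => time of that price

    error NotOracle();
    error PriceNotSet(uint256 tokenId);
    error StalePrice(uint256 tokenId, uint256 updatedAt);

    constructor(address oracle_) {
        oracle = oracle_;
    }

    // Records the price and the update time for this tokenId only,
    // so updating one token never refreshes another token's timestamp.
    function setHousePrice(uint256 tokenId, uint256 price) external {
        if (msg.sender != oracle) revert NotOracle();
        housePrices[tokenId] = price;
        priceUpdatedAt[tokenId] = block.timestamp;
    }

    // Returns the price together with the timestamp of that token's own update.
    function getLatestPrice(uint256 tokenId) external view returns (uint256, uint256) {
        return (housePrices[tokenId], priceUpdatedAt[tokenId]);
    }

    // Hypothetical consumer-side helper: reverts when the token has never
    // been priced or when its own last update is older than maxAge seconds.
    function getFreshPrice(uint256 tokenId, uint256 maxAge) external view returns (uint256) {
        uint256 updatedAt = priceUpdatedAt[tokenId];
        if (updatedAt == 0) revert PriceNotSet(tokenId);
        if (block.timestamp - updatedAt > maxAge) revert StalePrice(tokenId, updatedAt);
        return housePrices[tokenId];
    }
}
```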