Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Oracle Price Retrieval Vulnerability in RAACNFT

0xblackadam

Description

The getHousePrice function in RAACNFT contract incorrectly uses tokenToHousePrice instead of getLatestPrice from the oracle contract. This implementation has three critical issues:

Returns 0 if oracle address hasn't been set
Returns 0 if price hasn't been set
Returns potentially stale prices without timestamp validation

Current implementation:

function getHousePrice(uint256 _tokenId) public view override returns(uint256) {

return raac_hp.tokenToHousePrice(_tokenId);

}

Impact

Users can receive incorrect or stale price information
Zero prices returned without error indication
No way to distinguish between unset oracle, unset price, or actual zero price
Downstream contracts relying on this function could make incorrect financial decisions
Potential for economic exploits if price staleness isn't checked

Fix Recommendation

Use getLatestPrice and handle timestamp:

function getHousePrice(uint256 _tokenId) public view override returns(uint256, uint256) {

// Get price and timestamp

(uint256 price, uint256 timestamp) = raac_hp.getLatestPrice(_tokenId);

// Validate oracle is set

if (address(raac_hp) == address(0)) revert RAACNFT__OracleNotSet();

// Check for zero price

if (price == 0) revert RAACNFT__PriceNotSet();

// Check staleness

uint256 PRICE_STALENESS_THRESHOLD = 1 days;

if (block.timestamp - timestamp > PRICE_STALENESS_THRESHOLD) {

revert RAACNFT__StalePrice();

}

return (price, timestamp);

}

Tools Used

Manual code review
Foundry testing framework
Static analysis

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops

inallhonesty Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.