[M-05] Stale Prime Rate Due to Uncalled Internal Function
Description:
The internal function RAACPrimeRateOracle::_processResponse is responsible for updating the lastPrimeRate state variable. However, this function is not invoked by any other function within the contract. As a result, lastPrimeRate will never be updated after initialization (defaulting to 0), rendering getPrimeRate() ineffective and the lending pool's prime rate stale.
Impact:
Critical contract functionality (e.g., interest rate calculations via
lendingPool.setPrimeRate) will rely on an incorrect prime rate (0), leading to protocol-wide miscalculations.External systems or users depending on
getPrimeRate()will receive outdated/invalid data, potentially causing financial losses or misinformed decisions.
Proof of Concept:
The
_processResponsefunction isinternalandoverridebut has no in-contract callers.Without external triggers (e.g., inherited contracts),
lastPrimeRateremains uninitialized (0).getPrimeRate()will persistently return0, andlastUpdateTimestampwill never reflect actual updates.
Recommended Mitigation:
Option 1: Integrate a mechanism to call
_processResponse(e.g., a scheduled keeper or oracle update function).Option 2: Remove
_processResponseand associated logic if the prime rate is obsolete.Additional Suggestion: If the function is intended for inheritance, document its purpose and ensure derived contracts invoke it properly.
Lead Judging Commences
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.