House Price Oracle Update Problem
Summary
The current implementation of the house price oracle allows for potential inconsistencies when updating house prices. The lastHouseId is updated with each new request, regardless of whether the previous request has been fulfilled. This can lead to incorrect price updates for house IDs, especially when multiple requests are made in quick succession.
Vulnerability Details
The lastHouseId is updated with every new request without checking if the previous request has been fulfilled. If owner send multiple reqeusts to update different ids before previous requests filled, pending request will update only last house. Also there is no check if requestId and house id match. So the last fulfilled request which could be
Since it is not known when the chainlink router will complete these requests, if multiple prices need to be updated immediately, this will not be possible.
Example Scenario
-
Owner send requests:
h1 ->req1 , h2->req2, h3->req3
lastHouseIdis set to h3.
-
Requests fulfilled:
Requests are not filled in order .
req1-> updates
lastHouseId[3]= price1req3-> updates
lastHouseId[3]= price3req2-> updates
lastHouseId[3]= price2
House1 , 2 prices not updated and House 3 is updated with different price.
Impact
If multiple requests are made, the price for a previous house ID might be incorrectly updated when the request is fulfilled.
Tools Used
Manual
Recommendations
Maintain a mapping of pending requests to ensure that each house ID is updated only when its specific request is fulfilled.
Lead Judging Commences
Oracle Race Condition in RAACHousePriceOracle causes price misassignment between NFTs
Oracle Race Condition in RAACHousePriceOracle causes price misassignment between NFTs
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.