Global Timestamp Mismanagement (Root Cause: Shared Timestamp Variable + Impact: Misleading Price Update Information)
Vulnerability Details
The RAACHousePrices contract uses a single global variable lastUpdateTimestamp to track the last price update time for all tokens. This design flaw causes the timestamp to update for every token price change, regardless of which specific token was modified. As a result, the function getLatestPrice returns the same timestamp for all tokens, misleading users into believing that all token prices were updated simultaneously.
Impact
Misleading Information: Users querying the price of tokens that have not been recently updated may receive a timestamp suggesting otherwise.
Operational Risk: DApps or financial applications relying on accurate price updates could make incorrect decisions based on outdated data, leading to potential financial loss.
PoC
The oracle updates the price of token
#1, settinglastUpdateTimestamptoT1.No updates are made to token
#2.A user queries
getLatestPrice(2)and receives the price along with the timestampT1, giving the false impression that token#2's price was updated atT1.
Tools Used
Manual
Recommendations
Implement a per-token timestamp mapping to track the last update time of each token individually. This ensures that getLatestPrice returns accurate and token-specific timestamps.
Lead Judging Commences
RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.