Last update timestamp is a single value for all house prices
Summary
In the RAACHousePrices contract when call the setHousePrice we update the lastUpdateTimestamp each time a house price is update. This is incorrect as each house price should have a individual last lastUpdateTimestamp.
Vulnerability Details
Whenever we receive a price update for a house we only store the latest update timestamp for any a house price update. This will be inaccurate if we decide to implement stalness of house price in the LendingPool contract(currently it is missing, but it is recommanded that price oracles are checked for prices stalness).
Impact
Last price update could be inaccurate if we start checking price stalness for houses
Tools Used
Manual Review
Recommendations
Add an extra mapping to the RAACHousePrices contract that stores the last update timestamp for a house token id:
Lead Judging Commences
RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.