Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Inconsistent Update Timestamp for Token Prices

s0x0mtee

Summary

The contract RAACHousePrices maintains a global lastUpdateTimestamp, which does not track price updates on a per-token basis. The function getLatestPrice returns this global timestamp, leading to inaccurate price update tracking for individual tokens. Although a view function, it will have a severe impact as it is heavily relied on for offchain(frontend) data feed for the real world assets.

Vulnerability Details

The function getLatestPrice states in its documentation that it "returns a token-specific update timestamp," but instead, it returns the global lastUpdateTimestamp. This creates an inconsistency where:

  1. If multiple token prices are updated at different times, the timestamp reflects only the latest update, not the individual token’s update.

  2. Calling getLatestPrice for different tokens may return misleading timestamps.

Affected Code:

function getLatestPrice(
uint256 _tokenId
) external view returns (uint256, uint256) {
return (tokenToHousePrice[_tokenId], lastUpdateTimestamp);
}
function setHousePrice(
uint256 _tokenId,
uint256 _amount
) external onlyOracle {
tokenToHousePrice[_tokenId] = _amount;
lastUpdateTimestamp = block.timestamp; // Updates globally, not per token
emit PriceUpdated(_tokenId, _amount);
}

Impact

  • Misleading timestamps may cause external consumers (such as dApps or off-chain services) to assume a token’s price is more recent than it actually is.

  • Users may make financial decisions based on incorrect price update timestamps.

  • Potential oracle exploits if timestamps are relied upon for price validity.

Tools Used

Manual review.

Recommendations

To ensure each token price update has an accurate timestamp, store timestamps per token:

mapping(uint256 => uint256) public tokenUpdateTimestamp; // New mapping
function setHousePrice(
uint256 _tokenId,
uint256 _amount
) external onlyOracle {
tokenToHousePrice[_tokenId] = _amount;
tokenUpdateTimestamp[_tokenId] = block.timestamp; // Store per-token update time
emit PriceUpdated(_tokenId, _amount);
}
function getLatestPrice(
uint256 _tokenId
) external view returns (uint256, uint256) {
return (tokenToHousePrice[_tokenId], tokenUpdateTimestamp[_tokenId]);
}

This ensures that each token correctly tracks its own last update timestamp.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!