The getNFTPrice() function in the LendingPool contract fetches the current price of an NFT from the oracle. However, it does not check whether the retrieved price is stale, so an attacker can take advantage of an outdated price while borrowing or repaying.
getNFTPrice() retrieves the latest price of an NFT via priceOracle.getLatestPrice(). It also fetches lastUpdateTimestamp, but it only reverts when the price is 0 and never validates that the price is fresh.
If the oracle stops updating prices for an extended period, an attacker could use the outdated values to manipulate borrowing and repayment transactions. For example:
If the stale price is higher than the current market price, an attacker could borrow more than their collateral should allow.
Implement a stale-price check: if lastUpdateTimestamp is older than a predefined period (e.g., 1 hour), the function should revert so that an outdated price is never used.
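The recommended check, written out as an added example rather than the project's own code. The oracle interface is an assumption: the finding names getLatestPrice() and lastUpdateTimestamp but does not show their exact signatures, so a single call returning both values is assumed here. The 1 hour threshold is the one suggested above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed oracle interface (not taken from the audited code base): the finding
// mentions getLatestPrice() and lastUpdateTimestamp, the return shape is assumed.
interface IPriceOracle {
    function getLatestPrice(address nft)
        external
        view
        returns (uint256 price, uint256 lastUpdateTimestamp);
}

contract LendingPoolExample {
    IPriceOracle public immutable priceOracle;

    // Maximum accepted age of an oracle price; 1 hour is the figure from the finding.
    uint256 public constant MAX_PRICE_AGE = 1 hours;

    error InvalidPrice();
    error StalePrice(uint256 lastUpdateTimestamp, uint256 maxAge);

    constructor(IPriceOracle _oracle) {
        priceOracle = _oracle;
    }

    // Before: the timestamp is fetched but ignored, only a zero price reverts.
    function getNFTPriceUnchecked(address nft) external view returns (uint256) {
        (uint256 price, ) = priceOracle.getLatestPrice(nft);
        if (price == 0) revert InvalidPrice();
        return price;
    }

    // After: reject a zero price, a timestamp dated in the future (a broken or
    // misconfigured oracle), and any price older than MAX_PRICE_AGE.
    function getNFTPrice(address nft) public view returns (uint256) {
        (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(nft);
        if (price == 0) revert InvalidPrice();
        if (lastUpdateTimestamp > block.timestamp) {
            revert StalePrice(lastUpdateTimestamp, MAX_PRICE_AGE);
        }
        if (block.timestamp - lastUpdateTimestamp > MAX_PRICE_AGE) {
            revert StalePrice(lastUpdateTimestamp, MAX_PRICE_AGE);
        }
        return price;
    }
}
```

Because both the borrow and repay paths read the price through getNFTPrice(), placing the check inside that one function covers both; the future-timestamp guard also keeps the subtraction from reverting with an unhelpful arithmetic error when the oracle returns a bad timestamp.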