Wrong price for house could be sent if responses are not recieved in order from Oracle
Summary
RAACHousePriceOracle sends a request to the DON when it wishes to receive that latest price of a house from the Oracle. The house id is set in _beforeFulfill to keep track of which house price will be sent on the next response received. An issue arises because there is no guarantee the next response received will be for that house id.
Vulnerability Details
A request is made to the DON for the price of a house. The house id is passed in as calldata which is set in _beforeFulfill and will be set on the next response through _processResponse.
The problem is that there is no guarantee the next response will include the response for the corresponding house ID set. Take the following example:
Request A is sent for House ID 1 with
sendRequest()_beforeFulfill()setslastHouseId = 1Request B is sent for House ID 2
_beforeFulfill()setslastHouseId = 2Response for Request A arrives first
_processResponse()useslastHouseId(which is now 2) to set the priceThe price from Request A (meant for House 1) gets incorrectly set for House 2
Impact
Incorrect price is set for the houses
Tools Used
Manual Review
Recommendations
Pass the house id along with the price in the response
Lead Judging Commences
Oracle Race Condition in RAACHousePriceOracle causes price misassignment between NFTs
Oracle Race Condition in RAACHousePriceOracle causes price misassignment between NFTs
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.