The LendingPool::getNFTPrice function retrieves NFT prices from the oracle but fails to validate the lastUpdateTimestamp returned by the oracle. This allows stale price data to be used when calculating user collateral value, which is critical for determining borrowing capacity and liquidation conditions.
The issue affects multiple key functions that rely on NFT price data:
calculateHealthFactor
getUserCollateralValue
borrow
withdrawNFT
An attacker could exploit this by:
Waiting for favorable stale prices that overvalue their NFT collateral
Using the inflated collateral value to borrow more than they should be allowed
Defaulting on the loan, leaving the protocol with bad debt
Add a maximum staleness check for oracle prices:
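A sketch of such a check, added here as an illustration and not taken from the project's code. The oracle interface (`getLatestPrice`), the contract name, the owner-only setter and the custom errors are assumptions; only `getNFTPrice`, `lastUpdateTimestamp` and the idea of a configurable `MAX_PRICE_AGE` come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed oracle interface: the finding only states that the oracle returns
// a price together with a lastUpdateTimestamp.
interface IPriceOracle {
    function getLatestPrice(uint256 tokenId)
        external view returns (uint256 price, uint256 lastUpdateTimestamp);
}

// Hypothetical stand-in for the pricing part of the lending pool.
contract StalenessCheckedPricing {
    IPriceOracle public immutable priceOracle;
    address public immutable owner;
    uint256 public maxPriceAge; // configurable MAX_PRICE_AGE, in seconds

    error InvalidPrice(uint256 tokenId);
    error TimestampInFuture(uint256 tokenId, uint256 lastUpdateTimestamp);
    error StalePrice(uint256 tokenId, uint256 age, uint256 maxAge);
    error NotOwner();
    error InvalidMaxAge();

    constructor(IPriceOracle oracle, uint256 initialMaxAge) {
        if (initialMaxAge == 0) revert InvalidMaxAge();
        priceOracle = oracle;
        owner = msg.sender;
        maxPriceAge = initialMaxAge;
    }

    function setMaxPriceAge(uint256 newMaxAge) external {
        if (msg.sender != owner) revert NotOwner();
        if (newMaxAge == 0) revert InvalidMaxAge();
        maxPriceAge = newMaxAge;
    }

    // Reverts rather than returning a price the oracle has not refreshed
    // within maxPriceAge, so every caller that values collateral inherits it.
    function getNFTPrice(uint256 tokenId) public view returns (uint256) {
        (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
        if (price == 0) revert InvalidPrice(tokenId);
        // A future timestamp would make the subtraction below revert with an
        // arithmetic panic; fail with an explicit error instead.
        if (lastUpdateTimestamp > block.timestamp) {
            revert TimestampInFuture(tokenId, lastUpdateTimestamp);
        }
        uint256 age = block.timestamp - lastUpdateTimestamp;
        if (age > maxPriceAge) revert StalePrice(tokenId, age, maxPriceAge);
        return price;
    }
}
```

Because the check reverts, every operation that reads the price stops while the oracle is stale, which is why the grace period and pause options matter alongside it.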
Consider also:
Adding a configurable MAX_PRICE_AGE parameter
Implementing a grace period for price updates before blocking operations
Adding emergency pause functionality if the oracle fails to update prices