Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Incorrect last update timestamp of house price for nft

Summary

The getLatestPrice() function in the RAACHousePrices contract returns an incorrect last-update timestamp. It does not return the time at which the price of the requested NFT was last updated; it returns the time of the most recent call to setHousePrice().

Vulnerability Details

When the oracle calls setHousePrice(), it stores the current timestamp in the lastUpdateTimestamp variable.

    function setHousePrice(
        uint256 _tokenId,
        uint256 _amount
    ) external onlyOracle {
        tokenToHousePrice[_tokenId] = _amount;
        lastUpdateTimestamp = block.timestamp;
        emit PriceUpdated(_tokenId, _amount);
    }

However, that call may have updated the price of a different tokenId.

Example:

We have 2 token IDs (id 1 and id 2). Their prices were updated at timestamp 1740000000. After 6 months, the oracle calls setHousePrice(1, 123000). This updates the price for tokenId 1, but not for tokenId 2.

The problem is that the price for token id 2 has not been updated yet. If a user calls getLatestPrice(2), it returns the old price and timestamp 1740000000. The user will think that the price for tokenId 2 is fresh and has been updated recently.

    function getLatestPrice(
        uint256 _tokenId
    ) external view returns (uint256, uint256) {
        return (tokenToHousePrice[_tokenId], lastUpdateTimestamp); // <---
    }

Impact

Users will think that the timestamp returned by getLatestPrice() is the time at which the price of the specified tokenId was updated. This is not true.

Tools Used

Manual review

Recommendations

Update the timestamp separately for each token ID.
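
One way to apply this recommendation, shown as an added example that is not part of the submission or the RAAC code base. The oracle wiring, the mapping name tokenToLastUpdateTimestamp, the getFreshPrice helper and the custom errors are hypothetical names chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the RAAC code base. The oracle wiring and the names
// tokenToLastUpdateTimestamp, getFreshPrice and StalePrice are hypothetical.
contract HousePricesPerTokenTimestamp {
    address public immutable oracle;

    mapping(uint256 => uint256) public tokenToHousePrice;
    // One timestamp per tokenId instead of a single global lastUpdateTimestamp.
    mapping(uint256 => uint256) public tokenToLastUpdateTimestamp;

    event PriceUpdated(uint256 tokenId, uint256 newPrice);
    error NotOracle();
    error StalePrice(uint256 tokenId, uint256 updatedAt);

    modifier onlyOracle() {
        if (msg.sender != oracle) revert NotOracle();
        _;
    }

    constructor(address _oracle) {
        oracle = _oracle;
    }

    function setHousePrice(uint256 _tokenId, uint256 _amount) external onlyOracle {
        tokenToHousePrice[_tokenId] = _amount;
        // Only the token that was actually repriced gets a new timestamp.
        tokenToLastUpdateTimestamp[_tokenId] = block.timestamp;
        emit PriceUpdated(_tokenId, _amount);
    }

    function getLatestPrice(uint256 _tokenId) external view returns (uint256, uint256) {
        return (tokenToHousePrice[_tokenId], tokenToLastUpdateTimestamp[_tokenId]);
    }

    // Consumer-side guard: reject a price older than _maxAge seconds.
    // A token that was never priced has timestamp 0 and is treated as stale.
    function getFreshPrice(uint256 _tokenId, uint256 _maxAge) external view returns (uint256) {
        uint256 updatedAt = tokenToLastUpdateTimestamp[_tokenId];
        if (updatedAt == 0 || block.timestamp - updatedAt > _maxAge) {
            revert StalePrice(_tokenId, updatedAt);
        }
        return tokenToHousePrice[_tokenId];
    }
}
```

With this layout, calling setHousePrice for tokenId 1 leaves the stored timestamp for tokenId 2 unchanged, so a caller can judge the age of each price independently.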

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
