The withdrawNFT function in LendingPool (line 302) retrieves NFT pricing using getNFTPrice(), but this function returns the last stored price in RAACHousePrices instead of fetching the current price. There is no staleness check, meaning that if the price has not been updated for a long time, incorrect valuation data may be used, leading to potential financial risks.
The function getNFTPrice() retrieves the last stored price from the system by calling RAACHousePrices' getLatestPrice.
This call returns the tokenToHousePrice mapping entry for the token: a uint256 price and the timestamp of the last price update.
However, there is no verification that this price is up to date, meaning:
If the price has not been updated in a long time, the function will still return an outdated value.
If oracle updates fail or pause, the system may continue using an old price without detection.
This could potentially result in unfair liquidations or unintended financial losses for users.
Severity: Medium
Users may withdraw NFTs at an incorrect valuation, potentially exploiting outdated prices.
If the price is too high, users may withdraw collateral at an inflated value, harming the protocol.
If the price is too low, users may be wrongly liquidated, leading to a loss of their property.
Manual code review
Fetch the latest price from the oracle instead of relying on stored values. Additionally, implement a staleness check after receiving a response from the oracle, rejecting any price whose last update is older than MAX_PRICE_AGE.
MAX_PRICE_AGE should be set to a reasonable threshold according to the protocol's specific requirements (e.g., 1 hour).
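As an added illustration of the recommended fix (this is example code, not code from the RAAC project or this finding's author), the contract below shows the unchecked pattern the finding describes next to a getNFTPrice that enforces MAX_PRICE_AGE. The IRAACHousePrices interface is an assumption: the finding says getLatestPrice returns the stored price and its last-update timestamp, but the exact parameter list and return order are assumed here, and MockHousePrices is a constructed stand-in so the example compiles and runs on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// ASSUMPTION: the real RAACHousePrices.getLatestPrice signature may differ;
// the finding only states that it returns a uint256 price and the timestamp
// of the last update.
interface IRAACHousePrices {
    function getLatestPrice(uint256 tokenId)
        external
        view
        returns (uint256 price, uint256 lastUpdateTimestamp);
}

contract NFTPriceStalenessExample {
    IRAACHousePrices public immutable priceOracle;

    // Threshold from the recommendation; 1 hour is the value the finding suggests.
    uint256 public constant MAX_PRICE_AGE = 1 hours;

    error StalePrice(uint256 tokenId, uint256 lastUpdate, uint256 maxAge);
    error InvalidPrice(uint256 tokenId);

    constructor(address oracle) {
        priceOracle = IRAACHousePrices(oracle);
    }

    // Before: returns whatever is stored, however old. This is the behaviour
    // the finding reports in LendingPool.getNFTPrice().
    function getNFTPriceUnchecked(uint256 tokenId) public view returns (uint256) {
        (uint256 price, ) = priceOracle.getLatestPrice(tokenId);
        return price;
    }

    // After: refuse a zero price and any price older than MAX_PRICE_AGE, so a
    // paused or failed oracle makes withdrawals revert instead of mis-valuing
    // the collateral.
    function getNFTPrice(uint256 tokenId) public view returns (uint256) {
        (uint256 price, uint256 lastUpdate) = priceOracle.getLatestPrice(tokenId);
        if (price == 0) revert InvalidPrice(tokenId);
        // Under Solidity 0.8 checked arithmetic, a lastUpdate in the future
        // underflows and reverts, which is also the safe outcome.
        if (block.timestamp - lastUpdate > MAX_PRICE_AGE) {
            revert StalePrice(tokenId, lastUpdate, MAX_PRICE_AGE);
        }
        return price;
    }
}

// Constructed mock oracle so the example can be deployed and exercised
// stand-alone; it records the block timestamp at each price write.
contract MockHousePrices is IRAACHousePrices {
    mapping(uint256 => uint256) public tokenToHousePrice;
    mapping(uint256 => uint256) public lastUpdateTimestamp;

    function setHousePrice(uint256 tokenId, uint256 price) external {
        tokenToHousePrice[tokenId] = price;
        lastUpdateTimestamp[tokenId] = block.timestamp;
    }

    function getLatestPrice(uint256 tokenId)
        external
        view
        override
        returns (uint256, uint256)
    {
        return (tokenToHousePrice[tokenId], lastUpdateTimestamp[tokenId]);
    }
}
```

Deploy MockHousePrices, call setHousePrice, then deploy NFTPriceStalenessExample with the mock's address: getNFTPrice succeeds while the price is under an hour old and reverts with StalePrice once the chain's timestamp moves past MAX_PRICE_AGE, whereas getNFTPriceUnchecked keeps returning the old value. Reverting is deliberate; a withdrawal should fail closed when the valuation cannot be trusted.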