Function mint does not check how long ago was the price updated
Summary
Function mint() in RAACNFT contract request tokenId price from raac_hp contract, but does not check how long ago price has been updated. And use returned price.
Vulnerability Details
If house price has not updated for a long time, function mint() use it anyway. But price could be incorrect and old.
Function does not check how long agoe price has been updated. Maybe a very long time ago. Oracle could be broken.
Its possible situation, because its only 1. Yes, project use chainlink. but only for call for custom data provider.
Even, project has used price from chainlink. the best practice is check time of last price update time.
Impact
If the orcacle has not update tokenId price for a long period, function mint will continue use old price. House at this moment could has higher price, than before. So. user have to pay smaller amount of tokens for mint nft, than it needed.
Tools Used
Manual review
Recommendations
Check price updated time
Lead Judging Commences
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.