Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

RAACHousePrices::getLatestPrice returns a collection-wide last update timestamp instead of token id-specific timestamp

Summary

The function getLatestPrice() in RAACHousePrices returns a single lastUpdateTimestamp shared by the entire NFT collection instead of a timestamp tracked per token id. Because setHousePrice() overwrites that value on every call, a token whose own price has not been refreshed is still reported with the most recent collection-wide timestamp as long as any other token in the collection has been updated.

Any consumer that uses the returned timestamp for a staleness check is therefore misled: the check passes for a token whose price is actually out of date.


Vulnerability details

  • Current Implementation:

    • RAACHousePrices stores one global lastUpdateTimestamp for the entire NFT collection; getLatestPrice(tokenId) returns it regardless of which token id is queried.

    • Every call to setHousePrice() for any token overwrites that timestamp with block.timestamp.

  • The Issue:

    • If some NFTs have received new prices and others have not, getLatestPrice() reports the recent timestamp for the stale NFTs too.

    • A consumer that compares the returned timestamp against a maximum age will accept an NFT's price as fresh even though that specific token has not been repriced.

  • Example Exploit Scenario:

    1. A user wants to withdraw or sell an NFT, and the integrating contract checks whether its price is stale.

    2. getLatestPrice() returns the timestamp of the most recent update to any token in the collection, so the check passes.

    3. The user's specific NFT has not been repriced, so the returned price no longer reflects its current valuation.

    4. The withdrawal or trade settles at the outdated price, which the user can exploit if that price is more favourable to them than the current one.
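
The scenario above, as an added example that is not code from the RAAC repository: the following Solidity models the collection-wide timestamp pattern the finding describes (HousePricesGlobal), the per-token alternative (HousePricesPerToken), and a hypothetical consumer (LendingConsumer) that performs the staleness check the finding presupposes. Contract names, the oracle wiring and the MAX_PRICE_AGE policy are assumptions for illustration; only the setHousePrice/getLatestPrice/tokenToHousePrice/lastUpdateTimestamp names come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for this finding; not RAAC's code. Contract names
// (HousePricesGlobal, HousePricesPerToken, LendingConsumer), the oracle
// wiring and MAX_PRICE_AGE are assumptions for illustration.

interface IHousePrices {
    function getLatestPrice(uint256 tokenId)
        external view returns (uint256 price, uint256 updatedAt);
}

// Vulnerable pattern: a single timestamp shared by the whole collection.
contract HousePricesGlobal is IHousePrices {
    address public immutable oracle;
    mapping(uint256 => uint256) public tokenToHousePrice;
    uint256 public lastUpdateTimestamp;

    event PriceUpdated(uint256 indexed tokenId, uint256 amount);

    modifier onlyOracle() {
        require(msg.sender == oracle, "not oracle");
        _;
    }

    constructor(address _oracle) { oracle = _oracle; }

    function setHousePrice(uint256 _tokenId, uint256 _amount) external onlyOracle {
        tokenToHousePrice[_tokenId] = _amount;
        lastUpdateTimestamp = block.timestamp; // moves forward for EVERY token
        emit PriceUpdated(_tokenId, _amount);
    }

    // Whatever tokenId is asked for, the collection-wide timestamp comes back.
    function getLatestPrice(uint256 _tokenId)
        external view override returns (uint256, uint256)
    {
        return (tokenToHousePrice[_tokenId], lastUpdateTimestamp);
    }
}

// Fixed pattern: the timestamp is stored next to each token's price.
contract HousePricesPerToken is IHousePrices {
    struct HousePrice { uint256 price; uint256 timestamp; }

    address public immutable oracle;
    mapping(uint256 => HousePrice) public tokenToHousePrice;

    event PriceUpdated(uint256 indexed tokenId, uint256 amount);

    modifier onlyOracle() {
        require(msg.sender == oracle, "not oracle");
        _;
    }

    constructor(address _oracle) { oracle = _oracle; }

    function setHousePrice(uint256 _tokenId, uint256 _amount) external onlyOracle {
        tokenToHousePrice[_tokenId] = HousePrice(_amount, block.timestamp);
        emit PriceUpdated(_tokenId, _amount);
    }

    function getLatestPrice(uint256 _tokenId)
        external view override returns (uint256, uint256)
    {
        HousePrice storage p = tokenToHousePrice[_tokenId];
        return (p.price, p.timestamp);
    }
}

// Hypothetical consumer performing the staleness check the finding presupposes.
contract LendingConsumer {
    uint256 public constant MAX_PRICE_AGE = 1 days; // assumed policy
    IHousePrices public immutable prices;

    constructor(IHousePrices _prices) { prices = _prices; }

    // Reverts unless the token's price is both set and recent.
    function freshPrice(uint256 tokenId) external view returns (uint256) {
        (uint256 price, uint256 updatedAt) = prices.getLatestPrice(tokenId);
        // A never-priced token returns price 0; with HousePricesGlobal it still
        // carries a recent updatedAt, so this check must not be skipped.
        require(price != 0, "no price");
        require(block.timestamp - updatedAt <= MAX_PRICE_AGE, "stale price");
        return price;
    }
}

// Walk-through (all setHousePrice calls from the configured oracle address):
//   day 0    : setHousePrice(1, 100e18); setHousePrice(2, 200e18)
//   day 30   : setHousePrice(1, 110e18)            // token 2 untouched
//   day 30+1h: LendingConsumer.freshPrice(2)
//     HousePricesGlobal   -> (200e18, day 30) passes: 30-day-old price accepted
//     HousePricesPerToken -> (200e18, day 0)  reverts "stale price"
```

Two points a practitioner would check when wiring such a consumer: the freshness check is only as good as the timestamp it is given, so against HousePricesGlobal it cannot be fixed on the consumer side; and a token that was never priced returns a zero price with a recent collection-wide timestamp, so the `price != 0` guard is needed independently of the staleness check.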


Impact

Severity: Medium

  • Incorrect pricing assumptions can lead to wrong valuations, unfair liquidations, and financial exploitation.

  • Users could sell, withdraw, or use stale valuations without realizing the price is outdated for their specific NFT.

  • If governance decisions, liquidations, or borrowing rely on these prices, the entire protocol's stability is at risk.


Tools used

  • Manual code review


Prerequisites

This only becomes exploitable once a staleness check on house prices is implemented using the timestamp returned by getLatestPrice(); until such a check exists, the misleading timestamp has no consumer to mislead, and stale prices are accepted regardless.

Recommendations

  1. In the RAACHousePrices contract, add a HousePrice struct holding the price and the timestamp of its last update, and change tokenToHousePrice to map token ids to that struct.

  2. In setHousePrice, record block.timestamp for the specific token id.

  3. In getLatestPrice, return the timestamp stored for the specific token id rather than the collection-wide one.

    ```solidity
    struct HousePrice {
        uint256 price;
        uint256 timestamp;
    }

    // value type changes from a bare price to the struct above
    mapping(uint256 => HousePrice) public tokenToHousePrice;

    function setHousePrice(uint256 _tokenId, uint256 _amount) external onlyOracle {
        tokenToHousePrice[_tokenId] = HousePrice(_amount, block.timestamp);
        // the collection-wide timestamp can be kept for callers that still read it
        lastUpdateTimestamp = block.timestamp;
        emit PriceUpdated(_tokenId, _amount);
    }

    // returns the price and the update time of this token id only
    function getLatestPrice(uint256 _tokenId) external view returns (uint256, uint256) {
        return (tokenToHousePrice[_tokenId].price, tokenToHousePrice[_tokenId].timestamp);
    }
    ```

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data

