Core Contracts

Summary

This report identifies a vulnerability in the lending protocol where Chainlink oracles (RAACPrimeRateOracle and RAACHousePriceOracle) can fail or return invalid data, causing critical functions (e.g., liquidations, adding collateral) to revert. The protocol lacks fallback mechanisms or circuit breakers, risking system downtime and user losses.

Vulnerability Details

The protocol relies on Chainlink oracles for price data in RAACPrimeRateOracle.getLatestPrice and RAACHousePriceOracle.getLatestPrice. If the oracle goes offline or provides incorrect data, these calls revert, halting operations like redeeming collateral, opening/closing positions, adding collateral, claiming escrow, and liquidating positions. No fallback oracles, circuit breakers, or monitoring are implemented to handle such failures.

Affected Contracts:
RAACHousePrices, RAACPrimeRateOracle, RAACHousePriceOracle, LendingPool, StabilityPool

Impact

• System Disruption: Users cannot execute critical actions, leading to prolonged downtime and missed opportunities.

• User Fund Loss: Failed liquidations may leave the system uncollateralized, and users may lose funds if they cannot manage positions during oracle outages. This undermines trust and protocol stability.

Tools Used

Manual

Recommendations

• Implement fallback oracles or a predefined price mechanism for use when the primary oracle fails.

• Add circuit breakers to safely pause operations during oracle issues, with notifications for manual intervention.

• Set up real-time monitoring and alerts for oracle status and price data validity to ensure timely responses.