Core Contracts

Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Submission Details
Severity: medium
Valid

Stale Price Data Usage in LendingPool

Summary

The LendingPool contract is vulnerable to stale NFT price data from the oracle, which can lead to overvalued collateral and risky lending practices.

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/LendingPool/LendingPool.sol

Vulnerability Details

The getNFTPrice function in the LendingPool contract retrieves NFT prices from the oracle without validating the recency of the data.

function getNFTPrice(uint256 tokenId) public view returns (uint256) {
(uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
if (price == 0) revert InvalidNFTPrice();
return price;
}

The RAACHousePrices oracle's getLatestPrice function returns both the price and the last update timestamp:
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/primitives/RAACHousePrices.sol

function getLatestPrice(
uint256 _tokenId
) external view returns (uint256, uint256) {
return (tokenToHousePrice[_tokenId], lastUpdateTimestamp);
}

However, the LendingPool does not check lastUpdateTimestamp, allowing the use of potentially stale prices.

Impact

  1. Stale prices may overvalue NFTs, enabling users to borrow more than the collateral's current worth.

  2. Loans backed by overvalued collateral are more likely to default, jeopardizing the protocol's financial health.

Tools Used

manual review

Recommendations

Introduce a time threshold and then modify the getNFTPrice Function to use the time threshold as a recency check ;

function getNFTPrice(uint256 tokenId) public view returns (uint256) {
(uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
if (price == 0) revert InvalidNFTPrice();
if (block.timestamp - lastUpdateTimestamp > MAX_PRICE_AGE) revert StalePrice();
return price;
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.