The LendingPool contract is vulnerable to stale NFT price data from the oracle, which can lead to overvalued collateral and risky lending practices.
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/LendingPool/LendingPool.sol
The getNFTPrice function in the LendingPool contract retrieves NFT prices from the oracle without validating the recency of the data.
The RAACHousePrices oracle's getLatestPrice function returns both the price and the last update timestamp:
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/primitives/RAACHousePrices.sol
However, the LendingPool does not check lastUpdateTimestamp, allowing the use of potentially stale prices.
Stale prices may overvalue NFTs, enabling users to borrow more than the collateral's current worth.
Loans backed by overvalued collateral are more likely to default, jeopardizing the protocol's financial health.
Manual review.
Introduce a staleness time threshold and modify the getNFTPrice function to use it as a recency check, reverting when the oracle's lastUpdateTimestamp is older than the threshold.
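As an added illustration (not the project's code nor part of the original finding), the unchecked read pattern beside a hardened getNFTPrice that enforces the recommended recency check. The oracle interface signature, the threshold value, and the error names are assumptions based on the finding's description of getLatestPrice returning a price and its last update timestamp.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed shape of the RAACHousePrices oracle as described in the finding:
// getLatestPrice returns the price together with the timestamp of its last update.
interface IRAACHousePrices {
    function getLatestPrice(uint256 tokenId)
        external
        view
        returns (uint256 price, uint256 lastUpdateTimestamp);
}

contract NFTPriceReader {
    error InvalidNFTPrice();
    error StaleNFTPrice(uint256 lastUpdateTimestamp, uint256 maxAge);

    IRAACHousePrices public immutable priceOracle;

    // Maximum accepted age of an oracle price. Illustrative value: the protocol
    // would tune it to how often house prices are actually refreshed on-chain.
    uint256 public constant PRICE_STALENESS_THRESHOLD = 1 days;

    constructor(IRAACHousePrices _priceOracle) {
        priceOracle = _priceOracle;
    }

    // Vulnerable pattern: the timestamp is returned by the oracle but never
    // examined, so a price that has not been refreshed for weeks is still
    // used to value collateral.
    function getNFTPriceUnchecked(uint256 tokenId) public view returns (uint256) {
        (uint256 price, ) = priceOracle.getLatestPrice(tokenId);
        if (price == 0) revert InvalidNFTPrice();
        return price;
    }

    // Hardened pattern: reject prices older than the threshold so borrow
    // limits cannot be derived from stale data. A never-set timestamp (0)
    // also fails the check, and a timestamp in the future reverts on underflow.
    function getNFTPrice(uint256 tokenId) public view returns (uint256) {
        (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
        if (price == 0) revert InvalidNFTPrice();
        if (block.timestamp - lastUpdateTimestamp > PRICE_STALENESS_THRESHOLD) {
            revert StaleNFTPrice(lastUpdateTimestamp, PRICE_STALENESS_THRESHOLD);
        }
        return price;
    }
}
```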