The LendingPool::getNFTPrice function retrieves the price of an NFT from an oracle but does not verify whether the price is stale. If the oracle's lastUpdateTimestamp is outdated, the function may return an old price, leading to incorrect valuations and potential exploitation in lending operations.
https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/LendingPool/LendingPool.sol#L591-L595
The function fetches the latest price and its last update timestamp. However, it does not check whether lastUpdateTimestamp is sufficiently recent. This means that if the oracle stops updating or experiences delays, the returned price may be outdated. A borrower could use an old, inflated price to receive more collateral than they should, or a liquidator might rely on outdated pricing, leading to unfair liquidations.
Users could manipulate lending terms based on stale prices.
Manual review
Introduce a freshness check by comparing lastUpdateTimestamp against block.timestamp with an acceptable time threshold (PRICE_STALE_THRESHOLD):
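The following is an added illustration of the recommended check, not code from the RAAC repository: the unchecked pattern the finding describes beside a version that reverts on a stale update. The oracle interface name `INFTPriceOracle`, its `getLatestPrice` signature, the one-hour threshold and the `StaleNFTPrice` error are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Assumed oracle interface (hypothetical stand-in, not the RAAC oracle's
/// actual ABI): returns the latest price for a token id together with the
/// timestamp at which that price was last updated.
interface INFTPriceOracle {
    function getLatestPrice(uint256 tokenId)
        external
        view
        returns (uint256 price, uint256 lastUpdateTimestamp);
}

contract LendingPoolPriceCheck {
    INFTPriceOracle public immutable priceOracle;

    /// Maximum age a price may have before it is treated as stale.
    /// 1 hour is an assumed value; tune it to the oracle's update cadence.
    uint256 public constant PRICE_STALE_THRESHOLD = 1 hours;

    error InvalidNFTPrice();
    error StaleNFTPrice(uint256 lastUpdateTimestamp, uint256 currentTimestamp);

    constructor(INFTPriceOracle _priceOracle) {
        priceOracle = _priceOracle;
    }

    /// Pattern described in the finding: the timestamp is fetched but
    /// never compared against block.timestamp, so an outdated price passes.
    function getNFTPriceUnchecked(uint256 tokenId) public view returns (uint256) {
        (uint256 price, ) = priceOracle.getLatestPrice(tokenId);
        if (price == 0) revert InvalidNFTPrice();
        return price;
    }

    /// Hardened version: revert when the last update is older than
    /// PRICE_STALE_THRESHOLD (or lies in the future, which also indicates a
    /// misbehaving oracle), so borrow and liquidation paths cannot proceed
    /// on an outdated valuation.
    function getNFTPrice(uint256 tokenId) public view returns (uint256) {
        (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
        if (price == 0) revert InvalidNFTPrice();
        if (
            lastUpdateTimestamp > block.timestamp ||
            block.timestamp - lastUpdateTimestamp > PRICE_STALE_THRESHOLD
        ) revert StaleNFTPrice(lastUpdateTimestamp, block.timestamp);
        return price;
    }
}
```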