The getNFTPrice() function retrieves NFT prices without checking the lastUpdateTimestamp for staleness, risking over-borrowing against outdated valuations. This medium-impact, medium-likelihood vulnerability could undercollateralize the protocol if NFT prices drop, leading to unrecoverable losses during liquidation.
The getNFTPrice() function calls priceOracle.getLatestPrice() but doesn’t ensure the price is recent. Example:
Oracle stalls, reporting 1000 crvUSD (1000e18 WAD) while the real value falls to 100 crvUSD.
Borrower deposits 1 NFT, borrows 800 crvUSD (80% of stale value).
NFT drops to 100e18; liquidation recovers only 100 crvUSD, leaving a 700 crvUSD shortfall.
Stale prices inflate getUserCollateralValue(), so borrowers can open loans that are undercollateralized against the real market value.
The protocol could lose significant value (e.g., 700 crvUSD per incident) due to undercollateralized loans, a medium-impact outcome. The medium likelihood reflects the realistic chance of oracle delays or failures, especially in volatile NFT markets, threatening financial stability.
Testing frameworks: Hardhat, used to simulate stale prices and over-borrowing scenarios.
Add a staleness check in getNFTPrice():
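The following is an added illustration of the mitigation, not code from the audited protocol: the unchecked pattern next to a hardened getNFTPrice() that rejects prices older than a maximum age. The IPriceOracle interface returning (price, lastUpdateTimestamp), the function parameters and the 1 hour MAX_PRICE_AGE are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed oracle interface (not the audited code): returns the price in
// WAD (1e18) and the timestamp of the last update.
interface IPriceOracle {
    function getLatestPrice(address nft, uint256 tokenId)
        external
        view
        returns (uint256 price, uint256 lastUpdateTimestamp);
}

contract NFTPriceStaleness {
    IPriceOracle public immutable priceOracle;
    // Maximum accepted age of a price; hypothetical value chosen for illustration.
    uint256 public constant MAX_PRICE_AGE = 1 hours;

    error StalePrice(uint256 lastUpdateTimestamp, uint256 maxAge);
    error InvalidPrice();

    constructor(IPriceOracle oracle) {
        priceOracle = oracle;
    }

    // Unchecked pattern: the timestamp is ignored, so a stalled oracle keeps
    // feeding the old valuation into collateral and borrow calculations.
    function getNFTPriceUnchecked(address nft, uint256 tokenId) external view returns (uint256) {
        (uint256 price, ) = priceOracle.getLatestPrice(nft, tokenId);
        return price;
    }

    // Hardened version: revert when the reported price is zero, dated in the
    // future, or older than MAX_PRICE_AGE, so borrowing against a stale
    // valuation fails closed instead of inflating getUserCollateralValue().
    function getNFTPrice(address nft, uint256 tokenId) public view returns (uint256) {
        (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(nft, tokenId);
        if (price == 0) revert InvalidPrice();
        // Short-circuit keeps the subtraction from underflowing on a future timestamp.
        if (lastUpdateTimestamp > block.timestamp
            || block.timestamp - lastUpdateTimestamp > MAX_PRICE_AGE) {
            revert StalePrice(lastUpdateTimestamp, MAX_PRICE_AGE);
        }
        return price;
    }
}
```

A Hardhat test can exercise the check by mocking the oracle with a timestamp older than MAX_PRICE_AGE and asserting that a borrow against that NFT reverts with StalePrice.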