Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Single Global Timestamp for All NFTs in the Oracle

Summary

The RAACHousePrices oracle maintains a single global lastUpdateTimestamp that applies to all NFTs. This global timestamp is updated whenever any NFT's price is updated. As a result, the lastUpdateTimestamp does not accurately reflect the update time of individual NFTs. This can be misleading because the LendingPool might assume that all NFT prices were updated at the same time, even though only some have been updated.

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/primitives/RAACHousePrices.sol

Vulnerability Details

Problematic implementation:

uint256 public lastUpdateTimestamp; // Shared across all tokens
// existing code ...
function setHousePrice(uint256 _tokenId, uint256 _amount) external {
    tokenToHousePrice[_tokenId] = _amount;
    lastUpdateTimestamp = block.timestamp; // <-- Overwritten globally
}

Every time a new house price is set, it overwrites the lastUpdateTimestamp that applies to all the other houses.

Impact

  1. Borrowers can over-leverage using NFTs with outdated prices, as collateral values are artificially inflated.

  2. The protocol accrues bad debt as loans exceed the true value of the collateral.

Tools Used

Manual review

Recommendations

Create a mapping that tracks the lastUpdateTimestamp of each individual token, and use it instead of the single global timestamp:

mapping(uint256 => uint256) public tokenToLastUpdateTimestamp; // Track per NFT

function setHousePrice(uint256 _tokenId, uint256 _amount) external {
    tokenToHousePrice[_tokenId] = _amount;
    tokenToLastUpdateTimestamp[_tokenId] = block.timestamp; // Update per-token timestamp
}
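
A per-token timestamp only protects the lender if the consumer checks it before using the price. The contract below is an added example, not the RAAC code or the submitter's: it pairs the per-token record with a getter that reverts on a stale or unset price. The contract name, `updater`, `getFreshPrice` and `maxAge` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added example: hypothetical oracle with per-token freshness, not the RAAC contract.
contract PerTokenPriceOracle {
    struct PriceData {
        uint256 price;
        uint256 updatedAt; // block.timestamp of this token's own last update
    }

    address public immutable updater; // assumption: one trusted price feeder
    mapping(uint256 => PriceData) private prices;

    error NotUpdater();
    error PriceNotSet(uint256 tokenId);
    error StalePrice(uint256 tokenId, uint256 updatedAt, uint256 maxAge);

    event PriceUpdated(uint256 indexed tokenId, uint256 price, uint256 updatedAt);

    constructor(address _updater) {
        updater = _updater;
    }

    function setHousePrice(uint256 _tokenId, uint256 _amount) external {
        if (msg.sender != updater) revert NotUpdater();
        // Only this token's record changes; every other token keeps its own age.
        prices[_tokenId] = PriceData(_amount, block.timestamp);
        emit PriceUpdated(_tokenId, _amount, block.timestamp);
    }

    /// Returns the price only if this token was updated within `maxAge` seconds.
    /// A lending contract would call this instead of reading the raw price.
    function getFreshPrice(uint256 _tokenId, uint256 maxAge)
        external
        view
        returns (uint256)
    {
        PriceData memory data = prices[_tokenId];
        // A token that was never priced must not be treated as worth zero-but-fresh.
        if (data.updatedAt == 0) revert PriceNotSet(_tokenId);
        if (block.timestamp - data.updatedAt > maxAge) {
            revert StalePrice(_tokenId, data.updatedAt, maxAge);
        }
        return data.price;
    }
}
```

With the single global timestamp, updating any one token would make the same age check pass for every other token; here, an update to one token leaves the others' ages untouched.
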
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
