Incorrect Timestamp Tracking in RAACHousePrices Contract May Lead to Inaccurate Data
Summary
The getLatestPrice function in the RAACHousePrices contract returns a single lastUpdateTimestamp for all tokens, which is not specific to each token. This could lead to inaccurate timestamp data for tokens, especially if one token's price is updated while others are not.
Vulnerability Details
Currently, the contract tracks the timestamp of the last price update globally:
This lastUpdateTimestamp is shared across all token prices. However, when calling getLatestPrice, the function returns this global timestamp instead of tracking individual timestamps for each token. This could result in misleading data because the timestamp returned for all tokens will always reflect the most recent update, even if that update was for a different token. In reality, each token should have its own timestamp to accurately track the last update for that specific token.
Impact
The lastUpdateTimestamp returned for any token could be outdated and not reflect the actual last update for that specific token.
Tools Used
Manual review
Recommendations
Update the contract to store and track the timestamp for each token individually, rather than using a global timestamp. For example:
Lead Judging Commences
RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.