Core Contracts

Summary

In the RAAChousePricing contract, the lastUpdateTimestamp is updated globally whenever the setHousePrice function is called, regardless of which token ID is updated. This leads to a situation where multiple token IDs share the same timestamp, causing stale or incorrect data to be returned when fetching the price of a specific token ID. The lastUpdateTimestamp should be updated per token ID to ensure accurate, individual price updates and prevent the potential use of outdated or wrong data.

Vulnerability Details

• Issue:

  • In the setHousePrice function, the lastUpdateTimestamp is globally set to block.timestamp whenever the price of any token ID is updated. As a result, if multiple token IDs are updated at different times, they will share the same lastUpdateTimestamp.

  • When a user calls the getLatestPrice function for a token ID that hasn't been updated recently, the timestamp of another token's update is returned, leading to stale or incorrect data.

• Affected Code:

  • getLatestPrice Function:

    function getLatestPrice(uint256 _tokenId) external view returns (uint256, uint256) {

    return (tokenToHousePrice[_tokenId], lastUpdateTimestamp);

    }

  • setHousePrice Function:

    function setHousePrice(uint256 _tokenId, uint256 _amount) external onlyOracle {

    tokenToHousePrice[_tokenId] = _amount;

    lastUpdateTimestamp = block.timestamp; // Updates the global timestamp

    emit PriceUpdated(_tokenId, _amount);

    }

• Key Issue:
  The lastUpdateTimestamp should be specific to each token ID, not global. Currently, it is updated globally, causing a mismatch between the lastUpdateTimestamp and the actual update times for individual tokens.

Impact

• Stale or Incorrect Data:
  Users may fetch stale or incorrect data when querying the price of a token ID that was not recently updated. The lastUpdateTimestamp for all tokens will reflect the most recent update, even if the specific token in question was not updated at that time.

• User Confusion:
  This issue can lead to users believing they are retrieving the most recent price information, when in fact, they are seeing outdated or irrelevant data.

Tools Used

• Manual Code Review

Recommendations

1. Store Last Update Timestamp Per Token:

   • Modify the contract to store a lastUpdateTimestamp for each token ID individually. This way, each token ID will have its own timestamp reflecting the last update for that specific token.

   • Updated setHousePrice function:

     function setHousePrice(uint256 _tokenId, uint256 _amount) external onlyOracle {

     tokenToHousePrice[_tokenId] = _amount;

     tokenLastUpdateTimestamp[_tokenId] = block.timestamp; // Use per token timestamp

     emit PriceUpdated(_tokenId, _amount);

     }

   • Create a mapping for tokenLastUpdateTimestamp:

     mapping(uint256 => uint256) public tokenLastUpdateTimestamp;

2. Update getLatestPrice to Return the Correct Timestamp:

   • Modify the getLatestPrice function to return the correct lastUpdateTimestamp for the requested token ID:

     function getLatestPrice(uint256 _tokenId) external view returns (uint256, uint256) {

     return (tokenToHousePrice[_tokenId], tokenLastUpdateTimestamp[_tokenId]);

     }