Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Incorrect Global Timestamp Handling in `RAAChousePricing` Contract

Summary

The RAAChousePricing contract incorrectly updates the lastUpdateTimestamp globally whenever the setHousePrice function is called, regardless of which token ID is modified. This results in multiple tokens sharing the same timestamp, leading to outdated or inaccurate price data being returned when querying specific token prices. To ensure accurate tracking, each token should maintain its own update timestamp instead of relying on a global value.

Vulnerability Details

  • Issue:

    • The lastUpdateTimestamp is updated for all token IDs whenever any single token’s price is modified. This means that different tokens can appear to have been updated at the same time, even if only one was modified.

    • When a user queries the price of a token that hasn’t been updated recently, the timestamp from another token’s update is returned, leading to misleading data.

  • Affected Code:

    • getLatestPrice Function:

      function getLatestPrice(uint256 _tokenId) external view returns (uint256, uint256) {
          return (tokenToHousePrice[_tokenId], lastUpdateTimestamp);
      }
    • setHousePrice Function:

      function setHousePrice(uint256 _tokenId, uint256 _amount) external onlyOracle {
          tokenToHousePrice[_tokenId] = _amount;
          lastUpdateTimestamp = block.timestamp; // Incorrect: Updates timestamp for all tokens
          emit PriceUpdated(_tokenId, _amount);
      }
  • Root Cause:
    The contract lacks a per-token timestamp tracking mechanism. Instead, a single lastUpdateTimestamp applies to all tokens, which can mislead users about the freshness of individual token price updates.

Impact

  • Inaccurate Data Retrieval:
    Users might receive outdated price information for a token while believing they are viewing the latest data.

  • User Misinterpretation:
    The shared timestamp can cause confusion, as users may assume all tokens were updated simultaneously, even when only one was modified.

  • Financial Risks:
    If external systems rely on this timestamp for pricing or trading, outdated data could result in poor financial decisions or incorrect valuations.

Tools Used

  • Manual Code Review

Recommendations

  1. Implement Per-Token Timestamp Storage:

    • Modify the contract to track a separate lastUpdateTimestamp for each token to ensure accurate individual update records.

    • Updated setHousePrice function:

      function setHousePrice(uint256 _tokenId, uint256 _amount) external onlyOracle {
          tokenToHousePrice[_tokenId] = _amount;
          tokenLastUpdateTimestamp[_tokenId] = block.timestamp; // Correct: Individual token timestamp
          emit PriceUpdated(_tokenId, _amount);
      }
    • Introduce a mapping for per-token timestamps:

      mapping(uint256 => uint256) public tokenLastUpdateTimestamp;
  2. Modify getLatestPrice to Return Token-Specific Timestamps:

    • Ensure the function retrieves the correct timestamp for the requested token ID:

      function getLatestPrice(uint256 _tokenId) external view returns (uint256, uint256) {
          return (tokenToHousePrice[_tokenId], tokenLastUpdateTimestamp[_tokenId]);
      }
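
The effect on a consumer that applies a maximum-age check to the returned timestamp, as an added example: a JavaScript model of the two storage layouts, not the RAAC contract code or the submitter's code. The class names, `isFresh`, `MAX_AGE` and the sample prices and times are assumptions constructed for illustration; `now` stands in for `block.timestamp`.

```javascript
// Added illustration: a JS model of the two storage layouts, not the RAAC contracts.
// Class names, isFresh() and MAX_AGE are hypothetical; `now` stands in for block.timestamp.
class GlobalTimestampPrices { // layout the finding describes
  constructor() { this.tokenToHousePrice = new Map(); this.lastUpdateTimestamp = 0; }
  setHousePrice(tokenId, amount, now) {
    this.tokenToHousePrice.set(tokenId, amount);
    this.lastUpdateTimestamp = now; // one slot shared by every token
  }
  getLatestPrice(tokenId) {
    return [this.tokenToHousePrice.get(tokenId) ?? 0, this.lastUpdateTimestamp];
  }
}

class PerTokenTimestampPrices { // layout after the recommended change
  constructor() { this.tokenToHousePrice = new Map(); this.tokenLastUpdateTimestamp = new Map(); }
  setHousePrice(tokenId, amount, now) {
    this.tokenToHousePrice.set(tokenId, amount);
    this.tokenLastUpdateTimestamp.set(tokenId, now); // only this token's slot changes
  }
  getLatestPrice(tokenId) {
    return [this.tokenToHousePrice.get(tokenId) ?? 0,
            this.tokenLastUpdateTimestamp.get(tokenId) ?? 0];
  }
}

const DAY = 86400;   // seconds
const MAX_AGE = DAY; // assumed consumer policy: reject prices older than one day

// Consumer-side check: accept a price only if it exists and its timestamp is recent.
function isFresh(oracle, tokenId, now) {
  const [price, updatedAt] = oracle.getLatestPrice(tokenId);
  return price > 0 && now - updatedAt <= MAX_AGE;
}

// Constructed scenario: token 1 priced at t0, token 2 priced 30 days later.
function scenario(oracle) {
  const t0 = 1700000000;
  oracle.setHousePrice(1, 250000, t0);
  oracle.setHousePrice(2, 400000, t0 + 30 * DAY);
  const now = t0 + 30 * DAY + 60;
  return {
    token1Fresh: isFresh(oracle, 1, now),
    token2Fresh: isFresh(oracle, 2, now),
    token1Timestamp: oracle.getLatestPrice(1)[1],
  };
}

console.log("global   :", scenario(new GlobalTimestampPrices()));
console.log("per-token:", scenario(new PerTokenTimestampPrices()));
```

With the shared timestamp, token 1's 30-day-old price passes the one-day age check because token 2's update refreshed the only timestamp; with per-token storage the same check rejects it.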
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
