Submission Details
Severity:
Misleading Price Update Timestamp
Summary
setHousePrice function leads to price missinterpretation since one updated item will say all other prices were also updated.
Vulnerability Details
The `setHousePrice` function can update any tokenId price but it also sets lastUpdateTimestamp so it gives the impression that all token ids were updated too at that timestamp but only one of them was.
function setHousePrice(
uint256 _tokenId,
uint256 _amount
) external onlyOracle {
tokenToHousePrice[_tokenId] = _amount;
lastUpdateTimestamp = block.timestamp;
emit PriceUpdated(_tokenId, _amount);
}
Impact
users will assume that all of the _tokenId were updated at that lastUpdateTimestamp but it was probably not.
Tools Used
Manual
Recommendations
add a mapping for every single tokenId to track their own time of price update.
Updates
Lead Judging Commences
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.