Inconsistent Timestamp Tracking in `RAACHousePrices`
Summary
The RAACHousePrices contract has a design flaw where the lastUpdateTimestamp variable tracks a single timestamp for all token price updates, rather than storing a separate timestamp for each _tokenId. This means that querying getLatestPrice does not return an accurate update time for individual token prices.
Vulnerability Details
Source
Code Snippet
Issue Explanation
-
The
lastUpdateTimestampvariable is a single state variable used for all token updates. -
When
setHousePriceis called for any_tokenId,lastUpdateTimestampis updated globally, meaning that all token IDs appear to have the same last update time. -
This can lead to inaccurate data representation when fetching the price for a specific
_tokenId.
Impact
-
Users querying
getLatestPricecannot determine the actual last update time of a specific token price. -
This could lead to incorrect assumptions about the freshness of pricing data.
-
External systems relying on accurate timestamps for price tracking may be misled.
Tools Used
Manual code review
Recommendation
Refactor the contract to track timestamps on a per-token basis by using a struct:
This ensures that each _tokenId has an independent timestamp for when its price was last updated.
Lead Judging Commences
RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.