Stale Data in Oracle Updates leads to Incorrect Valuations
Summary
The RAACPrimeRateOracle and RAACHousePriceOracle contracts do not enforce data freshness checks, risking the use of stale oracle data for critical financial calculations, leading to incorrect valuations.
Vulnerability Details
Neither contract validates the age of oracle data before using it. RAACPrimeRateOracle tracks lastUpdateTimestamp, but LendingPool does not check it, and RAACHousePriceOracle lacks timestamp tracking, allowing stale prime rates or house prices to be used, potentially from Chainlink or off-chain sources.
Impact
Stale data could lead to incorrect interest rates or collateral valuations, causing undercollateralized loans, unfair liquidations, or mispriced assets, affecting protocol revenue and user fairness.
Tools Used
Manual
Recommendations
Add a MAX_STALE_PERIOD check in LendingPool before using oracle data:
Implement timestamp tracking in RAACHousePriceOracle and validate freshness.
Use Chainlink’s heartbeat or aggregation features to ensure timely updates.
Lead Judging Commences
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.