Submission Details
Severity:
Misleading Timestamp in Price Fetch
Summary
getLatestPrice returns a global timestamp, misleading users about individual token price updates.
Vulnerability Details
This will return the wrong and outdated price for all the houses tokens except for one since lastUpdatedTimestamp updates globally when only one house price is changed.
function getLatestPrice(
uint256 _tokenId
) external view returns (uint256, uint256) {
return (tokenToHousePrice[_tokenId], lastUpdateTimestamp);
}
Impact
The user might think the price of that token id was updated correctly but another token was updated instead and the timestamp shows all items's price were updated.
Tools Used
manual
Recommendations
create and return the correct mapping for each token price and when each one was updated correctly.
Updates
Lead Judging Commences
inallhonesty 3 months ago
Submission Judgement Published Assigned finding tags:
RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
inallhonesty 3 months ago
Submission Judgement Published Assigned finding tags:
RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.