Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

lastUpdateTimestamp should be set for individual NFTs, not at the global level.

Vulnerability Details

The RAACHousePrices contract has a single state variable, lastUpdateTimestamp, which is updated whenever the price of any house NFT is updated.
This creates a problem when fetching the price for a particular token: the call returns lastUpdateTimestamp along with the price, and the calling contract will assume this timestamp belongs to that particular token when in reality it does not.

Impact

LendingPool::getNFTPrice calls RAACHousePrices::getLatestPrice, which returns lastUpdateTimestamp. That timestamp may have been set by an update to some other token, so for our tokenId it is returning a stale price.
This stale price is then used when withdrawing the NFT and when computing the user's health factor, causing unfair liquidation.

Tools Used

Manual Review

Recommendations

lastUpdateTimestamp should be set at the individual NFT level, not at the global level.
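
The recommendation as an added sketch, not the RAAC source and not part of the submission: the shared-timestamp pattern the finding describes, next to per-token tracking and a consumer that rejects stale prices. Only lastUpdateTimestamp and getLatestPrice are names from the page; the contract names, setPrice, PriceData, MAX_AGE and getFreshPrice are assumptions, and access control is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Pattern described in the finding: one timestamp shared by every token.
contract GlobalTimestampPrices {
    mapping(uint256 => uint256) public price;
    uint256 public lastUpdateTimestamp;

    function setPrice(uint256 tokenId, uint256 amount) external {
        price[tokenId] = amount;
        lastUpdateTimestamp = block.timestamp; // refreshes "freshness" for ALL tokens
    }

    function getLatestPrice(uint256 tokenId) external view returns (uint256, uint256) {
        // The timestamp may come from an update to a different token.
        return (price[tokenId], lastUpdateTimestamp);
    }
}

// Recommended shape: the timestamp is stored next to each token's price.
contract PerTokenTimestampPrices {
    struct PriceData { uint256 price; uint256 updatedAt; }
    mapping(uint256 => PriceData) private data;

    function setPrice(uint256 tokenId, uint256 amount) external {
        data[tokenId] = PriceData({price: amount, updatedAt: block.timestamp});
    }

    function getLatestPrice(uint256 tokenId) external view returns (uint256, uint256) {
        PriceData memory d = data[tokenId];
        return (d.price, d.updatedAt);
    }
}

// Consumer-side check; MAX_AGE is an assumed policy value, not from the page.
contract PriceConsumer {
    uint256 public constant MAX_AGE = 1 days;
    PerTokenTimestampPrices public immutable oracle;

    constructor(PerTokenTimestampPrices _oracle) { oracle = _oracle; }

    function getFreshPrice(uint256 tokenId) external view returns (uint256) {
        (uint256 p, uint256 updatedAt) = oracle.getLatestPrice(tokenId);
        require(updatedAt != 0, "price never set");
        require(block.timestamp - updatedAt <= MAX_AGE, "stale price");
        return p;
    }
}
```

With the global variant, the same freshness check would pass for a token whose price was last set long ago, as long as any other token was updated recently.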

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
