Core Contracts

Summary

RAACNFT mint is done with crvUSD and house price is returned in USD thus expecting a crvUSD price of 1 USD which won't be the case during depeg.

Vulnerability Details

Looking on crvUSD price history on [coinmarketcap](https://coinmarketcap.com/currencies/crvusd/), we can see that it is rarely worth exactly 1 USD

US average home price is ~$400k. A 0.5% difference would represents a $2k difference

in RAACNFT::mint

price is the amount to be paid in crvToken by the user.

The price is retrieved from raac_hp.tokenToHousePrice(tokenId)

in RAACHousePrices, tokenToHousePrice mapping is set via the setHousePrice function

As mentionned in the comment, house price is in USD not in crvUSD.

The house price is set by the RAACHousePriceOracle which is likely to be in USD making the comment reliable.

At not point in the flow, the USD value is converted to crvUSD, thus the protocol expects a 1-1 exchange rate between USD and crvUSD.

Impact

Users won't pay the real USD value of the houses price but a crvUSD value which can sometimes be beneficial for the users and sometimes no.

The protocol makes the assumption that crvUSD-USD exchange rate is 1-1 and that it will always remain the same, during peak market volatility the exchange rate impact can be even higher especially considering the low marketcap of crvUSD being only around 74m.

The impact is high and the likelihood is high considering the price history where price is rarely 1-1 between crvUSD and USD

Recommendations

Add another oracle for the crvUSD-USD exchange rate and used the exchange rate in house price calculations for users to spend an amount in crvUSD.