Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Missing Zero Address Check in setOracle: Potential for Oracle Data Loss and Price Staleness

Summary

The RAACHousePrices contract is responsible for managing and providing up-to-date house prices via an external oracle. The contract includes a function setOracle that allows the contract owner to update the oracle address. However, the setOracle function does not include a check to ensure that the provided _oracle address is non-zero. This omission creates a risk where the owner might inadvertently set the oracle address to the zero address, effectively disabling the oracle. Without a valid oracle, price updates will fail, leading to stale or incorrect pricing data across the protocol. This can have significant implications, especially in protocols that rely on accurate price feeds for financial operations such as lending, liquidations, or asset valuations.

Vulnerability Details

How It Begins

The vulnerable setOracle function is implemented as follows:

function setOracle(address _oracle) external onlyOwner {
    // @info: missing zero address check
    oracle = _oracle;
}

Issues Identified:

  • Missing Zero Address Check:
    There is no validation to ensure that _oracle is not the zero address (address(0)). If the zero address is mistakenly provided, the oracle variable will be set to an invalid address.

  • Potential Impact on Price Feeds:
    Once the oracle is set to the zero address, subsequent calls that depend on the oracle for fetching price data will fail or return incorrect values. This can result in stale or missing price information, undermining the protocol's financial operations and user confidence.

Consequences

  • Disabling Price Updates:
    Setting the oracle to the zero address will halt the update of house prices, causing the system to operate on outdated data. This could lead to incorrect valuations and mispricing of assets.

  • Risk of Exploitation:
    Malicious actors might exploit stale price data to manipulate market conditions, potentially impacting lending, liquidations, or other financial operations that rely on accurate price information.

  • Undermining Protocol Trust:
    Stakeholders depend on accurate and timely price data. The inability to update prices due to an invalid oracle can erode trust in the protocol and disrupt overall operations.

Proof of Concept

Scenario Walkthrough

  1. Oracle Update with Zero Address:
    An owner calls the setOracle function with the zero address:

    setOracle(address(0));

    Since there is no check, the oracle variable is set to address(0).

  2. Price Query Failure:
    Later, when the contract attempts to retrieve updated house prices from the oracle, the call fails or returns default/stale data because address(0) is not a valid oracle.

Test Case Example

A Foundry test can demonstrate this vulnerability by deploying the RAACHousePrices contract, calling setOracle with address(0), and verifying that the oracle address is incorrectly set:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test, console} from "forge-std/Test.sol";
import {RAACHousePrices} from "../src/core/primitives/RAACHousePrices.sol";

contract RAACHousePricesTest is Test {
    RAACHousePrices housePrices;
    address OWNER = makeAddr("OWNER");

    function setUp() public {
        vm.startPrank(OWNER);
        // Deploy RAACHousePrices with valid initial parameters
        housePrices = new RAACHousePrices(OWNER);
        vm.stopPrank();
    }

    function testSetOracleWithZeroAddress() public {
        vm.prank(OWNER);
        housePrices.setOracle(address(0));
        // Verify that the oracle is now set to the zero address (which is incorrect)
        assertEq(housePrices.oracle(), address(0));
        console.log("Oracle incorrectly set to zero address.");
    }
}
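
A regression-test counterpart to the proof of concept above, added here as an example and not taken from the RAAC code base or the submission: it models the zero-address guard this report recommends and checks that a rejected call leaves the working oracle in place. `HardenedHousePrices`, `NotOwner` and the test names are hypothetical stand-ins; only `setOracle`, `oracle` and `InvalidAddress` follow the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for RAACHousePrices: only the owner/oracle logic is modelled.
contract HardenedHousePrices {
    address public owner;
    address public oracle;

    error InvalidAddress();
    error NotOwner();

    constructor(address _owner) { owner = _owner; }

    function setOracle(address _oracle) external {
        if (msg.sender != owner) revert NotOwner();
        // Guard recommended by the report: never accept the zero address.
        if (_oracle == address(0)) revert InvalidAddress();
        oracle = _oracle;
    }
}

contract HardenedHousePricesTest is Test {
    HardenedHousePrices housePrices;
    address OWNER = makeAddr("OWNER");   // constructed test addresses
    address ORACLE = makeAddr("ORACLE");

    function setUp() public {
        housePrices = new HardenedHousePrices(OWNER);
        vm.prank(OWNER);
        housePrices.setOracle(ORACLE);
    }

    // The zero address is rejected and the previously configured oracle is kept.
    function testSetOracleRejectsZeroAddress() public {
        vm.expectRevert(HardenedHousePrices.InvalidAddress.selector);
        vm.prank(OWNER);
        housePrices.setOracle(address(0));
        assertEq(housePrices.oracle(), ORACLE);
    }

    // A non-zero replacement is still accepted, so the guard does not block rotation.
    function testSetOracleAcceptsNonZeroAddress() public {
        address next = makeAddr("NEXT_ORACLE");
        vm.prank(OWNER);
        housePrices.setOracle(next);
        assertEq(housePrices.oracle(), next);
    }
}
```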

Impact

  • Price Feed Disruption:
    An oracle set to the zero address will fail to provide updated price data, leading to stale or missing price information.

  • Operational Failures:
    Many protocol functions depend on accurate house prices. Without valid price updates, financial operations (such as lending, liquidations, or auctions) may fail or execute incorrectly.

  • Exploitation Risk:
    Attackers could leverage stale pricing data to manipulate market conditions, potentially causing economic harm.

  • Loss of Stakeholder Confidence:
    Inaccurate or outdated price data undermines trust in the protocol, affecting user participation and overall market stability.

Tools Used

  • Manual Review

  • Foundry

Recommendations

To prevent this vulnerability, update the setOracle function to include a check that ensures the new oracle address is not the zero address. For example:

Proposed Diff for setOracle

function setOracle(address _oracle) external onlyOwner {
+ // Validate that the provided oracle address is not the zero address.
+ if (_oracle == address(0)) revert InvalidAddress();
+ oracle = _oracle;
}
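
Review bot: the `oracle = _oracle;` line is marked `+`, but the same assignment is already in the current function shown earlier in the report, so it should be unchanged context and only the comment and the check are real additions. The check also reverts with `InvalidAddress()`, which is not declared anywhere in the visible lines; the patch should add an `error InvalidAddress();` declaration to the contract unless one already exists outside this hunk.
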
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
