Missing staleness validation in RAACHousePrices#getLatestPrice()
Summary
The getLatestPrice() does not check if the retrieved price is stale. This allows the protocol to rely on outdated price data, which can be exploited to manipulate borrowing and liquidation in dependent contract - LendingPool.
Vulnerability Details
Attack scenario:
Assume an NFT was last priced at 100 ETH.
The oracle stops updating or is manipulated, and the real estate was disappeared.
A malicious user calls
borrow()inLendingPool, which callsgetLatestPrice()to fetch the outdated 100 ETH price.The attacker borrows far more than allowed, leading to bad debt for the protocol.
As seen above, this is only on example and so many vulnerabilities there. Real estate price is safer than others but does not mean maintain forever and even only their price is changed slower than others. But this means it doesn't ignore their stalenesss.
Impact
Severe risk of protocol bad debt: Borrowers over-borrow against outdated prices, leading to insolvency.
Unfair liquidations: Attackers trigger liquidations based on outdated low prices.
If the protocol loses funds due to incorrect price validation, users will not trust the lending system.
Tools Used
manual
Recommendations
To prevent outdated price exploitation, add a staleness check before returning the price.
At least, after a few seconds of lastUpdated, the price can be believable
Lead Judging Commences
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.