Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

getNFTPrice didn't check if the price is stale or not

0xbc000

Summary

The getNFTPrice function is intended to retrieve the NFT price from the oracle and ensure that the price data is fresh. However, while the comment indicates that it “checks if the price is stale,” the function only verifies that the price is non-zero. It does not check the lastUpdateTimestamp, potentially allowing outdated price data to be used.

Vulnerability Details

In file `contracts/core/pools/LendingPool/LendingPool.sol` function getNFTPrice it didn't check the pricce is stale or not as in the comments.

This indicates the following issues

  • Missing Freshness Check:

The function retrieves both the price and lastUpdateTimestamp from the oracle. However, it only checks if the price is non-zero and does not evaluate the lastUpdateTimestamp to determine whether the price data is stale.

  • Inconsistent Documentation:

The comment above the function claims that it performs a staleness check, which misleads developers and auditors regarding its actual behavior.

  • Potential Oracle Data Issues:

Without validating the recency of the data, stale price information might be returned, which can compromise collateral evaluations and other dependent calculations.

/**
* @notice Gets the current price of an NFT from the oracle
* @param tokenId The token ID of the NFT
* @return The price of the NFT
*
* Checks if the price is stale
*/
function getNFTPrice(uint256 tokenId) public view returns (uint256) {
(uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
if (price == 0) revert InvalidNFTPrice();
return price;
}

Impact

Incorrect Collateral Valuation:

Stale price data can lead to inaccurate assessments of an NFT’s value, potentially allowing borrowers to over-leverage their positions.

Liquidation Errors:

Inaccurate collateral valuation may trigger unintended liquidations or prevent proper liquidations when necessary, destabilizing the lending protocol.

Exploitation Risk:

Attackers could potentially manipulate the timing of oracle updates or exploit delays to benefit from outdated pricing, resulting in financial losses for the protocol and its users.

Tools Used

Manuel review

Recommendations

Implement Timestamp Validation:

Update the getNFTPrice function to include a check on the lastUpdateTimestamp. For example, if the timestamp exceeds a predefined threshold (indicating stale data), the function should revert or return an error.

Update Documentation:

Ensure that the comments accurately reflect the implemented logic, clearly stating that the staleness check is performed on the price data, and detail the conditions under which data is considered stale.

Oracle Data Management:

Consider integrating a mechanism that guarantees data freshness from the oracle or provides fallback options if the data is outdated.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!