RAACHousePrices doesn't check or handle stale price
Summary
The codebase will execute with house prices that don't reflect the current pricing resulting in a potential loss of funds for users
Vulnerability Details
in RAACHousePrices, the price is retrieved with getLatestPrice
It also returns the lastUpdateTimestamp.
Latest price is an important value as it is used in core protocol features such as nft minting and calculating users collateral in the lending pool
But lastUpdateTimestamp is never checked and in case of an oracle issue the price could be stale, not reflecting the real current NFT/house value.
Impact
Impact is high as it could cause users to pay more (or less) than current house value for minting an NFT
It could also cause users to have less (or more) collateral than expected thus users being liquidated while having enough collateral or opposite it could create more bad debt than expected in the protocol
Likelihood is low as we can expect the oracle to behave as intended in most cases.
Recommendations
Check when was house prise last updated and handle the case where it was too long ago
Lead Judging Commences
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.