Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

lack of checking requestId when chainlink oracles fulfilling requests

valy001

Summary

when chainlink oracle node fulfilling request, requestId is not check aginst sendRequest, this will result in data mismatch feedings in consective requstings.

Vulnerability Details

Requests are send to chainlink decentralized oracle network to process and fetch offchain prices via BaseCahinlinkFunctionOracle::sendRequest(). A requstId is saved to state variable "s_lastRequestId" to identify different requests. However, this value is not checked when oracles fulfilling requests in BaseChainlinkFunctionsOracle::fulfillRequest(), where in_ _processResponse, data are directly processed.

function fulfillRequest(

bytes32 requestId, //@audit

bytes memory response,

bytes memory err

) internal override {

s_lastResponse = response;

s_lastError = err;

if (err.length == 0) {

if (response.length == 0) {

revert FulfillmentFailed();

}

_processResponse(response);

}

function _processResponse(bytes memory response) internal override {

uint256 price = abi.decode(response, (uint256));

housePrices.setHousePrice(lastHouseId, price);

emit HousePriceUpdated(lastHouseId, price);

}

function _processResponse(bytes memory response) internal override {

lastPrimeRate = abi.decode(response, (uint256));

lastUpdateTimestamp = block.timestamp;

lendingPool.setPrimeRate(lastPrimeRate);

emit PrimeRateUpdated(lastPrimeRate);

}

A major issue could come like this:

RAACHousePriceOracle sent two consecutive requsts to fetch different house's price. The later request was fulfilled firstly while the first request fulfilled sencondly. As a result, prices are assigned to wrong houseId.

Impact

broken oracle reponses process

Tools Used

manual

Recommendations

consider add requstId check when processing response

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Oracle Race Condition in RAACHousePriceOracle causes price misassignment between NFTs

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Oracle Race Condition in RAACHousePriceOracle causes price misassignment between NFTs

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!