`RAACHousePrices` Should Implement Individual `lastUpdateTimestamp` for each `tokenId`.
Summary
RAACHousePrices.setHousePrice() does not check if the price is stale. As a result, a stale price could be used, allowing borrowers to borrow more than they are permitted, which poses a potential risk of fund loss.
Vulnerability Details
The RAACHousePrices.setHousePrice() function is designed to set a specific tokenId's price, but it updates the global variable lastUpdateTimestamp. This approach is flawed. Consequently, if a specific tokenId's price is updated, other tokenIds also appear to have been updated recently. As a result, stale prices could be used for some tokenIds.
Impact
Stale prices could be utilized.
Tools Used
Manual review
Recommendations
Implement individual lastUpdateTimestamp for each tokenId.
Lead Judging Commences
RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.