Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

`RAACHousePrices` holds stale prices for NFTs

Summary

`RAACHousePrices` doesn't track the timestamp of each token's price. It only tracks `lastUpdateTimestamp`, the time of the last updated NFT. Therefore, it doesn't provide a fresh price feed for NFTs.

Vulnerability Details

The current implementation of the `setHousePrice` function sets `lastUpdateTimestamp` to the current `block.timestamp` whenever any price is set. However, it does not maintain an individual update timestamp for each token. As a result, the contract does not accurately reflect the freshness of the price data for a specific token, leading to potential issues with price staleness.

```solidity
function setHousePrice(
    uint256 _tokenId,
    uint256 _amount
) external onlyOracle {
    tokenToHousePrice[_tokenId] = _amount;
    // One shared timestamp, overwritten on every update of any token.
    lastUpdateTimestamp = block.timestamp;
    emit PriceUpdated(_tokenId, _amount);
}
```

Impact

`RAACHousePrices` provides stale prices for NFTs.

Tools Used

Manual Review

Recommendations

Implement a separate timestamp for each token price update.

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops