Lack of `requestID` validation
Summary
The RAACHousePriceOracle._processResponse sets a received price for the lastHouseId house. The problem is the received price can be for the previous house. This can happen when the new request is invoked before the response from the previous request has been received.
Vulnerability Details
The _beforeFulfill function stores the lastHouseId every time the BaseChainlinkFunctionsOracle.sendRequest is invoked.
The oracle response is not a part of the sendRequest transaction. So the response can happen even in several blocks after. So a new sendRequest can rewrite the lastHouseId storage value before the previous request has been received. In this case the pending response will be applied for the new lastHouseId.
Though the BaseChainlinkFunctionsOracle.sendRequest stores the s_lastRequestId variable there is no check if s_lastRequestId == requestId. This makes it possible to apply an incorrect price for a house.
BaseChainlinkFunctionsOracle.sol:
Impact
This issue can cause asset losses due to wrong house prices.
Tools used
Manual Review
Recommendations
There is no good mitigation in the area of the RAACHousePriceOracle. The only simple solution is checking if s_lastRequestId == requestId in the fulfillRequest function.
Lead Judging Commences
Oracle Race Condition in RAACHousePriceOracle causes price misassignment between NFTs
Oracle Race Condition in RAACHousePriceOracle causes price misassignment between NFTs
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.