Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

There is no check to ensure the NFT price is truly the latest price

Summary

getNFTPrice in LendingPool.sol is an important function: it is invoked in many accounting-related calculations. For instance, when a user withdraws a deposited NFT, the returned price is used to check whether the withdrawal would leave the requesting user under-collateralized.

Vulnerability Details

However, there is no check that the price returned for the NFT is reliable. The function receives a lastUpdateTimestamp value from the price oracle call getLatestPrice(tokenId), but never inspects it, so it cannot tell whether the price is actually the latest. The only validation performed is that the returned price is not 0.

```solidity
function getNFTPrice(uint256 tokenId) public view returns (uint256) {
    // lastUpdateTimestamp is received from the oracle but never checked
    (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
    if (price == 0) revert InvalidNFTPrice();
    return price;
}
```

Impact

Oracles can have timing issues and are sometimes delayed or completely down, so it is important to verify that the reported timestamp is recent. During unstable market conditions, or a rush to withdraw all assets, this becomes a serious matter, as every withdrawal would be priced using a stale value. Conversely, outdated oracle pricing could also cause withdrawNFT to revert frequently, since the stale price may make the user appear under-collateralized when they are not.

Tools Used

Manual review

Recommendations

Ensure lastUpdateTimestamp falls within an acceptable window relative to the current block.timestamp before treating the value as the "latest" price, so that stale prices cannot harm users of the protocol.
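As an added illustration of the recommended fix (not code from the audited protocol), the following standalone contract wraps the oracle call shown above with a staleness check. The IPriceOracle interface, MAX_PRICE_AGE window and the StaleNFTPrice / FutureNFTPrice errors are assumptions for this example; only getLatestPrice(tokenId), its two return values and InvalidNFTPrice come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface: mirrors the priceOracle.getLatestPrice(tokenId) call
// in the finding; the real declaration is not on the page.
interface IPriceOracle {
    function getLatestPrice(uint256 tokenId)
        external
        view
        returns (uint256 price, uint256 lastUpdateTimestamp);
}

contract NFTPriceConsumer {
    error InvalidNFTPrice();
    // Hypothetical errors added for this example.
    error StaleNFTPrice(uint256 lastUpdateTimestamp, uint256 maxAge);
    error FutureNFTPrice(uint256 lastUpdateTimestamp);

    IPriceOracle public immutable priceOracle;

    // Hypothetical staleness window; tune it to the oracle's update cadence.
    uint256 public constant MAX_PRICE_AGE = 1 hours;

    constructor(IPriceOracle _priceOracle) {
        priceOracle = _priceOracle;
    }

    function getNFTPrice(uint256 tokenId) public view returns (uint256) {
        (uint256 price, uint256 lastUpdateTimestamp) =
            priceOracle.getLatestPrice(tokenId);

        // Existing check from the finding: a zero price is invalid.
        if (price == 0) revert InvalidNFTPrice();

        // A timestamp ahead of the chain points at a misconfigured oracle;
        // reject it rather than let the subtraction below underflow.
        if (lastUpdateTimestamp > block.timestamp) {
            revert FutureNFTPrice(lastUpdateTimestamp);
        }

        // Reject any price older than the accepted window so that a delayed
        // or halted oracle cannot feed stale values into collateral math.
        if (block.timestamp - lastUpdateTimestamp > MAX_PRICE_AGE) {
            revert StaleNFTPrice(lastUpdateTimestamp, MAX_PRICE_AGE);
        }
        return price;
    }
}
```

Callers such as withdrawNFT then revert explicitly on stale data instead of silently computing collateral ratios from an outdated price.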

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
