Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

The owner cannot set the house price due to wrong modifier usage

Summary

The setHousePrice function in RAACHousePrices.sol is intended to let the owner set the house price for a specific token. It writes the amount passed in directly into the mapping for that tokenId and updates lastUpdateTimestamp.

Vulnerability Details

Unfortunately, the function is guarded by the onlyOracle modifier. The admin address therefore cannot execute the function as intended, because it is not the oracle contract and fails the access check imposed by the wrong modifier.

By contrast, the onlyOwner modifier is used correctly when setting an oracle, as seen in setOracle(), but the same logic is not applied when setting the house price.

```solidity
function setHousePrice(uint256 _tokenId, uint256 amount) external onlyOracle
```

Impact

The owner/admin will never be able to set the house price for a specific token for a specific amount.

Tools Used

Manual review

Recommendations

Enable the functionality to be utilised by the owner/admin as well as the oracle (if required, otherwise owner/admin only).

Use onlyOwner instead of onlyOracle.
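A minimal sketch of the first option (owner as well as oracle), added here as an illustration and not taken from the RAAC code base. The contract name, the storage variable `tokenToHousePrice`, the errors, the events and the `onlyOwnerOrOracle` modifier are assumptions; only `setHousePrice`, `setOracle`, `onlyOwner` and `lastUpdateTimestamp` are named in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Illustrative only: not the project's contract. Names other than
// setHousePrice, setOracle, onlyOwner and lastUpdateTimestamp are assumed.
contract HousePricesSketch {
    address public owner;
    address public oracle;
    mapping(uint256 => uint256) public tokenToHousePrice; // assumed name
    uint256 public lastUpdateTimestamp;

    error NotOwner();
    error NotOwnerOrOracle();
    error ZeroAddress();

    event OracleUpdated(address indexed oracle);
    event PriceUpdated(uint256 indexed tokenId, uint256 amount, address indexed setter);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Hypothetical guard for the price setter: accepts the owner (manual
    // correction) and the configured oracle (automated updates).
    modifier onlyOwnerOrOracle() {
        if (msg.sender != owner && msg.sender != oracle) revert NotOwnerOrOracle();
        _;
    }

    // Only the owner may change which address is trusted as oracle.
    function setOracle(address _oracle) external onlyOwner {
        if (_oracle == address(0)) revert ZeroAddress();
        oracle = _oracle;
        emit OracleUpdated(_oracle);
    }

    // The event records who set the price, so owner overrides stay auditable.
    function setHousePrice(uint256 _tokenId, uint256 amount) external onlyOwnerOrOracle {
        tokenToHousePrice[_tokenId] = amount;
        lastUpdateTimestamp = block.timestamp;
        emit PriceUpdated(_tokenId, amount, msg.sender);
    }
}
```

If only the owner should set prices, replace `onlyOwnerOrOracle` with `onlyOwner` on `setHousePrice`.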

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACHousePrices implementation restricts setHousePrice to oracle only despite documentation stating owner access, preventing manual price corrections during oracle failures
