Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Use of Potentially Stale NFT Prices from Oracle Without Timestamp Validation (Freshness check)

Summary

The getNFTPrice function retrieves NFT pricing data from an oracle but never checks the lastUpdateTimestamp the oracle returns alongside the price, so stale price data can flow directly into collateral evaluations.

Vulnerability Details

In https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/LendingPool/LendingPool.sol#L591

The function extracts both the price and the lastUpdateTimestamp:

(uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);

However, the subsequent logic only verifies that price != 0 and ignores lastUpdateTimestamp entirely. Because the report timestamp is never compared against the current block time, an NFT whose oracle price has not been refreshed for hours or days is valued exactly as if the price were current. The protocol may therefore evaluate collateral against outdated prices whenever the oracle lags or stops updating.

Impact

  • Collateral Misvaluation: Stale NFT prices could lead to either underestimation or overestimation of user collateral. A stale price that is higher than the current market price lets a borrower draw more debt than the collateral now supports (and lets an existing position escape liquidation after a price drop), while a stale price that is lower than the market price can wrongly reduce borrowing capacity or expose a healthy position to liquidation.

Tools Used

Manual Review

Recommendations

Incorporate a freshness check against lastUpdateTimestamp: reject (revert) any price whose age, measured as the difference between the current block time and lastUpdateTimestamp, exceeds a configured maximum, and also reject a lastUpdateTimestamp that lies in the future, so that only recent price data is used for collateral valuation.
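The following is an added example, not code from the RAAC repository: it places the unchecked pattern described in the Vulnerability Details next to a hardened version that applies the recommendation above. The IPriceOracle interface, the MAX_PRICE_AGE value, the error names and the mock oracle are assumptions chosen for illustration; the real contract's names may differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Assumed oracle interface: returns the latest price and the time it was last updated.
interface IPriceOracle {
    function getLatestPrice(uint256 tokenId)
        external
        view
        returns (uint256 price, uint256 lastUpdateTimestamp);
}

/// Unchecked pattern (illustrative): only a zero price is rejected, so a price
/// that was last reported days ago is accepted as if it were current.
contract LendingPoolUnchecked {
    IPriceOracle public immutable priceOracle;

    error InvalidNFTPrice();

    constructor(IPriceOracle oracle) {
        priceOracle = oracle;
    }

    function getNFTPrice(uint256 tokenId) public view returns (uint256) {
        (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
        if (price == 0) revert InvalidNFTPrice();
        // lastUpdateTimestamp is read but never used: staleness goes unnoticed.
        return price;
    }
}

/// Hardened pattern: reject a price older than MAX_PRICE_AGE, and reject a
/// report timestamp from the future, which indicates a misconfigured or
/// malicious oracle rather than a merely stale one.
contract LendingPoolFresh {
    IPriceOracle public immutable priceOracle;

    // Assumed bound; set it from the oracle's actual update cadence plus headroom.
    uint256 public constant MAX_PRICE_AGE = 1 hours;

    error InvalidNFTPrice();
    error StaleNFTPrice(uint256 tokenId, uint256 lastUpdateTimestamp, uint256 maxAge);
    error FuturePriceTimestamp(uint256 tokenId, uint256 lastUpdateTimestamp);

    constructor(IPriceOracle oracle) {
        priceOracle = oracle;
    }

    function getNFTPrice(uint256 tokenId) public view returns (uint256) {
        (uint256 price, uint256 lastUpdateTimestamp) = priceOracle.getLatestPrice(tokenId);
        if (price == 0) revert InvalidNFTPrice();
        // A timestamp ahead of the chain would underflow below; treat it as invalid data.
        if (lastUpdateTimestamp > block.timestamp) {
            revert FuturePriceTimestamp(tokenId, lastUpdateTimestamp);
        }
        // The freshness check the finding asks for.
        if (block.timestamp - lastUpdateTimestamp > MAX_PRICE_AGE) {
            revert StaleNFTPrice(tokenId, lastUpdateTimestamp, MAX_PRICE_AGE);
        }
        return price;
    }
}

/// Constructed mock oracle for exercising both contracts in a Hardhat test:
/// the test sets a price and the timestamp at which it was "reported".
contract MockPriceOracle is IPriceOracle {
    struct Report {
        uint256 price;
        uint256 updatedAt;
    }

    mapping(uint256 => Report) private reports;

    function setPrice(uint256 tokenId, uint256 price, uint256 updatedAt) external {
        reports[tokenId] = Report(price, updatedAt);
    }

    function getLatestPrice(uint256 tokenId) external view returns (uint256, uint256) {
        Report memory r = reports[tokenId];
        return (r.price, r.updatedAt);
    }
}
```

To see the difference, deploy MockPriceOracle and both pools, call setPrice(tokenId, 100e18, block.timestamp - 2 days), and query getNFTPrice on each: LendingPoolUnchecked returns the two-day-old price, LendingPoolFresh reverts with StaleNFTPrice. Choose MAX_PRICE_AGE deliberately: a bound tighter than the oracle's real update interval turns the check into a denial of service for every path that prices collateral, so the protocol should decide which operations (new borrows, liquidations, repayments) must halt on stale data and which may proceed.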

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNFTPrice or getPrimeRate doesn't validate timestamp staleness despite claiming to, allowing users to exploit outdated collateral values during price drops
