Submission Details
Severity:
In the RAACHousePrice the setHousePrice can be used only by the onlyOracle not by the Owner as it is stated in the docs.
Summary
In the RAACHousePrice the setHousePrice can be used only by the onlyOracle not by the Owner as it is stated in the docs.
Vulnerability Details
This is from the docs:
| setHousePrice | ||
|---|---|---|
| Manually sets the price for a token | Owner Only | _tokenId: ID of the token to update _amount: New price for the token |
function setHousePrice(uint256 _tokenId, uint256 _amount) external onlyOracle {
tokenToHousePrice[_tokenId] = _amount;
lastUpdateTimestamp = block.timestamp;
emit PriceUpdated(_tokenId, _amount);
}
As we can see the setHousePrice has the onlyOracle modifier not the onlyOwner
Impact
The owner can not change the HousePrice manually
Tools Used
Recommendations
change the modifier in the setHousePrice()
Updates
Lead Judging Commences
inallhonesty about 1 month ago
Submission Judgement Published Assigned finding tags:
RAACHousePrices implementation restricts setHousePrice to oracle only despite documentation stating owner access, preventing manual price corrections during oracle failures
inallhonesty about 1 month ago
Submission Judgement Published Assigned finding tags:
RAACHousePrices implementation restricts setHousePrice to oracle only despite documentation stating owner access, preventing manual price corrections during oracle failures
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.