The setHousePrice function in the RAAC protocol lacks proper access control: only the oracle can update house prices. This contradicts the documentation, which specifies that the function should be "Owner Only." The missing onlyOwner modifier creates a potential vulnerability when the oracle reports incorrect or stale prices, because nobody else can correct them.
Affected file: contracts/core/primitives/RAACHousePrices.sol (Cyfrin/2025-02-raac, main branch)
The function uses the onlyOracle modifier, which restricts access to the oracle alone. The documentation states that the function should be "Owner Only," yet the contract permits only oracle access, with no owner override capability for manual corrections.
Incorrect or Stale Prices: If the oracle provides incorrect or outdated prices, the owner cannot manually correct them, potentially causing financial discrepancies within the protocol.
Limited Control: The owner's inability to intervene affects the protocol's stability, especially during oracle failures or compromised-oracle scenarios.
Add this Modifier: Replace onlyOracle with an onlyOwnerOrOracle modifier so that both the oracle and the owner can update house prices.
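The following illustrative contract, added here and not taken from the RAAC code base, shows the recommended modifier next to the original oracle-only check. The storage layout, event names, and the OpenZeppelin v5 Ownable constructor are assumptions for the sketch, not the project's actual implementation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/access/Ownable.sol";

// Illustrative sketch (not the RAAC contract): a minimal house-price store
// with the recommended onlyOwnerOrOracle modifier, so the owner can override
// an incorrect or stale oracle value and rotate a compromised oracle.
contract HousePricesExample is Ownable {
    address public oracle;
    mapping(uint256 => uint256) public tokenToHousePrice;   // assumed layout
    mapping(uint256 => uint256) public lastUpdateTimestamp; // assumed layout

    event PriceUpdated(uint256 indexed tokenId, uint256 price, address indexed updatedBy);
    event OracleUpdated(address indexed oldOracle, address indexed newOracle);

    error NotOwnerOrOracle(address caller);

    constructor(address initialOwner, address initialOracle) Ownable(initialOwner) {
        oracle = initialOracle;
    }

    // The owner alone may replace the oracle, which is the recovery path
    // when the oracle is compromised or stops reporting.
    function setOracle(address newOracle) external onlyOwner {
        emit OracleUpdated(oracle, newOracle);
        oracle = newOracle;
    }

    // Before (the finding): only the oracle may write a price, so a bad
    // value cannot be corrected by the owner.
    // modifier onlyOracle() {
    //     require(msg.sender == oracle, "Caller is not the oracle");
    //     _;
    // }

    // After (recommendation): either the owner or the oracle may write.
    modifier onlyOwnerOrOracle() {
        if (msg.sender != owner() && msg.sender != oracle) {
            revert NotOwnerOrOracle(msg.sender);
        }
        _;
    }

    // Emitting the caller lets monitoring distinguish owner corrections
    // from routine oracle updates.
    function setHousePrice(uint256 tokenId, uint256 price) external onlyOwnerOrOracle {
        tokenToHousePrice[tokenId] = price;
        lastUpdateTimestamp[tokenId] = block.timestamp;
        emit PriceUpdated(tokenId, price, msg.sender);
    }
}
```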