Borrower NFT values are checked by calling LendingPool::getNFTPrice, but the function does not check whether the price is stale, because it does not check the lastUpdateTimestamp. If the price is stale, this can lead to unintended effects such as liquidation, or borrowing against collateral whose actual market value is lower.
When calculating the borrower's collateral price, the function LendingPool::getNFTPrice is called to check the price of each tokenId provided, but this function does not check when the oracle last updated the price.
Even though the lastUpdateTimestamp value is received, it is not used.
Without a check for whether the price is stale, the protocol can make wrong assumptions about NFT prices.
The contract does not know whether the price is stale. As a result, a borrower can be liquidated unintentionally because a wrong price is used, if the collateral price is now lower than what the market reflects, or a borrower can borrow an amount with an inaccurate liquidation threshold to cover the new debt.
Manual review
Add a function that gets the latest price and checks when it was last updated. If the last update is older than a certain time threshold, mark the price as stale and request the oracle to update it again.
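
One way to implement the recommended check, as an added Solidity example that is not the audited project's code. The oracle interface, the contract name and the MAX_PRICE_AGE value are assumptions, and this sketch reverts on a stale price rather than requesting an oracle update.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical oracle interface: the finding only states that a price and a
// lastUpdateTimestamp are returned; this name and signature are assumptions.
interface IPriceOracle {
    function getLatestPrice(uint256 tokenId)
        external
        view
        returns (uint256 price, uint256 lastUpdateTimestamp);
}

contract StalenessCheckedPricing {
    IPriceOracle public immutable oracle;

    // Assumed threshold; derive the real value from the oracle's update cadence.
    uint256 public constant MAX_PRICE_AGE = 1 days;

    error PriceNotSet(uint256 tokenId);
    error StalePrice(uint256 tokenId, uint256 lastUpdateTimestamp);

    constructor(IPriceOracle oracle_) {
        oracle = oracle_;
    }

    // Pattern described in the finding: the timestamp is returned but discarded.
    function getNFTPriceUnchecked(uint256 tokenId) public view returns (uint256) {
        (uint256 price, ) = oracle.getLatestPrice(tokenId);
        return price;
    }

    // Hardened form: reject unset, future-dated and too-old prices.
    function getNFTPrice(uint256 tokenId) public view returns (uint256) {
        (uint256 price, uint256 lastUpdateTimestamp) = oracle.getLatestPrice(tokenId);
        if (price == 0) revert PriceNotSet(tokenId);
        if (
            lastUpdateTimestamp > block.timestamp ||
            block.timestamp - lastUpdateTimestamp > MAX_PRICE_AGE
        ) revert StalePrice(tokenId, lastUpdateTimestamp);
        return price;
    }
}
```

Because collateral valuation sums prices across every deposited tokenId, a revert here blocks both borrowing and liquidation for that position until the oracle refreshes, so the threshold should be set with the oracle's worst-case update delay in mind.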