Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Timestamp Tracking Inconsistency in RAACHousePrices Contract

lamsy

Summary

The RAACHousePrices contract is designed to manage house prices associated with RAAC tokens. However, the contract exhibits an inconsistency between its documented intentions and its implementation regarding timestamp tracking. While the documentation claims that the contract "updates timestamp for each token individually" and "returns token-specific update timestamp," the actual implementation uses a single global timestamp (lastUpdateTimestamp) for all tokens.

Vulnerability Details

/**
* @notice Allows the owner to set the house price for a token
* @param _tokenId The ID of the RAAC token
* @param _amount The price to set for the house in USD
*
* Updates timestamp for each token individually <-- This comment is incorrect
*/
function setHousePrice(
uint256 _tokenId,
uint256 _amount
) external onlyOracle {
tokenToHousePrice[_tokenId] = _amount;
//@audit global timestamp is updated for a token
lastUpdateTimestamp = block.timestamp; // <-- Global timestamp
emit PriceUpdated(_tokenId, _amount);
}
/**
* @notice Retrieves the latest price and update timestamp for a given token
* @param _tokenId The ID of the RAAC token
* @return The latest price and the timestamp of the last update
*
* Returns token-specific update timestamp <-- This comment is incorrect
*/
function getLatestPrice(
uint256 _tokenId
) external view returns (uint256, uint256) {
return (tokenToHousePrice[_tokenId], lastUpdateTimestamp);
}

  • The function getLatestPrice(uint256 _tokenId) returns (tokenToHousePrice[_tokenId], lastUpdateTimestamp) , implying that each token should have its individual timestamp.

  • The setHousePrice(uint256 _tokenId, uint256 _amount) function also updates only a single global timestamp (lastUpdateTimestamp) instead of maintaining a separate timestamp per token. this will cause a discrepancy, leading to incorrect timestamp reporting for token-specific price updates.

  • While the oracle is trusted, inaccurate historical tracking can complicate analytics, and on-chain data reconciliation.

Impact

  • It affects data granularity and tracking which may cause incorrect timestamp reporting for integrating protocols and difficulty in auditing price update history

  • No way to determine when a specific token's price was last updated as the timestamp returned might be from a different token's update

Tools Used

  • Manual Code Review

  • Documentation Review and Cross-checking with Implementation

Recommendations

Implement token-specific timestamp tracking

// Add mapping for individual token timestamps
mapping(uint256 => uint256) public tokenLastUpdateTime;
function setHousePrice(uint256 _tokenId, uint256 _amount) external onlyOracle {
tokenToHousePrice[_tokenId] = _amount;
+ tokenLastUpdateTime[_tokenId] = block.timestamp; // Track individual timestamps
emit PriceUpdated(_tokenId, _amount, block.timestamp);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.