`setHousePrice` in RAACHousePrices contract is callable by the oracle instead of the owner, `updatePriceFromOracle` function is not implemented and manual update of the price for a token by the owner is not available.
Summary
The RAAC protocol documentation specifies that:
updatePriceFromOraclefunction should be callable the oracle in order to update the price of a token.setHousePriceshould be callable the owner to manually set the price of a house
The problem arises because the code behaves differently:
no
updatePriceFromOraclefunctionsetHousePricefunction only callable by the oracleNo ability of the owner to manually set the price of a house
Note that the documentation also specifies that the Owner role is "for setting the oracle address and manual price updates".
Vulnerability Details
The issue lies in the fact that the implementation doesn't follow specification (updatePriceFromOracle for oracle price update, setHousePrice for owner price update).
Impact
The impact is low, as it is only a discrepancy between specification and implementation.
Tools Used
Manual review.
Recommendations
Update the documentation to remove the updatePriceFromOracle function and remove information that the owner can manually update the price of a token (if this is not a desired behaviour).
Lead Judging Commences
RAACHousePrices implementation restricts setHousePrice to oracle only despite documentation stating owner access, preventing manual price corrections during oracle failures
RAACHousePrices implementation restricts setHousePrice to oracle only despite documentation stating owner access, preventing manual price corrections during oracle failures
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.