`lastUpdateTimestamp` is common to all token ids in RAACHousePrices contract, leading to wrong returned data.
Summary
The setHousePrice function is implemented as follows:
The problem is that lastUpdateTimestamp storage variable a simple uint256 that represents the last time any of the houses price has been updated. This is incorrect, given that getLatestPrice view function uses this shared value to return the price of a house and the last time this price has been updated:
Vulnerability Details
The issue related to lastUpdateTimestamp will cause external contracts that might call getLatestPrice function in RAACHousePrices contract to receive incorrect return value regarding the last timestamp update of the house it asked the last price.
For now, there is no real consequence because only the lending pool makes call to getLatestPrice and the lastUpdateTimestamp return value is never used. But the protocol is not entirely finished and future external integrations are possible.
Impact
The severity of this issue is medium as it can lead to issues in case of integration with other protocols that would be feed with incorrect data related to the last price update for a specific house.
Tools Used
Manual review
Recommendations
Make sure to track the last update timestamp for each house and use it getLatestPrice, using a mapping for example :
Lead Judging Commences
RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
RAACHousePrices uses a single global lastUpdateTimestamp for all NFTs instead of per-token tracking, causing misleading price freshness data
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.