Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Misleading NatSpec and Ambiguous Access Control in `setHousePrice` Function

johny7173

Summary

The NatSpec documentation for the setHousePrice function incorrectly states that it allows the owner to set the house price for a token, while the implementation restricts access to accounts with the onlyOracle role. This discrepancy creates ambiguity regarding who is authorized to update house prices. Additionally, the function does not verify whether the token exists before updating its price.

Vulnerability Details

NatSpec vs. Implementation Mismatch:
The NatSpec comment describes the function as being callable by the owner:
/**
* @notice Allows the owner to set the house price for a token
* @param _tokenId The ID of the RAAC token
* @param _amount The price to set for the house in USD
*/
However, the function is defined with the onlyOracle modifier:
function setHousePrice(
uint256 _tokenId,
uint256 _amount
) external onlyOracle { ... }
This mismatch leads to confusion about whether the function is intended to be restricted to the owner or to an oracle.

Impact

Access Control Confusion:
Stakeholders might assume that the owner is responsible for setting house prices when, in fact, only an account with the onlyOracle role can perform this operation. This can lead to misconfigurations and potential security gaps if the intended access control is not enforced.

Tools Used

Manual code review

Recommended Mitigation

Clarify the NatSpec Documentation:
If the intended caller is the oracle, update the NatSpec comment to reflect that the function allows the oracle (and not the owner) to set the house price:

/**
* @notice Allows the oracle to set the house price for a token
* @param _tokenId The ID of the RAAC token
* @param _amount The price to set for the house in USD
*
* Updates the timestamp for each token individually.
*/
Review and Adjust Access Control:
Determine the intended role:
- If the owner should set the house price, change the modifier from onlyOracle to onlyOwner.
- If the oracle is intended to set the price, ensure that the documentation and role management are updated accordingly.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

RAACHousePrices implementation restricts setHousePrice to oracle only despite documentation stating owner access, preventing manual price corrections during oracle failures

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

RAACHousePrices implementation restricts setHousePrice to oracle only despite documentation stating owner access, preventing manual price corrections during oracle failures

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!