The ScrvusdOracleV2 update function accepts an array of vault parameters along with a timestamp and block number to compute the new scrvUSD price. However, it does not enforce strict validation or consistency checks on these inputs. This directly affects the price feed, with the potential for immediate risk to funds.
-The function fails to rigorously verify that the supplied vault parameters (such as total supply, idle funds, and debt values) accurately reflect the current vault state.
-It does not enforce that the provided block number and timestamp follow a strictly increasing (monotonic) sequence or fall within an expected time window.
-This gap can allow an actor with the PRICE_PARAMETERS_VERIFIER role to submit manipulated parameters, resulting in an incorrect price update.
The ScrvusdOracleV2 contract's update_price function accepts an array of vault parameters without validating their authenticity or consistency with the actual vault state. This lack of validation allows an attacker with the PRICE_PARAMETERS_VERIFIER role to supply malicious inputs, leading to incorrect price calculations.
An attacker with the PRICE_PARAMETERS_VERIFIER role can call the update_price function with manipulated parameters to artificially inflate the total_debt value, resulting in an inflated scrvUSD price.
In this PoC, the attacker sets an exaggerated total_debt, causing the oracle to compute an inflated scrvUSD price based on these falsified parameters.
-A manipulated scrvUSD price could be exploited in stableswap pools, opening up arbitrage opportunities and potentially draining liquidity providers.
-The overall trust in cross-chain liquidity pools and associated financial products would be undermined.
-Manual Code Review
-Cross-reference with the Solodit Checklist on input validation and state consistency
-ChatGPT o3-mini-high
-Implement rigorous range checks on each element of the input parameter array, ensuring they align with known vault metrics.
-Enforce that block numbers and timestamps are strictly increasing and fall within an acceptable deviation from the previous update.
-Cross-verify input parameters against trusted on-chain vault data or historical snapshots before applying updates.
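Added example, not part of this finding or of the ScrvusdOracleV2 contract: a Python model of the checks recommended above, written from the defender's side. It assumes the oracle keeps the last accepted block number, timestamp and price, derives the price as (total_idle + total_debt) / total_supply, and bounds the per-update price change by a basis-point limit; these assumptions and all helper names are hypothetical.

```python
from dataclasses import dataclass

PRECISION = 10**18  # price scaling, assumed


@dataclass
class OracleState:
    """Last accepted update; assumed bookkeeping, not the contract's own fields."""
    last_block: int
    last_ts: int
    last_price: int  # scrvUSD price scaled by PRECISION


def compute_price(total_idle: int, total_debt: int, total_supply: int) -> int:
    """Simplified vault share price: assets per share, scaled by PRECISION."""
    if total_supply <= 0:
        raise ValueError("total_supply must be positive")
    return (total_idle + total_debt) * PRECISION // total_supply


def validate_update(state: OracleState, total_idle: int, total_debt: int,
                    total_supply: int, ts: int, block_number: int, now: int,
                    max_ts_drift: int, max_price_change_bps: int) -> int:
    """Apply the recommended checks to one update; return the new price or raise."""
    # 1. Block number and timestamp must be strictly increasing.
    if block_number <= state.last_block:
        raise ValueError("block number not strictly increasing")
    if ts <= state.last_ts:
        raise ValueError("timestamp not strictly increasing")
    # 2. Timestamp must sit inside an accepted window relative to the chain's clock.
    if ts > now or now - ts > max_ts_drift:
        raise ValueError("timestamp outside accepted window")
    # 3. Range checks on the vault parameters themselves.
    if total_idle < 0 or total_debt < 0:
        raise ValueError("vault parameters out of range")
    new_price = compute_price(total_idle, total_debt, total_supply)
    # 4. Bound the price move per update, so an inflated total_debt cannot
    #    jump the feed in a single call (assumed deviation check).
    if abs(new_price - state.last_price) * 10_000 > state.last_price * max_price_change_bps:
        raise ValueError("price deviation exceeds allowed bound")
    return new_price


def is_rejected(*args, **kwargs) -> bool:
    """True when validate_update refuses the supplied update."""
    try:
        validate_update(*args, **kwargs)
    except ValueError:
        return True
    return False
```

A production deployment would replace the deviation bound with a cross-check against trusted on-chain vault data, as the third recommendation describes.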