Storage Proofs

Curve

DeFiLayer 1Layer 2

14,723 OP

View results

Previous Next

Submission Details

Severity: high

Invalid

Inadequate Parameter Validation in Oracle Price Update

entrancesun

Summary

The ScrvusdOracleV2 update function accepts an array of vault parameters along with a timestamp and block number to compute the new scrvUSD price. However, it does not enforce strict validation or consistency checks on these inputs. Directly affects the price feed with potential for immediate funds risk.

Vulnerability Details

-The function fails to rigorously verify that the supplied vault parameters (such as total supply, idle funds, and debt values) accurately reflect the current vault state.

-It does not enforce that the provided block number and timestamp follow a strictly increasing (monotonic) sequence or fall within an expected time window.

-This gap can allow an actor with the PRICE_PARAMETERS_VERIFIER role to submit manipulated parameters, resulting in an incorrect price update.

Elaboration

The ScrvusdOracleV2 contract's update_price function accepts an array of vault parameters without validating their authenticity or consistency with the actual vault state. This lack of validation allows an attacker with the PRICE_PARAMETERS_VERIFIER role to supply malicious inputs, leading to incorrect price calculations.

Proof of Concept (PoC):

An attacker with the PRICE_PARAMETERS_VERIFIER role can call the update_price function with manipulated parameters to artificially inflate the total_debt value, resulting in an inflated scrvUSD price.

// Attacker-controlled parameters

uint256[ALL_PARAM_CNT] memory manipulatedParameters = [

/* total_debt */ 1_000_000 ether,

/* total_idle */ 0,

/* total_supply */ 1_000_000 ether,

/* full_profit_unlock_date */ block.timestamp + 1 weeks,

/* profit_unlocking_rate */ 1 ether,

/* last_profit_update */ block.timestamp,

/* balance_of_self */ 0

];

// Attacker calls update_price with manipulated parameters

scrvusdOracleV2.update_price(manipulatedParameters, block.timestamp, block.number);

In this PoC, the attacker sets an exaggerated total_debt, causing the oracle to compute an inflated scrvUSD price based on these falsified parameters.

Impact

-A manipulated scrvUSD price could be exploited in stableswap pools, opening up arbitrage opportunities and potentially draining liquidity providers.

-The overall trust in cross-chain liquidity pools and associated financial products would be undermined.

Tools Used

-Manual Code Review

-Cross-reference with the Solodit Checklist on input validation and state consistency

-Chat GPT o3-mini-high

Recommendations

-Implement rigorous range checks on each element of the input parameter array, ensuring they align with known vault metrics.

-Enforce that block numbers and timestamps are strictly increasing and fall within an acceptable deviation from the previous update.

-Cross-verify input parameters against trusted on-chain vault data or historical snapshots before applying updates.

Updates

Lead Judging Commences

0xnevi Lead Judge

3 months ago

0xnevi Lead Judge 3 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

14,723 OP

Eagles

1,472 OP

nSLOC

394

37 OP / LOC

High Medium

12,700

Low

551

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.