14,723 OP
Submission Details
Severity: high
Invalid

Inadequate Parameter Validation in Oracle Price Update

Summary

The ScrvusdOracleV2 update function accepts an array of vault parameters along with a timestamp and block number to compute the new scrvUSD price. However, it does not enforce strict validation or consistency checks on these inputs. This directly affects the price feed, with potential for immediate risk to funds.

Vulnerability Details

- The function fails to rigorously verify that the supplied vault parameters (such as total supply, idle funds, and debt values) accurately reflect the current vault state.

- It does not enforce that the provided block number and timestamp follow a strictly increasing (monotonic) sequence or fall within an expected time window.

- This gap can allow an actor with the PRICE_PARAMETERS_VERIFIER role to submit manipulated parameters, resulting in an incorrect price update.

Elaboration

The ScrvusdOracleV2 contract's update_price function accepts an array of vault parameters without validating their authenticity or consistency with the actual vault state. This lack of validation allows an attacker with the PRICE_PARAMETERS_VERIFIER role to supply malicious inputs, leading to incorrect price calculations.

Proof of Concept (PoC):

An attacker with the PRICE_PARAMETERS_VERIFIER role can call the update_price function with manipulated parameters to artificially inflate the total_debt value, resulting in an inflated scrvUSD price.

    // Attacker-controlled parameters
    uint256[ALL_PARAM_CNT] memory manipulatedParameters = [
        /* total_debt */ 1_000_000 ether,
        /* total_idle */ 0,
        /* total_supply */ 1_000_000 ether,
        /* full_profit_unlock_date */ block.timestamp + 1 weeks,
        /* profit_unlocking_rate */ 1 ether,
        /* last_profit_update */ block.timestamp,
        /* balance_of_self */ 0
    ];
    // Attacker calls update_price with manipulated parameters
    scrvusdOracleV2.update_price(manipulatedParameters, block.timestamp, block.number);

In this PoC, the attacker sets an exaggerated total_debt, causing the oracle to compute an inflated scrvUSD price based on these falsified parameters.

Impact

- A manipulated scrvUSD price could be exploited in stableswap pools, opening up arbitrage opportunities and potentially draining liquidity providers.

- The overall trust in cross-chain liquidity pools and associated financial products would be undermined.

Tools Used

- Manual Code Review

- Cross-reference with the Solodit Checklist on input validation and state consistency

- ChatGPT o3-mini-high

Recommendations

- Implement rigorous range checks on each element of the input parameter array, ensuring they align with known vault metrics.

- Enforce that block numbers and timestamps are strictly increasing and fall within an acceptable deviation from the previous update.

- Cross-verify input parameters against trusted on-chain vault data or historical snapshots before applying updates.
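
The checks recommended above, written as an off-chain Python reference model. This is an added example, not code from the submission or from ScrvusdOracleV2. The `Snapshot` type, `validate_update`, the thresholds and the vault invariants it relies on are hypothetical assumptions.

```python
from typing import NamedTuple

# Field order follows the PoC's parameter array on this page.
FIELDS = ("total_debt", "total_idle", "total_supply", "full_profit_unlock_date",
          "profit_unlocking_rate", "last_profit_update", "balance_of_self")
# Assumed policy limits (hypothetical; tune per deployment).
MAX_TS_GAP = 7 * 24 * 3600    # widest accepted gap between updates, in seconds
MAX_ASSET_DRIFT_BPS = 500     # max change in total assets vs. last snapshot (5%)
UINT256_MAX = 2**256 - 1

class Snapshot(NamedTuple):
    params: tuple
    ts: int
    block_number: int

def validate_update(prev, params, ts, block_number):
    """Return the violated checks; an empty list means the update is acceptable."""
    if len(params) != len(FIELDS):
        return ["wrong parameter count"]
    errors = []
    if any(not 0 <= v <= UINT256_MAX for v in (*params, ts, block_number)):
        errors.append("value outside uint256 range")
    # Ordering: both counters must move forward, and time must stay in the window.
    if block_number <= prev.block_number:
        errors.append("block number not strictly increasing")
    if ts <= prev.ts:
        errors.append("timestamp not strictly increasing")
    elif ts - prev.ts > MAX_TS_GAP:
        errors.append("timestamp outside allowed window")
    # Internal consistency of the submitted values (assumed vault invariants).
    p, old = dict(zip(FIELDS, params)), dict(zip(FIELDS, prev.params))
    if p["last_profit_update"] > ts:
        errors.append("last_profit_update in the future")
    if p["total_supply"] == 0 or p["balance_of_self"] > p["total_supply"]:
        errors.append("inconsistent share supply")
    # Range check against the last accepted snapshot (assets = debt + idle, assumed).
    old_assets = old["total_debt"] + old["total_idle"]
    new_assets = p["total_debt"] + p["total_idle"]
    if abs(new_assets - old_assets) * 10_000 > old_assets * MAX_ASSET_DRIFT_BPS:
        errors.append("total assets drift exceeds limit")
    return errors

# Constructed sample data (not taken from any real vault).
E = 10**18
SAMPLE_PREV = Snapshot((900_000 * E, 100_000 * E, 950_000 * E, 1_700_600_000,
                        0, 1_700_000_000, 0), ts=1_700_000_000, block_number=100)
SAMPLE_GOOD = (910_000 * E, 100_000 * E, 955_000 * E, 1_700_700_000,
               0, 1_700_003_600, 0)
```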

Updates

Lead Judging Commences

0xnevi Lead Judge
3 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
