The ScrvusdVerifierV1
contract uses block timestamps from the block header and state proofs to update oracle prices. However, an attacker can manipulate the timestamp under certain conditions:
In verifyScrvusdByStateRoot
, the timestamp is derived from params[5]
, which corresponds to last_profit_update
. Since this value is extracted from the state proof, an attacker could supply an outdated or forged proof to influence the oracle update time.
In verifyScrvusdByBlockHash
, the timestamp is taken from the RLP-decoded block header. If the block hash oracle is not securely validated, an attacker with miner influence (e.g., MEV or private transactions) could submit a block with an altered timestamp.
An attacker could:
Submit an outdated or manipulated state proof with a fake last_profit_update
timestamp, causing the oracle to accept incorrect historical data.
Use timestamp discrepancies to delay or accelerate price updates, leading to arbitrage opportunities or incorrect liquidations.
If the block hash oracle is not properly secured, miners or privileged actors could submit blocks with skewed timestamps to manipulate price updates.
Oracle Desynchronization: Price updates can be based on incorrect timestamps, leading to invalid data.Arbitrage & Liquidation Attacks: Attackers can delay or accelerate price updates, exploiting DeFi protocols reliant on this data.Data Corruption: Historical price records may become inconsistent or manipulated, impacting protocol integrity.
Strictly validate timestamps by enforcing limits on how old or future a timestamp can be.
Cross-check params[5]
against real block timestamps to ensure consistency.
Enhance
- See [here]([https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle)](https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle) on how it is used to verify storage variable - All state roots and proofs must be verified by the OOS `StateProofVerifier` inherited as `Verifier` (where the price values and params are extracted), so there is no proof that manipulating timestamp/inputs can affect a price update - It is assumed that the OOS prover will provide accurate data and the OOS verifier will verify the prices/max unlock time to be within an appropriate bound/values - There is a account existance check in L96 of `ScrvusdVerifierV1.sol`, in which the params for price updates are extracted from
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.