DeFiLayer 1Layer 2
14,723 OP
View results
Submission Details
Severity: medium
Invalid

Timestamp Manipulation Risk in ScrvusdVerifierV1

Summary

https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/verifiers/ScrvusdVerifierV1.sol#L71

The ScrvusdVerifierV1 contract uses block timestamps from the block header and state proofs to update oracle prices. However, an attacker can manipulate the timestamp under certain conditions:

Vulnerability Details

function verifyScrvusdByStateRoot(
uint256 _block_number,
bytes memory _proof_rlp
) external returns (uint256) {
bytes32 state_root = IBlockHashOracle(BLOCK_HASH_ORACLE).get_state_root(_block_number);
uint256[PARAM_CNT] memory params = _extractParametersFromProof(state_root, _proof_rlp);
// Use last_profit_update as the timestamp surrogate
return _updatePrice(params, params[5], _block_number);
}

In verifyScrvusdByStateRoot, the timestamp is derived from params[5], which corresponds to last_profit_update. Since this value is extracted from the state proof, an attacker could supply an outdated or forged proof to influence the oracle update time.

In verifyScrvusdByBlockHash, the timestamp is taken from the RLP-decoded block header. If the block hash oracle is not securely validated, an attacker with miner influence (e.g., MEV or private transactions) could submit a block with an altered timestamp.

An attacker could:

Submit an outdated or manipulated state proof with a fake last_profit_update timestamp, causing the oracle to accept incorrect historical data.

Use timestamp discrepancies to delay or accelerate price updates, leading to arbitrage opportunities or incorrect liquidations.

If the block hash oracle is not properly secured, miners or privileged actors could submit blocks with skewed timestamps to manipulate price updates.

Impact

Oracle Desynchronization: Price updates can be based on incorrect timestamps, leading to invalid data.Arbitrage & Liquidation Attacks: Attackers can delay or accelerate price updates, exploiting DeFi protocols reliant on this data.Data Corruption: Historical price records may become inconsistent or manipulated, impacting protocol integrity.

Tools Used

Recommendations

Strictly validate timestamps by enforcing limits on how old or future a timestamp can be.

Cross-check params[5] against real block timestamps to ensure consistency.

Enhance

Updates

Lead Judging Commences

0xnevi Lead Judge
3 months ago
0xnevi Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

[invalid] finding-missing-proof-content-validation

- See [here]([https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle)](https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle) on how it is used to verify storage variable - All state roots and proofs must be verified by the OOS `StateProofVerifier` inherited as `Verifier` (where the price values and params are extracted), so there is no proof that manipulating timestamp/inputs can affect a price update - It is assumed that the OOS prover will provide accurate data and the OOS verifier will verify the prices/max unlock time to be within an appropriate bound/values - There is a account existance check in L96 of `ScrvusdVerifierV1.sol`, in which the params for price updates are extracted from

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.