Summary

https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/verifiers/ScrvusdVerifierV1.sol#L71

The ScrvusdVerifierV1 contract uses block timestamps from the block header and state proofs to update oracle prices. However, an attacker can manipulate the timestamp under certain conditions:

Vulnerability Details

In verifyScrvusdByStateRoot, the timestamp is derived from params[5], which corresponds to last_profit_update. Since this value is extracted from the state proof, an attacker could supply an outdated or forged proof to influence the oracle update time.

In verifyScrvusdByBlockHash, the timestamp is taken from the RLP-decoded block header. If the block hash oracle is not securely validated, an attacker with miner influence (e.g., MEV or private transactions) could submit a block with an altered timestamp.

An attacker could:

Submit an outdated or manipulated state proof with a fake last_profit_update timestamp, causing the oracle to accept incorrect historical data.

Use timestamp discrepancies to delay or accelerate price updates, leading to arbitrage opportunities or incorrect liquidations.

If the block hash oracle is not properly secured, miners or privileged actors could submit blocks with skewed timestamps to manipulate price updates.

Impact

Oracle Desynchronization: Price updates can be based on incorrect timestamps, leading to invalid data.Arbitrage & Liquidation Attacks: Attackers can delay or accelerate price updates, exploiting DeFi protocols reliant on this data.Data Corruption: Historical price records may become inconsistent or manipulated, impacting protocol integrity.

Tools Used

Recommendations

Strictly validate timestamps by enforcing limits on how old or future a timestamp can be.

Cross-check params[5] against real block timestamps to ensure consistency.

Enhance