Lack of Replay Protection
Summary
IScrvusdOracleV2(SCRVUSD_ORACLE).update_profit_max_unlock_time(period, block_header.number);
No mechanism prevents replaying an old valid proof from a past block.
If
profit_max_unlock_timedecreases, an attacker can submit an old proof to set it back.
Potential Exploit
Suppose in block 1000, the correct
profit_max_unlock_timewas 100.Later, at block 2000,
profit_max_unlock_timeincreases to 500.An attacker replays the proof from block 1000, setting
profit_max_unlock_timeback to 100.
Vulnerability Details
Impact
Tools Used
Recommendations
Add block age constraints to prevent submitting very old proofs.
Require a monotonically increasing
profit_max_unlock_time.Store verified block numbers and reject proofs from lower blocks.
Lead Judging Commences
[invalid] finding-replay-proof-lack-nonce
- All proof generated within `_proof_rlp` is generated via the off-chain prover, so there is no concrete proof that this proofs are non-unique. - All state roots and proofs must be verified by the OOS `StateProofVerifier` inherited as `Verifier`, so there is no proof that manipulating proofs can successfully pass a price update
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.