PERIOD_SLOT Value Extraction Can Be Manipulated
Summary
Lack of Validation on Extracted Slot Value
require(slot.exists); return slot.value;
The contract does not check if
slot.valueis within a reasonable range.A malicious state proof could trick the contract into setting an arbitrary period.
Potential Exploit
-
Attacker constructs a fake state proof where
slot.value = 2^256 - 1, causing integer overflow issues. -
If the downstream contract relies on
profit_max_unlock_timefor financial calculations, this could lead to:Funds being locked permanently.
Mispriced assets in DeFi protocols.
Vulnerability Details
Impact
Tools Used
Recommendations
-
Add upper and lower bounds on extracted values:
require(slot.value > 0 && slot.value < MAX_PERIOD, "Invalid period value"); -
Use timestamp checks if the value represents a time-based parameter.
Lead Judging Commences
[invalid] finding-missing-proof-content-validation
- See [here]([https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle)](https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle) on how it is used to verify storage variable - All state roots and proofs must be verified by the OOS `StateProofVerifier` inherited as `Verifier` (where the price values and params are extracted), so there is no proof that manipulating timestamp/inputs can affect a price update - It is assumed that the OOS prover will provide accurate data and the OOS verifier will verify the prices/max unlock time to be within an appropriate bound/values - There is a account existance check in L96 of `ScrvusdVerifierV1.sol`, in which the params for price updates are extracted from
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.