Submission Details
Severity: medium
Invalid

Incorrect Storage Slot Assumptions in Verifiers

Summary

If the storage slots defined in the verifier contracts don't match the actual storage layout of the scrvUSD vault on Ethereum, the system would extract incorrect values, leading to manipulated prices.

Vulnerability Details

In the ScrvusdVerifierV1.sol#L32-L40 contract, storage slots are hardcoded:

    uint256[PROOF_CNT] internal PARAM_SLOTS = [
        uint256(0), // filler for account proof
        uint256(21), // total_debt
        uint256(22), // total_idle
        uint256(20), // totalSupply
        uint256(38), // full_profit_unlock_date
        uint256(39), // profit_unlocking_rate
        uint256(40), // last_profit_update
        uint256(keccak256(abi.encode(18, SCRVUSD))) // balanceOf(self)
    ];

Similarly, in ScrvusdVerifierV2.sol#L19:

    uint256 internal PERIOD_SLOT = 37; // profit_max_unlock_time

Impact

When the verifier extracts parameters from storage proofs: ScrvusdVerifierV1#L101-L105

    // Extract value from storage proof
    Verifier.SlotValue memory slot = Verifier.extractSlotValueFromProof(
        keccak256(abi.encode(PARAM_SLOTS[i])), // Slot location key
        account.storageRoot, // Storage root for verification
        proofs[i].toList() // Proof data
    );

If these slot numbers don't match the actual storage layout, the extracted values will be incorrect but will still pass verification, because the proof is technically valid; it is just proving the wrong data.

Reasons This Could Happen

  1. If the scrvUSD vault on Ethereum is upgraded and its storage layout changes

  2. If the hardcoded slot numbers were incorrect from the beginning

  3. If multiple versions of scrvUSD exist with different storage layouts

Impact on Oracle Price

Since the ScrvusdOracleV2 relies on these parameters to calculate prices: ScrvusdOracleV2#L315-L322

    self.price_params = PriceParams(
        total_debt=_parameters[0],
        total_idle=_parameters[1],
        total_supply=_parameters[2],
        full_profit_unlock_date=_parameters[3],
        profit_unlocking_rate=_parameters[4],
        last_profit_update=_parameters[5],
        balance_of_self=_parameters[6],
    )

Incorrect parameter values would lead to inaccurate price calculations. This could result in:

  1. Mispriced assets in stableswap pools

  2. Potential exploitation through arbitrage

  3. Loss of funds for liquidity providers

Users must trust that the storage slot mapping is correct and remains correct over time.

Recommendations

Validating the storage layout of the live scrvUSD contract and updating the slot numbers in verifiers to match would address the vulnerability.

Consider implementing a validation mechanism in the verifier that can detect if expected values fall outside reasonable bounds, which could provide an additional layer of security against using incorrect storage slots.
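The bounds validation recommended above, written as an added Python example (it is not code from the submission or from the project's contracts). The field names follow the oracle's PriceParams; the invariants, the two limits, and the sample values are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed limits, not taken from the contracts on this page.
MAX_AMOUNT = 2**128 - 1          # an address or hash read as an amount exceeds this
MAX_UNLOCK_WINDOW = 31_556_952   # one year in seconds, assumed cap on the unlock period

@dataclass
class PriceParams:
    total_debt: int
    total_idle: int
    total_supply: int
    full_profit_unlock_date: int
    profit_unlocking_rate: int
    last_profit_update: int
    balance_of_self: int

def check_params(p: PriceParams, block_timestamp: int) -> list[str]:
    """Return the violated invariants; an empty list means the values are plausible."""
    errs = []
    for name in ("total_debt", "total_idle", "total_supply", "balance_of_self"):
        if getattr(p, name) > MAX_AMOUNT:
            errs.append(f"{name} exceeds amount ceiling")
    if p.total_supply == 0:
        errs.append("total_supply is zero")
    if p.balance_of_self > p.total_supply:
        errs.append("balance_of_self > total_supply")
    if not 0 < p.last_profit_update <= block_timestamp:
        errs.append("last_profit_update not in (0, block_timestamp]")
    if p.full_profit_unlock_date != 0:  # zero is assumed to mean "nothing locked"
        delta = p.full_profit_unlock_date - p.last_profit_update
        if not 0 <= delta <= MAX_UNLOCK_WINDOW:
            errs.append("full_profit_unlock_date outside unlock window")
    return errs

# Constructed sample values, not read from any chain.
NOW = 1_740_000_000
GOOD = PriceParams(0, 5 * 10**24, 48 * 10**23, NOW + 3 * 86400,
                   10**20, NOW - 3600, 2 * 10**22)
# The same state as it would look if every hardcoded slot landed one variable early:
# each field holds its neighbour's value (total_supply and balance_of_self arbitrary).
SHIFTED = PriceParams(48 * 10**23, 0, 0, 7 * 86400,
                      NOW + 3 * 86400, 10**20, 0)

if __name__ == "__main__":
    print("good:", check_params(GOOD, NOW))
    print("shifted:", check_params(SHIFTED, NOW))
```

A check like this cannot prove the slots are right, only catch mappings that are wrong enough to break type-level expectations, such as a timestamp field receiving a rate.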

Updates

Lead Judging Commences

0xnevi Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

[invalid] finding-upgradeable-verifier-contracts

Invalid,

- srCRVUSD is a minimal proxy, meaning it can never be upgraded, see [here](https://www.cyfrin.io/blog/upgradeable-proxy-smart-contract-pattern#:~:text=Minimal%20proxies%20are%20distinct%20from,provide%20upgrade%20or%20authorization%20functionality.) and [here](https://www.rareskills.io/post/eip-1167-minimal-proxy-standard-with-initialization-clone-pattern) for more info.
- Even if srcrvUSD is migrated in the future via a new minimal proxy contract deployment (which is highly unlikely), the verifier contracts can be migrated along with it via revoking the access-control within the `ScrvusdOracleV2.vy` and then granting access to a new oracle. This is also not within the scope of this contest.
