The ScrvusdVerifier contracts demonstrate inadequate validation of timestamps used in oracle updates, potentially allowing manipulation of price data through inaccurate temporal references.
In the verifyScrvusdByStateRoot
function of ScrvusdVerifierV1, the contract uses a storage parameter as a timestamp surrogate without proper validation:
The issue is that params[5]
represents last_profit_update
from the scrvUSD contract's storage, which is being used as the timestamp for the oracle update. This parameter is:
Extracted directly from the provided proof without verification
Not validated against any time boundaries
Not checked for consistency with the block's actual timestamp
Additionally, the contract fails to ensure the timestamp is recent enough or not set in the future, nor does it compare this value with the actual timestamp from the block being referenced.
This vulnerability could allow an attacker to:
Submit proofs with manipulated timestamp data
Cause oracle updates to use incorrect temporal references
Potentially influence price calculations that depend on time-weighted values
Create opportunities for arbitrage by exploiting temporal inconsistencies in price data
The severity depends on how the Oracle contract uses this timestamp in its price calculations, but it represents a significant risk to the integrity of time-sensitive price data.
Add Timestamp Boundary Checks:
Use Block Header Timestamp When Available:
In the verifyScrvusdByBlockHash
function, the block header timestamp is available and should be preferred over storage parameters
Cross-validate Time Parameters:
Compare timestamp with other temporal indicators (block number, etc.)
Implement consistency checks between multiple time-related parameters
Time Window Requirements:
Define explicit time windows during which updates are valid
Reject updates with timestamps outside acceptable ranges
By implementing these recommendations, the contract would significantly reduce the risk of timestamp manipulation and improve the temporal integrity of the oracle system.
- See [here]([https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle)](https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle) on how it is used to verify storage variable - All state roots and proofs must be verified by the OOS `StateProofVerifier` inherited as `Verifier` (where the price values and params are extracted), so there is no proof that manipulating timestamp/inputs can affect a price update - It is assumed that the OOS prover will provide accurate data and the OOS verifier will verify the prices/max unlock time to be within an appropriate bound/values - There is a account existance check in L96 of `ScrvusdVerifierV1.sol`, in which the params for price updates are extracted from
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.