Lack of Input Validation on External Calls
Summary
Vulnerability Details
Functions like update_price() and update_profit_max_unlock_time() do not properly validate inputs, which can lead to incorrect calculations or unexpected behavior.
example:
_parameters should have explicit range checks (e.g., ensuring nonzero values for total supply).
_ts should be checked against block.timestamp to avoid future timestamps.
_block_number should be validated to prevent invalid updates.
Impact
Attackers could provide malicious values to corrupt the oracle's price feed, leading to financial losses.
Recommendations
Add explicit range checks for _parameters, _ts, and _block_number.
Lead Judging Commences
[invalid] finding-missing-proof-content-validation
- See [here]([https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle)](https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle) on how it is used to verify storage variable - All state roots and proofs must be verified by the OOS `StateProofVerifier` inherited as `Verifier` (where the price values and params are extracted), so there is no proof that manipulating timestamp/inputs can affect a price update - It is assumed that the OOS prover will provide accurate data and the OOS verifier will verify the prices/max unlock time to be within an appropriate bound/values - There is a account existance check in L96 of `ScrvusdVerifierV1.sol`, in which the params for price updates are extracted from
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.