Storage Proofs

Curve

DeFiLayer 1Layer 2

14,723 OP

View results

Previous Next

Submission Details

Severity: high

Invalid

Unauthorized Access to Critical Functions

richyikejiaku

Summary

Unauthorized Access to Critical Functions

Vulnerability Details

Functions like update_price(), set_max_price_increment(), and set_max_v2_duration() require specific roles using:

access_control._check_role(PRICE_PARAMETERS_VERIFIER, msg.sender)

However, if the admin role is compromised, an attacker can:

Grant themselves verifier roles.
Manipulate oracle values
Drain the system of assets

Impact

A single compromised admin key can destroy the oracle's reliability.

Tools Used

Recommendations

Implement multi-signature approvals for role-based functions.

Consider timelocks on role changes.

Updates

Lead Judging Commences

0xnevi Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

[invalid] finding-centralization-risk

- Per [codehawks documentation](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid) - Parameter change is executed via the Dao per docs > Also, it is worth noting that the oracle is controlled by a DAO and its parameters can be changed by a vote.

Prize pool breakdown

Total prize

14,723 OP

Eagles

1,472 OP

nSLOC

394

37 OP / LOC

High Medium

12,700

Low

551

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.