Storage Proofs

Curve

DeFiLayer 1Layer 2

14,723 OP

View results

Previous Next

Submission Details

Severity: high

Invalid

The ScrvusdVerifierV2 contract is unusable due to access control in update_profit_max_unlock_time.

triangulum

Summary

The ScrvusdVerifierV2 contract is unusable due to access control in update_profit_max_unlock_time which is callable by UNLOCK_TIME_VERIFIER only. This is due to the fact that both the functions in ScrvusdVerifierV2 contract viz. function verifyPeriodByBlockHash as well as the function verifyPeriodByStateRoot call update_profit_max_unlock_time in ScrvusdOracleV2 contract.

Vulnerability Details

The function verifyPeriodByBlockHash and the function verifyPeriodByStateRoot in ScrvusdVerifierV2.sol use call to update_profit_max_unlock_time. However, update_profit_max_unlock_time is access controlled and is callable by UNLOCK_TIME_VERIFIER only, in the ScrvusdOracleV2.sol. This interlock makes the ScrvusdVerifierV2 contract unusable.

https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/verifiers/ScrvusdVerifierV2.sol#L38

return IScrvusdOracleV2(SCRVUSD_ORACLE).update_profit_max_unlock_time(period, block_header.number);

https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/verifiers/ScrvusdVerifierV2.sol#L50

return IScrvusdOracleV2(SCRVUSD_ORACLE).update_profit_max_unlock_time(period, _block_number);

https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/oracles/ScrvusdOracleV2.vy#L334-L341

def update_profit_max_unlock_time(_profit_max_unlock_time: uint256, _block_number: uint256) -> bool:

"""

@notice Update price using `_parameters`

@param _profit_max_unlock_time New `profit_max_unlock_time` value

@param _block_number Block number of parameters to linearize updates

@return Boolean whether value changed

"""

access_control._check_role(UNLOCK_TIME_VERIFIER, msg.sender) #@audit access controlled.

Impact

Both the functions verifyPeriodByBlockHash and verifyPeriodByStateRoot
in the ScrvusdVerifierV2.sol use update_profit_max_unlock_time
which is callable by UNLOCK_TIME_VERIFIER only, resulting in ScrvusdVerifierV2 unusable.

Tools Used

Manual review

Recommendations

Consider including appropriate access control in ScrvusdVerifierV2 contract and allowing calls from ScrvusdVerifierV2 contract to access update_profit_max_unlock_time in addition to the present access by UNLOCK_TIME_VERIFIER.

Updates

Lead Judging Commences

0xnevi Lead Judge

6 months ago

0xnevi Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

14,723 OP

Eagles

1,472 OP

nSLOC

394

37 OP / LOC

High Medium

12,700

Low

551

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.