Submission Details
Severity: high
Invalid

Missing Access Controls on Critical Oracle Functions Leading to Unauthorized Price Manipulation

Summary

Critical functions in ScrvusdVerifierV1 and ScrvusdVerifierV2 (e.g., verifyScrvusdByBlockHash, verifyScrvusdByStateRoot, and their V2 counterparts) lack access controls. These functions are declared as external without role-based restrictions, allowing any Ethereum address to trigger oracle updates.

Vulnerability Details

Affected Functions

The following functions in ScrvusdVerifierV1 and ScrvusdVerifierV2 lack access controls, allowing any Ethereum address to invoke them:

ScrvusdVerifierV1:

```
function verifyScrvusdByBlockHash(...) external { ... }
function verifyScrvusdByStateRoot(...) external { ... }
```

ScrvusdVerifierV2:

```
function verifyPeriodByBlockHash(...) external { ... }
function verifyPeriodByStateRoot(...) external { ... }
```

**Vulnerability Mechanism**

  • Public Exposure: These functions are declared as external but lack modifiers (e.g., onlyRole) to restrict access.

  • Malicious Inputs: Attackers can submit forged _proof_rlp to manipulate critical parameters (e.g., total_supply, profit_max_unlock_time).

  • Example Attack Flow:

    1. Attacker crafts a fake proof claiming total_supply = 0.

    2. Calls verifyScrvusdByBlockHash with the malicious proof.

    3. Oracle updates with invalid parameters, causing division-by-zero errors in price calculations.

Impact

  • Severity: Critical

    • Direct Oracle Manipulation: Malicious actors can arbitrarily set parameters like total_debt, total_supply, or profit_max_unlock_time.

    • Denial of Service (DoS): Forcing profit_max_unlock_time = 0 crashes the oracle.

    • Financial Loss: Incorrect prices lead to flawed liquidations, lending rates, or stablecoin redemptions.

Tools Used

Manual review

Recommendations

  1. Restrict Function Access:

    • Only authorized addresses (e.g., trusted oracles) should trigger price/parameter updates. Use role-based permissions (e.g., PRICE_VERIFIER_ROLE).
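
When triaging a finding like this one, the check that matters is whether a caller holding no role can get a forged value (the total_supply = 0 case in the attack flow) accepted by the update path. The following is an added example, not the project's code and not part of the submission; the toy SHA-256 Merkle tree, `Oracle`, `verify_and_update` and the sample values are assumptions standing in for the RLP proof and a trusted block hash or state root.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(name: str, value: int) -> bytes:
    return _h(b"\x00" + name.encode() + value.to_bytes(32, "big"))

def build_tree(params: dict):
    """Return (root, {name: proof}); proof = [(sibling, sibling_is_left), ...]."""
    names = sorted(params)
    level = [leaf_hash(n, params[n]) for n in names]
    pos = {n: i for i, n in enumerate(names)}
    proofs = {n: [] for n in names}
    while len(level) > 1:
        if len(level) % 2:  # pad odd levels (acceptable for a toy tree only)
            level.append(level[-1])
        for n in names:
            i = pos[n]
            proofs[n].append((level[i ^ 1], i % 2 == 1))
            pos[n] = i // 2
        level = [_h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], proofs

def verify(root: bytes, name: str, value: int, proof) -> bool:
    acc = leaf_hash(name, value)
    for sibling, sibling_is_left in proof:
        acc = _h(b"\x01" + (sibling + acc if sibling_is_left else acc + sibling))
    return acc == root

class Oracle:
    def __init__(self, trusted_root: bytes):
        self.trusted_root, self.params = trusted_root, {}
    def verify_and_update(self, caller: str, name: str, value: int, proof) -> None:
        # No role check on `caller`: only the proof authenticates the value.
        if not verify(self.trusted_root, name, value, proof):
            raise ValueError("proof does not match trusted root")
        self.params[name] = value

# Constructed sample state; its root stands in for a trusted state root.
STATE = {"total_debt": 900, "total_supply": 1000, "profit_max_unlock_time": 604800}
def forged_update_accepted() -> bool:
    root, proofs = build_tree(STATE)
    oracle = Oracle(root)
    oracle.verify_and_update("0xanyone", "total_supply", 1000, proofs["total_supply"])
    try:  # same proof, forged value, arbitrary caller
        oracle.verify_and_update("0xattacker", "total_supply", 0, proofs["total_supply"])
    except ValueError:
        return False
    return True
```

If the forged update is accepted in the real contract's equivalent of this test, caller restrictions are the missing control; if it is rejected, the proof check is the control and the caller's identity is not security-relevant.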

Updates

Lead Judging Commences

0xnevi Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
