DeFiLayer 1Layer 2
14,723 OP
View results
Submission Details
Severity: high
Invalid

The update_price and functions do not validate the input parameters

Summary

A lack of input validation in the update_price functions in ScrvusdOracleV2.vy. This issue could allow incorrect or malicious data to be processed, potentially affecting the integrity of the contract's operations.

Vulnerability Details

1. Lack of Input Validation in update_price Function

  • Description: The update_price function does not properly validate the _parameters array before assigning its values to the price_params struct. This could allow invalid or manipulated values to be stored, affecting price calculations and potentially leading to incorrect share valuations.

  • Affected Code:

@external
def update_price(
_parameters: uint256[ALL_PARAM_CNT], _ts: uint256, _block_number: uint256
) -> uint256:

Potential Exploits:

  • An attacker could provide malformed data in _parameters, leading to incorrect total supply, debt, or profit unlocking rate.

  • If the values cause an integer overflow, it could disrupt the expected behavior of the contract.

Impact

  • A malicious or faulty input could cause incorrect calculations, leading to an inaccurate share price.

  • This could destabilize integrations relying on the Oracle.

  • Attackers may manipulate block numbers to introduce inconsistencies in price calculations.

Tools Used

Manual Review

Recommendations

  • Set reasonable lower and upper bounds for the update_price

  • Implement assertions or require statements to prevent extreme values from being set.

  • Ensure _block_number is correctly validated to avoid outdated updates.

Updates

Lead Judging Commences

0xnevi Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

[invalid] finding-missing-proof-content-validation

- See [here]([https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle)](https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle) on how it is used to verify storage variable - All state roots and proofs must be verified by the OOS `StateProofVerifier` inherited as `Verifier` (where the price values and params are extracted), so there is no proof that manipulating timestamp/inputs can affect a price update - It is assumed that the OOS prover will provide accurate data and the OOS verifier will verify the prices/max unlock time to be within an appropriate bound/values - There is a account existance check in L96 of `ScrvusdVerifierV1.sol`, in which the params for price updates are extracted from

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.