Submission Details
Severity: high
Invalid

verifyScrvusdByBlockHash() function lacks access control, giving room for unauthorized manipulation

Summary

verifyScrvusdByBlockHash() is an external function, and an authorized entity that can call the function is not defined, therefore making the code vulnerable as it can be called by anyone.

LOC

https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/verifiers/ScrvusdVerifierV1.sol#L54

Vulnerability Details

The code below verifies the validity of a block header by comparing its hash with an oracle's hash, extracts parameters from a proof, and is designed to return a value related to the price update based on the extracted parameters.

```solidity
function verifyScrvusdByBlockHash(
    bytes memory _block_header_rlp,
    bytes memory _proof_rlp
) external returns (uint256) {
    Verifier.BlockHeader memory block_header = Verifier.parseBlockHeader(_block_header_rlp);
    require(block_header.hash != bytes32(0), "Invalid blockhash");
    require(
        block_header.hash == IBlockHashOracle(BLOCK_HASH_ORACLE).get_block_hash(block_header.number),
        "Blockhash mismatch"
    );
    uint256[PARAM_CNT] memory params = _extractParametersFromProof(block_header.stateRootHash, _proof_rlp);
    return _updatePrice(params, block_header.timestamp, block_header.number);
}
```

However, there is no special authorized entity, like an Admin for example, to be given full access to call the function; instead, anybody can gain access to manipulate the verification of the validity of a block header by manipulating its hash comparison.

Impact

Unauthorized users could manipulate the function's behavior thereby giving rise to a wrong value or price update.

Tools Used

Manual Review

Recommendations

Add access control to restrict who can call the function

```solidity
modifier onlyAuthorized() {
    require(msg.sender == authorizedAddress, "Unauthorized");
    _;
}

function verifyScrvusdByBlockHash(
    bytes memory _block_header_rlp,
    bytes memory _proof_rlp
) external onlyAuthorized returns (uint256) {
    // ... function body unchanged ...
}
```

Updates

Lead Judging Commences

0xnevi Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[invalid] finding-verify-functions-lack-access-control

Invalid, all state roots and proofs must be verified by the OOS `StateProofVerifier` inherited as `Verifier`, so there is no proof that permissionless `verify` functions allow updating malicious prices
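
The judging reason above, modelled as an added example that is not part of the submission, the judge's comment or the contest code base: a verifier with no caller check still only accepts data that matches the oracle's block hash and the header's state root. Assumptions: SHA3-256 stands in for keccak256, JSON for RLP, and a plain hash of the parameters for the state proof; every class, function and field name here is hypothetical.

```python
import hashlib
import json

def h(data: bytes) -> bytes:
    """Stand-in for keccak256 (SHA3-256 plays its role in this model)."""
    return hashlib.sha3_256(data).digest()

def encode_header(number: int, timestamp: int, state_root: bytes) -> bytes:
    """Toy replacement for the RLP-encoded block header."""
    fields = {"number": number, "timestamp": timestamp, "state_root": state_root.hex()}
    return json.dumps(fields, sort_keys=True).encode()

class BlockHashOracle:
    """Trusted source of block hashes; only its operator writes to it."""
    def __init__(self):
        self._hashes = {}
    def set_block_hash(self, number: int, block_hash: bytes) -> None:
        self._hashes[number] = block_hash
    def get_block_hash(self, number: int) -> bytes:
        return self._hashes.get(number, bytes(32))

class PermissionlessVerifier:
    def __init__(self, oracle: BlockHashOracle):
        self.oracle, self.params = oracle, None
    def verify_by_block_hash(self, caller: str, header_rlp: bytes, proof: bytes):
        # `caller` is never inspected: this model has no access control at all.
        header = json.loads(header_rlp)
        if h(header_rlp) != self.oracle.get_block_hash(header["number"]):
            raise ValueError("Blockhash mismatch")
        # Toy state proof: the state root is simply the hash of the parameters.
        if h(proof).hex() != header["state_root"]:
            raise ValueError("Invalid proof")
        self.params = json.loads(proof)
        return self.params

def attempt(verifier, caller: str, header_rlp: bytes, proof: bytes) -> str:
    try:
        verifier.verify_by_block_hash(caller, header_rlp, proof)
        return "accepted"
    except ValueError as err:
        return f"rejected: {err}"

# Constructed sample data (not taken from any real chain).
REAL_PARAMS = json.dumps({"total_assets": 1000, "total_supply": 900}).encode()
FAKE_PARAMS = json.dumps({"total_assets": 9999, "total_supply": 1}).encode()
REAL_HEADER = encode_header(100, 1_700_000_000, h(REAL_PARAMS))
FORGED_HEADER = encode_header(100, 1_700_000_000, h(FAKE_PARAMS))
ORACLE = BlockHashOracle()
ORACLE.set_block_hash(100, h(REAL_HEADER))
```

In this model the trust boundary is the oracle's write path and the soundness of the proof check, not the identity of whoever submits the header and proof.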
