Submission Details
Severity: medium
Invalid

No boolean is returned by verifyPeriodByStateRoot() on failure, making it difficult to distinguish between a successful update and a failure.

Summary

The function verifyPeriodByStateRoot is expected to return a bool indicating success or failure. However, its return value is simply whatever IScrvusdOracleV2(SCRVUSD_ORACLE).update_profit_max_unlock_time(period, _block_number) returns, and that external call is not guarded against reverting.

LOC

https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/verifiers/ScrvusdVerifierV2.sol#L43

Vulnerability Details

If update_profit_max_unlock_time fails (e.g., reverts due to an internal error or invalid input), the revert propagates and the entire function reverts, so no bool is returned. This means the function can never return false; it will either return true or revert.

Impact

The function does not properly handle failure cases, making it difficult to distinguish between a successful update and a failure.

Tools Used

Manual Review

Recommendations

Wrap the call to update_profit_max_unlock_time in a try-catch block to handle reverts gracefully and return false in case of failure.

function verifyPeriodByStateRoot(
    uint256 _block_number,
    bytes memory _proof_rlp
) external returns (bool) {
    bytes32 state_root = IBlockHashOracle(ScrvusdVerifierV1.BLOCK_HASH_ORACLE).get_state_root(_block_number);
    uint256 period = _extractPeriodFromProof(state_root, _proof_rlp);
    // A revert inside the oracle call is caught here instead of bubbling up to the caller.
    try IScrvusdOracleV2(SCRVUSD_ORACLE).update_profit_max_unlock_time(period, _block_number) {
        return true; // Success
    } catch {
        return false; // Failure
    }
}
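The revert-versus-false distinction the submission turns on, shown end to end as an added example (this is not code from the submission or from the Curve contracts): a constructed mock oracle that reverts on stale block numbers, a verifier that propagates the revert (the current shape of verifyPeriodByStateRoot) next to one that uses try/catch, and a Foundry test showing what a caller observes in each case. Only the update_profit_max_unlock_time signature comes from the page; the contract names, the verifyPeriod function, the "stale block number" reason and the block numbers are assumptions made for this example, and the test needs forge-std.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import "forge-std/Test.sol";

// Oracle interface mirroring the one signature the submission relies on.
interface IOracle {
    function update_profit_max_unlock_time(uint256 period, uint256 blockNumber) external returns (bool);
}

// Constructed mock: rejects block numbers that are not newer than the last accepted one.
contract MockOracle is IOracle {
    uint256 public lastBlockNumber;
    uint256 public period;

    function update_profit_max_unlock_time(uint256 _period, uint256 _blockNumber) external returns (bool) {
        require(_blockNumber > lastBlockNumber, "stale block number");
        lastBlockNumber = _blockNumber;
        period = _period;
        return true;
    }
}

// Current shape: the oracle's revert bubbles up, so a caller only ever sees `true` or a revert.
contract RevertingVerifier {
    IOracle public immutable oracle;

    constructor(IOracle _oracle) { oracle = _oracle; }

    function verifyPeriod(uint256 _period, uint256 _blockNumber) external returns (bool) {
        return oracle.update_profit_max_unlock_time(_period, _blockNumber);
    }
}

// Recommended shape: the revert is caught and reported as `false`. The raw revert data is emitted
// so the reason (here "stale block number") is not silently lost to off-chain monitoring.
contract CatchingVerifier {
    IOracle public immutable oracle;

    event UpdateFailed(uint256 blockNumber, bytes reason);

    constructor(IOracle _oracle) { oracle = _oracle; }

    function verifyPeriod(uint256 _period, uint256 _blockNumber) external returns (bool) {
        try oracle.update_profit_max_unlock_time(_period, _blockNumber) returns (bool ok) {
            return ok; // propagate the oracle's own result instead of hard-coding true
        } catch (bytes memory reason) {
            emit UpdateFailed(_blockNumber, reason);
            return false;
        }
    }
}

contract VerifierBehaviourTest is Test {
    MockOracle oracle;
    RevertingVerifier reverting;
    CatchingVerifier catching;

    function setUp() public {
        oracle = new MockOracle();
        reverting = new RevertingVerifier(oracle);
        catching = new CatchingVerifier(oracle);
        // Seed the oracle so that block 40 is stale and blocks 60/70 are fresh (constructed values).
        oracle.update_profit_max_unlock_time(100, 50);
    }

    function testFreshBlockReturnsTrueInBothVariants() public {
        assertTrue(reverting.verifyPeriod(101, 60));
        assertTrue(catching.verifyPeriod(102, 70));
        assertEq(oracle.period(), 102);
    }

    function testStaleBlockRevertsVersusFalse() public {
        // Without try/catch the caller sees a revert, never `false`.
        vm.expectRevert("stale block number");
        reverting.verifyPeriod(101, 40);

        // With try/catch the caller sees `false`; the oracle state is untouched either way.
        assertFalse(catching.verifyPeriod(101, 40));
        assertEq(oracle.lastBlockNumber(), 50);
        assertEq(oracle.period(), 100);
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed. The test makes the trade-off concrete: once the revert is caught, a stale block number no longer aborts the caller's transaction, so any caller that relied on the revert as its gate must now check the returned bool itself, and the emitted UpdateFailed event is what keeps the failure reason visible to anyone monitoring the contract.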
Updates

Lead Judging Commences
0xnevi, Lead Judge, 6 months ago

Submission Judgement Published
0xnevi, Lead Judge, 5 months ago
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[invalid] finding-verifyPeriodByStateRoot-return-value

Non-acceptable severity, given there is arguably no impact here. If the verification function reverts, then the block number must have been outdated, which aligns with preventing updating of the max unlock time. The `verifyScrvusdByStateRoot` is unused with regard to in-scope contract context, so there is no evidence a boolean return variable is compulsory.
