The ScrvusdOracleV2.vy contract relies on external pool pricing via estimate_amounts_out to determine the value of scrvUSD. However, it lacks essential protections such as slippage tolerance and sanity checks, leaving it vulnerable to manipulation. An attacker could exploit this to return incorrect prices that affect critical protocol functionalities dependent on the oracle.
Within ScrvusdOracleV2.vy, the function estimate_amounts_out is called to calculate scrvUSD pricing based on external liquidity pools. Since there are no checks to ensure returned prices are within expected bounds, an attacker could manipulate pool reserves (e.g., via flash loans) to influence the price that the oracle returns. Because the oracle uses spot prices without averaging or bounds, this manipulated price would be accepted and propagated to protocol logic.
Incorrect oracle prices can lead to incorrect valuation of scrvUSD, affecting minting, redemption, or liquidation processes.
Potential financial exploitation if attackers manipulate pool reserves to gain profit or disrupt protocol operations.
Can result in loss of user funds, protocol insolvency, or systemic failures depending on where scrvUSD prices are used.
Implement sanity checks to ensure returned prices are within reasonable historical or predefined ranges.
Add slippage protection when querying pool prices to prevent accepting manipulated values.
Consider using time-weighted average price (TWAP) mechanisms instead of single spot prices to make manipulation significantly more expensive and difficult.
Regularly monitor oracle behavior to detect anomalies in price feeds.
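The first and third recommendations can be combined into one guard. The following is an added example, not code from ScrvusdOracleV2.vy or the project: a Python model in which a spot reading is accepted only if it lies within a deviation bound of a time-weighted average of previously accepted prices. The class name, the 1800-second window, the 200 bps bound and the sample readings are assumptions chosen for illustration, and timestamps are assumed to be non-decreasing.

```python
from collections import deque

BPS = 10_000  # basis-point denominator

class GuardedPriceFeed:
    """Hypothetical guard around a spot price source; prices are 1e18-scaled ints."""

    def __init__(self, initial_price, start_ts, window=1800, max_dev_bps=200):
        self.window = window            # TWAP window in seconds (assumed value)
        self.max_dev_bps = max_dev_bps  # max accepted spot deviation from the TWAP
        self.obs = deque([(start_ts, initial_price)])  # (timestamp, accepted price)

    def twap(self, now):
        """Time-weighted average of accepted prices over the trailing window."""
        start, total, weight = now - self.window, 0, 0
        pts = list(self.obs)
        for i, (ts, price) in enumerate(pts):
            end = pts[i + 1][0] if i + 1 < len(pts) else now
            lo = max(ts, start)
            if end > lo:  # portion of this observation inside the window
                total += price * (end - lo)
                weight += end - lo
        return total // weight if weight else pts[-1][1]

    def update(self, spot, now):
        """Accept spot only if it is within max_dev_bps of the current TWAP."""
        ref = self.twap(now)
        if abs(spot - ref) * BPS // ref > self.max_dev_bps:
            return False  # sanity check failed: keep serving the TWAP
        self.obs.append((now, spot))
        # Drop observations that ended before the window; keep the one spanning its start.
        while len(self.obs) > 1 and self.obs[1][0] <= now - self.window:
            self.obs.popleft()
        return True

def demo():
    """Constructed readings: one normal move, then a single-block spike."""
    feed = GuardedPriceFeed(10**18, start_ts=0)
    ok_normal = feed.update(1_010_000_000_000_000_000, now=600)  # +1%
    ok_spike = feed.update(1_500_000_000_000_000_000, now=1200)  # +50%
    return ok_normal, ok_spike, feed.twap(1200)

if __name__ == "__main__":
    print(demo())
```

Because the rejected reading never enters the observation list, a reserve distortion that lasts a single block leaves the served price unchanged; moving the average requires holding the distorted price across a meaningful share of the window.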