Submission Details
Severity: medium
Invalid

Loss of Validation in parameter 'last_profit_update' leads to Timestamp Dependency (ScrvusdVerifierV1.sol)

Summary:

Hi,

I have found a potential vulnerability in the contract 'ScrvusdVerifierV1.sol' in which a timestamp dependency issue occurs due to a loss of validation of the parameter last_profit_update.

Vulnerability Details:

The key details of this potential vulnerability can be given as follows:

In this potential bug, the verifyScrvusdByStateRoot function uses the last_profit_update parameter (params[5]) as a surrogate for block.timestamp, and this value is then passed to IScrvusdOracle for price updates. Because there is no validation check on this last-update value, it can lead to manipulation of the price update for users.

```solidity
function verifyScrvusdByStateRoot(
    uint256 _block_number,
    bytes memory _proof_rlp
) external returns (uint256) {
    bytes32 state_root = IBlockHashOracle(BLOCK_HASH_ORACLE).get_state_root(_block_number);
    uint256[PARAM_CNT] memory params = _extractParametersFromProof(state_root, _proof_rlp);
    // Use last_profit_update as the timestamp surrogate
@>  return _updatePrice(params, params[5], _block_number);
}
```

Impact:

If the last_profit_update value is manipulated (due to an invalid proof or a bug), then a price update based on an incorrect timestamp gives incorrect results.

Tools Used:

Manual Code Analysis

Recommendations:

  • Add validation checks for the last_profit_update value, i.e. that it is close to block.timestamp:

```solidity
require(params[5] <= block.timestamp, "Invalid timestamp");
require(params[5] > block.timestamp - 1 days, "Timestamp too old");
```
  • Use block.timestamp instead of last_profit_update if possible; it is a more reliable source of time.
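The bound check recommended above, worked into a minimal stand-alone contract. This is an added example, not code from the contest repository or from the submitter: `TimestampBoundedVerifier`, `isTimestampInBounds`, `updateWithBoundedTimestamp`, the `PARAM_CNT` value of 7 and the `MAX_AGE` window are all assumptions made here, and the params array is passed in directly instead of being extracted from an RLP proof. The freshness check is written as `ts + MAX_AGE > block.timestamp` rather than `ts > block.timestamp - 1 days` so it cannot underflow (and revert with a checked-arithmetic panic rather than the intended message) on chains or test nodes whose timestamp is below one day.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example (not the contest's ScrvusdVerifierV1): bounds the
/// proof-supplied last_profit_update (params[5]) against block.timestamp
/// before it is used as the timestamp for a price update.
contract TimestampBoundedVerifier {
    // Assumed parameter count; the original only shows that index 5 exists.
    uint256 internal constant PARAM_CNT = 7;
    // Assumed acceptance window, matching the "1 days" in the recommendation.
    uint256 internal constant MAX_AGE = 1 days;

    event PriceUpdated(uint256 indexed blockNumber, uint256 timestamp);

    /// Pure helper so the rule can be unit-tested with an explicit `nowTs`
    /// instead of block.timestamp. Accepts ts in the window (nowTs - MAX_AGE, nowTs].
    function isTimestampInBounds(uint256 ts, uint256 nowTs) public pure returns (bool) {
        if (ts > nowTs) return false;           // timestamp from the future
        if (ts + MAX_AGE <= nowTs) return false; // older than the window
        return true;
    }

    /// Reverts with the same messages the recommendation uses; the addition
    /// form avoids underflow when block.timestamp < MAX_AGE.
    function _requireFreshTimestamp(uint256 ts) internal view {
        require(ts <= block.timestamp, "Invalid timestamp");
        require(ts + MAX_AGE > block.timestamp, "Timestamp too old");
    }

    /// Stand-in for verifyScrvusdByStateRoot: the check runs before the
    /// surrogate timestamp is forwarded to any price-update logic.
    function updateWithBoundedTimestamp(
        uint256[PARAM_CNT] memory params,
        uint256 blockNumber
    ) external returns (uint256) {
        _requireFreshTimestamp(params[5]);
        emit PriceUpdated(blockNumber, params[5]);
        return params[5];
    }
}
```

With `MAX_AGE` of one day, `isTimestampInBounds(ts, nowTs)` is true for `ts == nowTs` and for `ts == nowTs - 86399`, and false for `ts == nowTs + 1` or `ts == nowTs - 86400`; the same boundaries govern which calls to `updateWithBoundedTimestamp` revert.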

Updates

Lead Judging Commences

0xnevi Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

[invalid] finding-missing-proof-content-validation

- See [here](https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle) on how it is used to verify storage variables
- All state roots and proofs must be verified by the OOS `StateProofVerifier` inherited as `Verifier` (where the price values and params are extracted), so there is no proof that manipulating the timestamp/inputs can affect a price update
- It is assumed that the OOS prover will provide accurate data and the OOS verifier will verify the prices/max unlock time to be within an appropriate bound/values
- There is an account existence check in L96 of `ScrvusdVerifierV1.sol`, in which the params for price updates are extracted from
