Division by zero in price calculations (ScrvusdOracleV2.vy)
Summary:
Hi,
I have found out a potential bug in which the function _raw_price in the contract 'ScrvusdOracleV2.vy' is vulnerable to zero division attack.
Vulnerability Details:
The key details of this vulnerability can be given as follows:
In the _raw_price function, if self._total_supply(parameters, ts) == 0, the contract reverts due to division by zero attack. It could render the oracle unusable, if attacker with PRICE_PARAMETERS_VERIFIER role provides malicious parameters like setting total_supply = 0 or manipulating _total_supply to get 0.
Impact:
This vulnerability can lead to DoS attack and make it difficult for clients to use the contract.
Tools Used:
Manual Code Analysis.
Recommendations:
Try to make an assert statement for _total_supply for remediating this issue:
Lead Judging Commences
[invalid] finding-division-by-zero
Note that `total_supply` and `profit_unlocking_rate` is initially set to 1 and 0 respectively when the `ScrvusdOracleV2.vy` is deployed 1. `total_supply` and `profit_unlocking_rate` is part of the price param updates within `update_price`, which must have gone through verification via the OOS `StateProofVerifier` contract, so there is no evidence that a 0 supply is allowed either via a 0 supply update or an extremely high `profit_unlocking_rate`. 2. Since price is retrieved via values retrived from the V3Vault, if there is no supply, there is arguably no price to be posted. As such, reverting is arguably the correct choice since a 0 price value is not expected from scrvUSD, which is a stable coin.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.