Timestamp Surrogate Issue in verifyScrvusdByStateRoot
Summary
In the verifyScrvusdByStateRoot function, the contract passes params[5] (which represents the stored value of last_profit_update) as the timestamp for updating the price. However, this value is extracted from the state proof and does not necessarily represent the actual block timestamp. Using an outdated or incorrect timestamp for price calculations can lead to errors.
Vulnerability Details
The Function :
uses params[5] as a timestamp. This parameter is read from the storage slot of the scrvUSD contract and might be outdated or not reflect the current block’s timestamp.
Impact
Incorrect timestamp data will lead to stale prices of assets.
Recommendations
Implement a mechanism to check if timestamp provided is not too old its should lie in certain accepted threshold. this could be a way to prevent this issue.
Lead Judging Commences
[invalid] finding-missing-proof-content-validation
- See [here]([https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle)](https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle) on how it is used to verify storage variable - All state roots and proofs must be verified by the OOS `StateProofVerifier` inherited as `Verifier` (where the price values and params are extracted), so there is no proof that manipulating timestamp/inputs can affect a price update - It is assumed that the OOS prover will provide accurate data and the OOS verifier will verify the prices/max unlock time to be within an appropriate bound/values - There is a account existance check in L96 of `ScrvusdVerifierV1.sol`, in which the params for price updates are extracted from
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.