The ScrvusdVerifierV1 contract uses RLP-encoded block headers and state proofs to extract vault parameters. However, its verification logic does not fully cross-check these extracted values against trusted sources such as the BlockHashOracle. This allows forged state proofs that can directly compromise the price, putting funds at risk.
- The functions (e.g. verifyScrvusdByBlockHash and verifyScrvusdByStateRoot) parse block headers and state proofs but lack comprehensive integrity checks for the decoded parameters.
- Critical vault metrics (total supply, idle funds, etc.) are not validated against known on-chain data, leaving the system open to forged proofs.
The ScrvusdVerifierV1 contract's verifyScrvusdByBlockHash function verifies scrvUSD parameters using an RLP-encoded block header and a corresponding state proof. However, it does not thoroughly cross-check these extracted values against trusted sources, such as the BlockHashOracle. This shortfall could allow forged state proofs to inject incorrect vault parameters.
An attacker crafts a malicious state proof that falsely indicates an increase in the vault's total_debt.
In this PoC, the attacker submits forged proofs that, due to insufficient verification, are accepted by the contract, leading to incorrect updates to the oracle's price data.
- An attacker could submit a crafted state proof with manipulated vault parameters that would be accepted by the verifier, resulting in an incorrect update to the scrvUSD price.
- Such an exploit could destabilize cross-chain pools by providing false data on the vault’s financial state.
- Manual Code Review
- Solodit Checklist review regarding state proof and input consistency
- ChatGPT o3-mini-high
- Enhance the RLP decoding and verification logic to include complete integrity checks on all critical parameters.
- Cross-check all decoded values against the BlockHashOracle’s records or other trusted sources before updating the oracle.
- Consider adding a fallback or delay mechanism in cases where the extracted data appears anomalous.
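
The last recommendation, sketched as an added Python model (not code from ScrvusdVerifierV1 or from this report): decoded parameters are sanity-checked against the previously accepted values, and a large price move is held for delay instead of being applied. The `VaultParams` fields, the simplified assets-per-share price and the 50 bps threshold are assumptions; the check complements proof verification and does not replace it.

```python
from dataclasses import dataclass

WAD = 10**18
MAX_MOVE_BPS = 50  # assumed policy: hold any update that moves price > 0.5%

@dataclass(frozen=True)
class VaultParams:  # hypothetical subset of the decoded vault parameters
    total_debt: int
    total_idle: int
    total_supply: int
    last_profit_update: int  # unix seconds

def share_price(p: VaultParams) -> int:
    # Simplified model: total assets per share, ignoring profit unlocking.
    return (p.total_debt + p.total_idle) * WAD // p.total_supply

def review_update(prev: VaultParams, new: VaultParams, block_ts: int):
    """Return ("reject" | "delay" | "accept", reasons) for a decoded update.

    `prev` is the last accepted parameter set (assumed already valid);
    `block_ts` is the timestamp of the block the proof was verified against.
    """
    hard = []
    if new.total_supply <= 0:
        hard.append("total_supply must be positive")
    if min(new.total_debt, new.total_idle) < 0:
        hard.append("negative balance")
    if new.last_profit_update > block_ts:
        hard.append("last_profit_update is after the proven block")
    if new.last_profit_update < prev.last_profit_update:
        hard.append("last_profit_update moved backwards")
    if hard:
        return "reject", hard
    old_px, new_px = share_price(prev), share_price(new)
    move_bps = abs(new_px - old_px) * 10_000 // old_px
    if move_bps > MAX_MOVE_BPS:
        return "delay", [f"price moved {move_bps} bps (limit {MAX_MOVE_BPS})"]
    return "accept", []

# Constructed sample values (not real vault data).
PREV = VaultParams(900 * WAD, 100 * WAD, 950 * WAD, 1_700_000_000)
HONEST = VaultParams(902 * WAD, 100 * WAD, 950 * WAD, 1_700_003_600)
INFLATED_DEBT = VaultParams(1_800 * WAD, 100 * WAD, 950 * WAD, 1_700_003_600)
ZERO_SUPPLY = VaultParams(902 * WAD, 100 * WAD, 0, 1_700_003_600)

if __name__ == "__main__":
    for name, p in [("honest", HONEST), ("inflated_debt", INFLATED_DEBT),
                    ("zero_supply", ZERO_SUPPLY)]:
        print(name, review_update(PREV, p, block_ts=1_700_003_700))
```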