1. Untrusted External Contract Call

File: ScrvusdVerifierV1.sol
Line: 20
Code:

Description: The contract interacts with an external oracle contract without validating its authenticity. If the external contract is compromised or malicious, it could manipulate critical functions within ScrvusdVerifierV1, leading to potential loss of funds or incorrect oracle data.

Remediation: Implement strict access controls and validate the authenticity of external contracts before interaction. Consider using known, trusted addresses and incorporating mechanisms to update these addresses securely.

2. Lack of Input Validation in Oracle Update

File: ScrvusdVerifierV1.sol
Line: 29
Code:

Description: The update_price function accepts parameters without validating their ranges or formats. Malicious or erroneous inputs could lead to incorrect price updates, affecting the stability and reliability of the system.

Remediation: Implement comprehensive input validation to ensure that all parameters meet expected ranges and formats before processing.

3. Double Application of Deleverage Factor

File: MarketMakingEngine.sol
Line: 158, 288
Code:

Description: The getAdjustedProfitForMarketId function applies the deleverage factor, but the value is then passed to withdrawUsdTokenFromMarket, where the deleverage factor is applied again. This results in fewer USD tokens being transferred than expected, leading to financial discrepancies.

Remediation: Ensure that the deleverage factor is only applied once. Modify withdrawUsdTokenFromMarket to accept the correct PNL value without reapplying the deleverage factor.