Submission Details
Severity: high
Invalid

High Severity Findings

1. Untrusted External Contract Call

File: ScrvusdVerifierV1.sol
Line: 20
Code:

IScrvusdOracle public scrvusd_oracle;

Description: The contract interacts with an external oracle contract without validating its authenticity. If the external contract is compromised or malicious, it could manipulate critical functions within ScrvusdVerifierV1, leading to potential loss of funds or incorrect oracle data.

Remediation: Implement strict access controls and validate the authenticity of external contracts before interaction. Consider using known, trusted addresses and incorporating mechanisms to update these addresses securely.

2. Lack of Input Validation in Oracle Update

File: ScrvusdVerifierV1.sol
Line: 29
Code:

function update_price(uint256[PARAM_CNT] memory _parameters, uint256 _ts, uint256 _block_number) external returns (uint256);

Description: The update_price function accepts parameters without validating their ranges or formats. Malicious or erroneous inputs could lead to incorrect price updates, affecting the stability and reliability of the system.

Remediation: Implement comprehensive input validation to ensure that all parameters meet expected ranges and formats before processing.

3. Double Application of Deleverage Factor

File: MarketMakingEngine.sol
Line: 158, 288
Code:

UD60x18 adjustedProfitUsdX18 = marketMakingEngine.getAdjustedProfitForMarketId(
    fuzzMarketConfig.marketId, profitUsd
);
marketMakingEngine.withdrawUsdTokenFromMarket(
    fuzzMarketConfig.marketId, adjustedProfitUsdX18.intoUint256()
);

Description: The getAdjustedProfitForMarketId function applies the deleverage factor, but the value is then passed to withdrawUsdTokenFromMarket, where the deleverage factor is applied again. This results in fewer USD tokens being transferred than expected, leading to financial discrepancies.

Remediation: Ensure that the deleverage factor is only applied once. Modify withdrawUsdTokenFromMarket to accept the correct PNL value without reapplying the deleverage factor.

Updates

Lead Judging Commences

0xnevi Lead Judge
3 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
