The vulnerability exists when params.balance_of_self is greater than params.total_supply due to a forcefully sent amount. When the formula then tries to reduce params.total_supply, the reduction returns zero. A malicious attacker could exploit this attack vector to prevent params.total_supply from being reduced.
Link to the vulnerability: https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/oracles/ScrvusdOracleV2.vy#L266
Example:
params.total_supply = 20 000
params.balance_of_self = 10 000
params.total_supply - 5 000 = 20 000 - 5 000 = 15 000 (Expected)
Now the attacker forcefully sends 10 500
params.total_supply = 20 000
params.balance_of_self = 20 500
params.total_supply - 21 012 = 20 000 - 21 012 = 0 (total_supply remains 20 000)
Manual review
Use safe checks before calculation:
Ensure that the subtraction does not result in underflow: