Storage Proofs
Curve
DeFiLayer 1Layer 2
14,723 OP
View results
Previous Next
Submission Details
Severity: low
Invalid

Lack of Input Validation in Constructors Risking Contract Bricking

0xluckyluke

Summary

The constructors in ScrvusdVerifierV1 and ScrvusdVerifierV2 do not validate that the input addresses (_block_hash_oracle and _scrvusd_oracle) are non-zero. If zero addresses are passed, the contracts will be deployed in an unusable state, requiring redeployment and causing operational disruptions.

Vulnerability Details

The constructors in both verifier contracts accept two addresses (_block_hash_oracle and _scrvusd_oracle) but do not validate that these addresses are non-zero.

https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/verifiers/ScrvusdVerifierV1.sol#L46-L50

https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/verifiers/ScrvusdVerifierV2.sol#L21-L22

Impact

  • Contract Bricking: The contract becomes unusable if zero addresses are passed, requiring redeployment.

  • Operational Disruption: Downtime occurs while the issue is resolved, affecting dependent systems.

  • Gas Waste: Redeployment incurs additional gas costs.

Tools Used

Recommendations

Add zero-address checks in the constructors:

constructor(address _block_hash_oracle, address _scrvusd_oracle) {
require(_block_hash_oracle != address(0), "Invalid BlockHashOracle");
require(_scrvusd_oracle != address(0), "Invalid ScrvusdOracle");
BLOCK_HASH_ORACLE = _block_hash_oracle;
SCRVUSD_ORACLE = _scrvusd_oracle;
}

This ensures the contract cannot be deployed with invalid addresses, preventing bricking and operational disruptions.

Updates

Lead Judging Commences

0xnevi Lead Judge
6 months ago
0xnevi Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.