Storage Proofs
Curve
DeFiLayer 1Layer 2
14,723 OP
View results
Previous Next
Submission Details
Severity: low
Invalid

Lack of Input Validation in Constructors Risking Contract Bricking

0xluckyluke

Summary

The constructors in ScrvusdVerifierV1 and ScrvusdVerifierV2 do not validate that the input addresses (_block_hash_oracle and _scrvusd_oracle) are non-zero. If zero addresses are passed, the contracts will be deployed in an unusable state, requiring redeployment and causing operational disruptions.

Vulnerability Details

The constructors in both verifier contracts accept two addresses (_block_hash_oracle and _scrvusd_oracle) but do not validate that these addresses are non-zero.

https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/verifiers/ScrvusdVerifierV1.sol#L46-L50

https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/verifiers/ScrvusdVerifierV2.sol#L21-L22

Impact

  • Contract Bricking: The contract becomes unusable if zero addresses are passed, requiring redeployment.

  • Operational Disruption: Downtime occurs while the issue is resolved, affecting dependent systems.

  • Gas Waste: Redeployment incurs additional gas costs.

Tools Used

Recommendations

Add zero-address checks in the constructors:

constructor(address _block_hash_oracle, address _scrvusd_oracle) {
require(_block_hash_oracle != address(0), "Invalid BlockHashOracle");
require(_scrvusd_oracle != address(0), "Invalid ScrvusdOracle");
BLOCK_HASH_ORACLE = _block_hash_oracle;
SCRVUSD_ORACLE = _scrvusd_oracle;
}

This ensures the contract cannot be deployed with invalid addresses, preventing bricking and operational disruptions.

Updates

Lead Judging Commences

0xnevi Lead Judge
11 months ago
0xnevi Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!