The ScrvusdVerifierV1 and ScrvusdVerifierV2 contracts lack access control on their external functions—specifically verifyScrvusdByBlockHash and verifyScrvusdByStateRoot in ScrvusdVerifierV1, and verifyPeriodByBlockHash and verifyPeriodByStateRoot in ScrvusdVerifierV2—allowing anyone to call them and process state proofs, which are then forwarded to ScrvusdOracleV2. While the oracle enforces role-based restrictions (PRICE_PARAMETERS_VERIFIER and UNLOCK_TIME_VERIFIER), the verifiers remain susceptible to spam and denial-of-service (DoS) attacks due to unrestricted access. This could lead to increased gas costs and potential delays for legitimate updates.
Affected Contracts and Functions:
ScrvusdVerifierV1
ScrvusdVerifierV2
ScrvusdVerifierV1: verifyScrvusdByBlockHash, verifyScrvusdByStateRoot.
ScrvusdVerifierV2: verifyPeriodByBlockHash, verifyPeriodByStateRoot.
Issue: These external functions have no access restrictions, allowing any address to trigger proof processing and call.
Unrestricted calls to verifiers can consume gas via RLP parsing and external oracle calls.
Attackers can repeatedly call the verifier functions with large or malformed proofs, consuming significant gas.
Manual Testing
Restrict function calls to authorized roles.
Invalid, all state roots and proofs must be verified by the OOS `StateProofVerifier` inherited as `Verifier`, so there is no proof that permissionless `verify` functions allow updating malicious prices.
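The trust model under discussion, as an added Python model (not the contest's contracts and not code from this page): a permissionless entry point that checks every proof against a trusted root cannot forward an unproven value to the oracle, and a failed proof reverts at the sender's expense. A binary SHA-256 Merkle tree stands in for the Merkle-Patricia proof checked by `StateProofVerifier`; every class and function name, the block number used with it, and the sample leaves are assumptions.

```python
import hashlib

LEAVES = [b"slot0=100", b"slot1=200", b"slot2=300", b"slot3=400"]  # constructed sample storage values

def h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def merkle_root(leaves):
    level = [h(x) for x in leaves]          # leaf count must be a power of two
    while len(level) > 1:
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def merkle_proof(leaves, index):
    level, proof = [h(x) for x in leaves], []
    while len(level) > 1:
        sib = index ^ 1
        proof.append((level[sib], sib < index))  # (sibling hash, sibling is on the left)
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return proof

def root_from_proof(leaf, proof):
    node = h(leaf)
    for sibling, sibling_left in proof:
        node = h(sibling + node) if sibling_left else h(node + sibling)
    return node

class Revert(Exception):
    """Models an EVM revert: state is unchanged and the caller has paid the gas."""

class Oracle:
    def __init__(self):
        self.verifier = None   # the only address holding the verifier role
        self.price = None
    def update_price(self, sender, value):
        if sender is not self.verifier:
            raise Revert("caller lacks PRICE_PARAMETERS_VERIFIER")
        self.price = value

class Verifier:
    def __init__(self, oracle, trusted_roots):
        self.oracle, self.trusted_roots = oracle, trusted_roots
    def verify_by_state_root(self, caller, block_number, value, proof):
        # `caller` is deliberately never checked: the entry point is permissionless.
        if root_from_proof(value, proof) != self.trusted_roots.get(block_number):
            raise Revert("proof does not match trusted root")
        self.oracle.update_price(self, value)
```

In this model the integrity of the oracle value rests on the trusted root and the proof check; restricting who may call the verifier would only change who is able to submit proofs.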