Lack of Input Validation for _parameters Allows Invalid Calculations
Summary
The _parameters function lacks validation, allowing invalid inputs to cause incorrect calculations.
Vulnerability Details
The contract assumes
_parametersare always valid.
Malicious users can input extreme values to cause reverts or incorrect prices.
Impact
Denial-of-service attacks via reverts.
Incorrect price calculations from bad inputs.
Tools Used
Manual review
Recommendations
Validate inputs before processing.
Reject negative or zero values where inappropriate.
Lead Judging Commences
[invalid] finding-missing-proof-content-validation
- See [here]([https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle)](https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle) on how it is used to verify storage variable - All state roots and proofs must be verified by the OOS `StateProofVerifier` inherited as `Verifier` (where the price values and params are extracted), so there is no proof that manipulating timestamp/inputs can affect a price update - It is assumed that the OOS prover will provide accurate data and the OOS verifier will verify the prices/max unlock time to be within an appropriate bound/values - There is a account existance check in L96 of `ScrvusdVerifierV1.sol`, in which the params for price updates are extracted from
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.