Submission Details
Severity: low
Invalid

input validation

Summary

Improper validation of the `last_profit_update` timestamp parameter.

Vulnerability Details

valid_params = [
    50 * 10**18,           # total_debt (50)
    50 * 10**18,           # total_idle (50)
    100 * 10**18,          # total_supply (100)
    initial_ts + 7*86400,  # full_profit_unlock_date
    0,                     # profit_unlocking_rate
    2**256 - 1,            # last_profit_update - overflow
    0                      # balance_of_self
]

Impact

  1. Price Manipulation:

    • Underflows in time delta calculations (ts - last_profit_update)

    • Incorrect unlocked_shares leading to distorted pricePerShare

  2. Protocol Insolvency Risk:

    • Artificial inflation/deflation of scrvUSD value

    • Enables draining liquidity pools through arbitrage

  3. Permanent Corruption:

    • Once invalid parameters are accepted, price calculations remain broken until manual intervention

Attack Scenario:

  1. Attacker submits last_profit_update = 2^256-1 (max uint256)

  2. Oracle accepts this due to missing upper bound checks

  3. Future calculations using ts - last_profit_update underflow (since last_profit_update > ts)

  4. unlocked_shares calculation returns garbage values

Tools Used

Manual Review

Recommendations

Reality Checks

MAX_PROFIT_RATE: constant(uint256) = 10**18 * 10**12 # 1e30
MAX_TIME_DELTA: constant(uint256) = 10**8 # ~3 years
# ==== NEW SAFETY CHECKS ====
# Validate profit_unlocking_rate
assert _parameters[4] <= MAX_PROFIT_RATE, "Profit rate exceeds max"
# Validate time parameters
assert _parameters[5] <= _ts, "Last update after timestamp"
assert _parameters[3] > _parameters[5], "Unlock date before update"
# Validate supply consistency
assert _parameters[2] > 0, "Zero total supply"
assert _parameters[6] <= _parameters[2], "Self balance exceeds supply"
# Validate debt/idle ratio
assert _parameters[0] + _parameters[1] <= 10**40, "Assets too high"
# ===========================
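Added example (not code from the submission or the audited protocol): it models the unchecked uint256 time delta the finding describes and applies the report's recommended bounds checks to the report's own parameter set. The index layout and check strings follow the report; `INITIAL_TS`, the "good" parameter set and the extra `MAX_TIME_DELTA` staleness bound are assumptions.

```python
UINT256_MAX = 2**256 - 1
MAX_PROFIT_RATE = 10**18 * 10**12   # 1e30, as in the recommended checks
MAX_TIME_DELTA = 10**8              # ~3 years, as in the recommended checks

# Index layout of the _parameters array, matching the report's valid_params list.
(TOTAL_DEBT, TOTAL_IDLE, TOTAL_SUPPLY, FULL_PROFIT_UNLOCK_DATE,
 PROFIT_UNLOCKING_RATE, LAST_PROFIT_UPDATE, BALANCE_OF_SELF) = range(7)


def time_delta_uint256(ts: int, last_profit_update: int) -> int:
    """Unchecked EVM-style subtraction: wraps modulo 2**256 instead of reverting.

    This is the (ts - last_profit_update) term the finding says underflows when
    last_profit_update > ts.
    """
    return (ts - last_profit_update) % (2**256)


def validate_parameters(params: list[int], ts: int) -> list[str]:
    """Return the failed checks (empty list means the parameters pass).

    Mirrors the 'Reality Checks' in the Recommendations. The staleness bound on
    (ts - last_profit_update) is an added assumption that uses the MAX_TIME_DELTA
    constant the report defines but never applies.
    """
    failures = []
    if any(not 0 <= p <= UINT256_MAX for p in params):
        failures.append("Parameter outside uint256 range")
    if params[PROFIT_UNLOCKING_RATE] > MAX_PROFIT_RATE:
        failures.append("Profit rate exceeds max")
    if params[LAST_PROFIT_UPDATE] > ts:
        failures.append("Last update after timestamp")
    elif ts - params[LAST_PROFIT_UPDATE] > MAX_TIME_DELTA:
        failures.append("Last update too stale")          # assumed extra check
    if params[FULL_PROFIT_UNLOCK_DATE] <= params[LAST_PROFIT_UPDATE]:
        failures.append("Unlock date before update")
    if params[TOTAL_SUPPLY] == 0:
        failures.append("Zero total supply")
    if params[BALANCE_OF_SELF] > params[TOTAL_SUPPLY]:
        failures.append("Self balance exceeds supply")
    if params[TOTAL_DEBT] + params[TOTAL_IDLE] > 10**40:
        failures.append("Assets too high")
    return failures


INITIAL_TS = 1_700_000_000  # constructed sample block timestamp

# The report's parameter set: last_profit_update = max uint256.
BAD_PARAMS = [50 * 10**18, 50 * 10**18, 100 * 10**18,
              INITIAL_TS + 7 * 86400, 0, UINT256_MAX, 0]
# Constructed sane variant: last profit update one day before INITIAL_TS.
GOOD_PARAMS = list(BAD_PARAMS)
GOOD_PARAMS[LAST_PROFIT_UPDATE] = INITIAL_TS - 86400
```

With `BAD_PARAMS` the wrapped delta is `INITIAL_TS + 1` seconds rather than a revert, and the validator reports both the timestamp and unlock-date checks as failed; `GOOD_PARAMS` passes every check.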
Updates

Lead Judging Commences

0xnevi Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

[invalid] finding-timestamp-underflow

This issue and its duplicates are very similar to the reasoning highlighted in issue #11. The timestamp variables are extracted and verified via the OOS `StateProofVerifier` contract inherited as `Verifier`. There is simply no concrete proof that the verifier allowed such an underflow to occur, representing stale price value updates.
