Storage Proofs

Curve

DeFiLayer 1Layer 2

14,723 OP

View results

Previous Next

Submission Details

Severity: low

Invalid

Gas Griefing through Expensive Loop Iterations in `update_price()` Function

brene

Summary

The scrvUSDOracle smart contract includes an update_price() function that plays a critical role in maintaining up-to-date pricing information for a stablecoin protocol. However, this function contains a potentially expensive loop, which can iterate up to 192 times. Under specific conditions, this leads to gas griefing vulnerabilities, where the execution cost becomes excessively high, potentially rendering price updates unaffordable or infeasible. This scenario can disrupt the protocol's ability to update prices reliably, leaving the system vulnerable to stale pricing data and Denial of Service (DoS) threats.

Vulnerability Details

In the _obtain_price_params() function, called during update_price(), there is a loop used to compute the compounding gain from profits over several periods:

# functions are reduced from `VaultV3._process_report()` given assumptions with constant gain

for _: uint256 in range(number_of_periods, bound=MAX_V2_DURATION):

new_balance_of_self: uint256 = (

params.balance_of_self

* (params.total_supply - params.balance_of_self) // params.total_supply

)

params.total_supply -= (

params.balance_of_self * params.balance_of_self // params.total_supply

)

params.balance_of_self = new_balance_of_self

The loop runs for number_of_periods, which is capped by MAX_V2_DURATION. MAX_V2_DURATION is set to 4 * 12 * 4 (192 periods). This design means the function could execute 192 iterations in a single transaction.

Impact

High gas costs may discourage users from calling update_price(). Without timely updates, prices will stale, leading to incorrect oracle data. Smart contracts and DeFi applications relying on this oracle could malfunction, potentially locking user funds or mispricing assets.

Tools Used

Manual Review

Recommendations

Lower the upper bound for periods (currently set to 192). Evaluate whether the same functionality can be achieved with fewer periods or a different model.

Updates

Lead Judging Commences

0xnevi Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

[invalid] finding-incorrect-loop-bound

Invalid, `bound` here has a different meaning from Python's `range(a, b)`. It is a bound of maximum iterations, meaning the loop will only go to the bounded `MAX_V2_DURATION` when `number_of_periods >= MAX_V2_DURATION`

Prize pool breakdown

Total prize

14,723 OP

Eagles

1,472 OP

nSLOC

394

37 OP / LOC

High Medium

12,700

Low

551

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.