Severity: Medium
Category: Access Control / Centralization Risk
Impact: Single admin can manipulate price movement constraints
Likelihood: High (requires only admin key compromise)
Contract: ScrvusdOracleV2.vy
Functions: set_max_price_increment, set_max_v2_duration
Critical oracle parameters can be modified immediately by a single admin without any timelock or multi-signature requirement. While bounds are implemented, the admin still has significant control over price movement limitations.
1. Attacker compromises admin key
2. Sets max_price_increment to maximum allowed value (10^18)
3. This allows sudden price movements up to 100% per second
4. Malicious actor exploits the increased price volatility in StableSwap pools
5. Results in potential drain of liquidity pools due to arbitrage opportunities
Implement a timelock mechanism for parameter updates:
Implement multi-signature requirement for parameter changes
Add emergency pause functionality
Further restrict parameter bounds based on pool economics
Implement gradual parameter updates over time
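A sketch of the timelock recommendation above in Vyper, added here as an example and not taken from ScrvusdOracleV2.vy. The storage names, the schedule/apply/cancel function names, the 2-day delay and the single `admin` address are assumptions; only the 10^18 upper bound comes from the finding.

```vyper
# pragma version ~=0.4.0
# Added example: two-step (schedule, then apply) update for max_price_increment.
# Names, delay and the single-admin check are assumptions, not the oracle's code.

TIMELOCK_DELAY: constant(uint256) = 2 * 86400  # assumed 2-day delay
MAX_INCREMENT: constant(uint256) = 10**18      # upper bound cited in the finding

admin: public(address)
max_price_increment: public(uint256)
pending_increment: public(uint256)
pending_eta: public(uint256)  # 0 means nothing is scheduled

event IncrementScheduled:
    value: uint256
    eta: uint256

event IncrementApplied:
    value: uint256

@deploy
def __init__(_admin: address, _initial: uint256):
    assert _initial <= MAX_INCREMENT, "out of bounds"
    self.admin = _admin
    self.max_price_increment = _initial

@external
def schedule_max_price_increment(_value: uint256):
    assert msg.sender == self.admin, "not admin"
    assert _value <= MAX_INCREMENT, "out of bounds"
    self.pending_increment = _value
    self.pending_eta = block.timestamp + TIMELOCK_DELAY
    log IncrementScheduled(_value, self.pending_eta)

@external
def apply_max_price_increment():
    # Callable by anyone: the delay, not the caller, is the control.
    eta: uint256 = self.pending_eta
    assert eta != 0, "nothing scheduled"
    assert block.timestamp >= eta, "timelock active"
    self.pending_eta = 0
    self.max_price_increment = self.pending_increment
    log IncrementApplied(self.pending_increment)

@external
def cancel_max_price_increment():
    assert msg.sender == self.admin, "not admin"
    self.pending_eta = 0
```

The `IncrementScheduled` event is what gives monitoring and pool participants the delay window to react before a new limit takes effect.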
Impact: Medium - While bounds exist, parameter manipulation could still significantly impact pool operations
Likelihood: High - Single point of failure through admin key compromise
The issue is rated as Medium severity because:
Parameter bounds provide some protection
Changes are logged and transparent
Existing tests validate role-based access control
Documentation acknowledges DAO control
- Per [codehawks documentation](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid) - Parameter change is executed via the DAO per docs
> Also, it is worth noting that the oracle is controlled by a DAO and its parameters can be changed by a vote.