Storage Proofs

Curve

DeFiLayer 1Layer 2

14,723 OP

View results

Previous Next

Submission Details

Severity: low

Invalid

Lack of Input Validation Leading to Division-by-Zero and Arithmetic Overflows

ngochungp295

Summary

The scrvUSD Oracle system lacks critical input validation checks, particularly for total_supply and price-related parameters. The system fails to validate critical inputs, such as ensuring that total_supply is greater than zero or that price ranges are within reasonable bounds.

Vulnerability Details

Code Locations:

ScrvusdOracleV2.vy:

def _raw_price(ts: uint256, parameters_ts: uint256) -> uint256:
return self._total_assets(parameters) * 10**18 // self._total_supply(parameters, ts)
No check for self._total_supply(...) > 0.
ScrvusdVerifierV1.sol: Accepts state proofs without validating parameter sanity (e.g., total_supply).

-> Missing guards for total_supply > 0 and valid price ranges.

Impact

Division-by-Zero: If total_supply = 0, _raw_price reverts, freezing the oracle and halting pool operations.
Systemic Risk: Entire protocol functionality depends on oracle reliability.

Tools Used

Recommendations

Input Validation:

Add checks in ScrvusdOracleV2.vy:

assert self._total_supply(parameters, ts) > 0, "Invalid total_supply"

Updates

Lead Judging Commences

0xnevi Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Out of scope

Assigned finding tags:

[invalid] finding-division-by-zero

Note that `total_supply` and `profit_unlocking_rate` is initially set to 1 and 0 respectively when the `ScrvusdOracleV2.vy` is deployed 1. `total_supply` and `profit_unlocking_rate` is part of the price param updates within `update_price`, which must have gone through verification via the OOS `StateProofVerifier` contract, so there is no evidence that a 0 supply is allowed either via a 0 supply update or an extremely high `profit_unlocking_rate`. 2. Since price is retrieved via values retrived from the V3Vault, if there is no supply, there is arguably no price to be posted. As such, reverting is arguably the correct choice since a 0 price value is not expected from scrvUSD, which is a stable coin.

Prize pool breakdown

Total prize

14,723 OP

Eagles

1,472 OP

nSLOC

394

37 OP / LOC

High Medium

12,700

Low

551

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.