Submission Details
Severity: low
Invalid

Lack of Input Validation Leading to Division-by-Zero and Arithmetic Overflows

Summary

The scrvUSD Oracle system lacks critical input validation checks, particularly for total_supply and price-related parameters. The system fails to validate critical inputs, such as ensuring that total_supply is greater than zero or that price ranges are within reasonable bounds.

Vulnerability Details

Code Locations:

  • ScrvusdOracleV2.vy:

    def _raw_price(ts: uint256, parameters_ts: uint256) -> uint256:
        # excerpt: `parameters` is defined in a part of the function not shown
        return self._total_assets(parameters) * 10**18 // self._total_supply(parameters, ts)

    No check for self._total_supply(...) > 0.

  • ScrvusdVerifierV1.sol: Accepts state proofs without validating parameter sanity (e.g., total_supply).

    Missing guards for total_supply > 0 and valid price ranges.

Impact

  • Division-by-Zero: If total_supply = 0, _raw_price reverts, freezing the oracle and halting pool operations.

  • Systemic Risk: Entire protocol functionality depends on oracle reliability.

Tools Used

Recommendations

Input Validation:

  • Add checks in ScrvusdOracleV2.vy:

    assert self._total_supply(parameters, ts) > 0, "Invalid total_supply"

Updates

Lead Judging Commences

0xnevi Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

[invalid] finding-division-by-zero

Note that `total_supply` and `profit_unlocking_rate` are initially set to 1 and 0 respectively when the `ScrvusdOracleV2.vy` is deployed.

1. `total_supply` and `profit_unlocking_rate` are part of the price param updates within `update_price`, which must have gone through verification via the OOS `StateProofVerifier` contract, so there is no evidence that a 0 supply is allowed either via a 0 supply update or an extremely high `profit_unlocking_rate`.
2. Since price is retrieved via values retrieved from the V3Vault, if there is no supply, there is arguably no price to be posted. As such, reverting is arguably the correct choice since a 0 price value is not expected from scrvUSD, which is a stablecoin.
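
An added example, not part of the submission, the judge's comment or the project's code: a simplified Python model of the read path, comparing the recommended read-side assert with a write-side check under the hypothetical assumption that a zero-supply update reaches the oracle. `OracleModel`, `Params`, the guard flags and all sample values are constructed for illustration.

```python
# Simplified Python model, constructed for illustration (not the project's Vyper code).
# Assumption: total_assets/total_supply are plain stored values; the real oracle
# derives them from more parameters (e.g. profit unlocking).
from dataclasses import dataclass

WAD = 10**18

class Revert(Exception):
    """Stands in for an EVM revert."""

@dataclass
class Params:
    total_assets: int
    total_supply: int

class OracleModel:
    def __init__(self, guard_on_read=False, guard_on_update=False):
        # total_supply starts at 1 (per the judge's comment); total_assets=1 is a placeholder.
        self.params = Params(total_assets=1, total_supply=1)
        self.guard_on_read = guard_on_read
        self.guard_on_update = guard_on_update

    def update_price(self, new: Params) -> None:
        # Hypothetical write-side check: refuse the update, keep the last good params.
        if self.guard_on_update and new.total_supply == 0:
            raise Revert("Invalid total_supply")
        self.params = new

    def raw_price(self) -> int:
        if self.guard_on_read and self.params.total_supply == 0:
            raise Revert("Invalid total_supply")  # the assert from the recommendation
        try:
            return self.params.total_assets * WAD // self.params.total_supply
        except ZeroDivisionError:
            # Vyper's checked division also reverts on a zero divisor.
            raise Revert("division by zero") from None

def read_after_zero_supply_update(**guards) -> str:
    """Apply one good update, then a zero-supply one, then read the price."""
    oracle = OracleModel(**guards)
    oracle.update_price(Params(total_assets=105 * WAD, total_supply=100 * WAD))
    try:
        oracle.update_price(Params(total_assets=0, total_supply=0))
    except Revert:
        pass  # update rejected; stored params unchanged
    try:
        return str(oracle.raw_price())
    except Revert as exc:
        return f"revert: {exc}"
```

In this model the read reverts with or without the read-side assert (only the reason string differs), while the write-side check leaves the previous price readable.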
