Storage Proofs
Curve
DeFiLayer 1Layer 2
14,723 OP
View results
Previous Next
Submission Details
Severity: medium
Invalid

Lack of Slot Existence Validation in ScrvusdVerifierV1’s Proof Extraction

sabanaku77

Summary

In ScrvusdVerifierV1.sol, the _extractParametersFromProof function extracts scrvUSD vault parameters from Ethereum state proofs but does not validate that the storage slots actually exist. This allows the function to proceed with zero values for missing or invalid slot proofs, passing potentially incorrect parameters to ScrvusdOracleV2.

Vulnerability Details

The issue lies in how ScrvusdVerifierV1 handles slot value extraction from state proofs without verifying their existence:

function _extractParametersFromProof(
bytes32 stateRoot,
bytes memory proofRlp
) internal view returns (uint256[PARAM_CNT] memory) {
RLPReader.RLPItem[] memory proofs = proofRlp.toRlpItem().toList();
require(proofs.length == PROOF_CNT, "Invalid number of proofs"); // PROOF_CNT = 8
Verifier.Account memory account = Verifier.extractAccountFromProof(
SCRVUSD_HASH,
stateRoot,
proofs[0].toList()
);
require(account.exists, "scrvUSD account does not exist");
// Extract slot values
uint256[PARAM_CNT] memory params; // PARAM_CNT = 7
for (uint256 i = 1; i < PROOF_CNT; i++) {
Verifier.SlotValue memory slot = Verifier.extractSlotValueFromProof(
keccak256(abi.encode(PARAM_SLOTS[i])),
account.storageRoot,
proofs[i].toList()
);
// Slots might not exist, but typically we just read them.
params[i - 1] = slot.value;
}
return params;
}

  • Parameters: PARAM_SLOTS = [0, 21, 22, 20, 38, 39, 40, keccak256(abi.encode(18, SCRVUSD))], mapping to [filler, total_debt, total_idle, totalSupply, full_profit_unlock_date, profit_unlocking_rate, last_profit_update, balanceOf(self)].

  • Behavior: If a slot proof is missing or invalid, extractSlotValueFromProof() returns slot.exists = false, slot.value = 0. V1 assigns this zero value to params without checking.

Impact

  • Price Distortion

  • stableswap-ng pools use this price, allowing users to buy scrvUSD cheap and redeem on Ethereum at 1.0.

Tools Used

  • Manual Code Review

Recommendations

  • Add Slot Existence Validation:

for (uint256 i = 1; i < PROOF_CNT; i++) {
Verifier.SlotValue memory slot = Verifier.extractSlotValueFromProof(
keccak256(abi.encode(PARAM_SLOTS[i])),
account.storageRoot,
proofs[i].toList()
);
require(slot.exists, "Slot proof missing or invalid");
params[i - 1] = slot.value;
}
Updates

Lead Judging Commences

0xnevi Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[invalid] finding-slot-not-check-verifierv1-v2

- Looking at the OOS `StateProofVerifier` and `MerklePatriciaProofVerifier` contract that extracts the slot, the `exists` flag will be flagged as true as long as a non-zero length value is returned as seen [here](https://github.com/curvefi/curve-xdao/blob/3ff77bd2ccc9c88d50ee42d2a746fc7648c7ff2c/contracts/libs/StateProofVerifier.sol#L133C13-L136). From the `MerklePatriciaProofVerifier.extractProofValue`, the minimum length returned will be 1 as represenetd by `bytes(0)`. So this seems to be purely a sanity check that might not even be required. - A slot with zero values is only allowed when the proof provided by the prover correctly proofs that such values are included within the Merkle-Patricia-Tree. The values fetched from mainnet from the V3Vault stored in the merkle trie is likely checked before hand and aggregated into the MerkleTree.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.