The problem is with the update_price function, which updates the price based on external data. If this data comes from a source that can be influenced by flash loans (and it does come from Ethereum on-chain data), an attacker can change the price for a short time and trick the system into accepting a false value.
The system tries to limit sudden price changes using a smoothing method (_smoothed_price), but this only slows down manipulation—it doesn't stop it completely. If an attacker repeats the trick multiple times, they can gradually push the price up or down, making money unfairly.
Instead of making one big change, the attacker makes small price changes over several blocks to reach their target price.
Flash loans let an attacker borrow and return large amounts of money in one transaction, meaning they don’t need their own capital.
Even though there’s a limit on how much the price can change in one update, the attacker can perform multiple small updates to slowly force the price in their favor. If the update_price function depends on values like total_debt, total_idle, or balance_of_self, the attacker can temporarily control these values using flash loans. Each time they do this, they can trade at a manipulated price, making a profit step by step.
Key Takeaways:
✅ The system prevents sudden price jumps, but small changes over time are still a problem.
✅ Flash loans let attackers do this repeatedly without needing their own money.
✅ A better price-checking system, like TWAP (Time-Weighted Average Price) or using multiple data sources, can help stop this attack.
Here is how the attack can be performed. Please note that it is difficult to write any PoC for this codebase because I couldn't even install the project without errors, couldn't run any tests, and the time span is very short.
1️⃣ The attacker takes a large flash loan in scrvUSD or another related asset.
2️⃣ They move liquidity to change key values like total_debt, total_idle, or total_supply, which affects the price.
3️⃣ They trigger update_price, forcing the system to accept a fake high or low price.
4️⃣ The price doesn’t reset immediately due to the smoothing system, so it stays manipulated.
5️⃣ The attacker repays the flash loan and profits from the manipulated price.
6️⃣ They repeat the process multiple times to slowly shift the price where they want it.
Market manipulation: Attackers can slowly push prices up or down.
Unfair profits: They buy low and sell high by forcing price changes in their favor.
Losses for honest users: Regular users may end up buying at an unfairly high price or selling too low.
Manual review
Use TWAP (Time-Weighted Average Price): This makes it harder to manipulate prices in one block.
Check multiple data sources: Instead of relying on one source, compare data from different places.
Limit rapid updates: Prevent users from updating the price too many times in a short period.
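The following is an added model, not code from the submission or from the project, of why a per-update cap alone does not bound cumulative drift and how the "limit rapid updates" recommendation changes that. The cap value `MAX_STEP`, the clamp form, and the `min_interval` parameter are assumptions for illustration; this is not the project's `_smoothed_price` logic.

```python
MAX_STEP = 0.01  # hypothetical per-update cap (1%), not a value from the project

def clamp_update(stored, raw, max_step=MAX_STEP):
    """Move the stored price toward the raw observation, at most max_step per update."""
    return min(max(raw, stored * (1 - max_step)), stored * (1 + max_step))

def simulate(raw_by_block, start, min_interval=1, max_step=MAX_STEP):
    """Return the stored-price history; updates closer than min_interval blocks are rejected."""
    history, last = [start], None
    for block, raw in enumerate(raw_by_block):
        if last is not None and block - last < min_interval:
            continue  # rate limit: too soon after the last accepted update
        history.append(clamp_update(history[-1], raw, max_step))
        last = block
    return history

def longest_saturated_run(history, max_step=MAX_STEP, tol=1e-9):
    """Monitoring check: longest streak of updates that hit the cap in one direction."""
    best = run = prev_sign = 0
    for a, b in zip(history, history[1:]):
        change = b / a - 1
        capped = abs(change) >= max_step - tol
        sign = (change > 0) - (change < 0)
        if capped and sign == prev_sign:
            run += 1          # streak continues in the same direction
        elif capped:
            run = 1           # capped, but direction changed or streak just started
        else:
            run = 0           # ordinary update, below the cap
        prev_sign = sign if capped else 0
        best = max(best, run)
    return best

# Constructed input: the raw observation reads 1.20 for 10 consecutive blocks
# while the stored price starts at 1.00.
RAW = [1.20] * 10
unlimited = simulate(RAW, 1.00)                # one update accepted per block
limited = simulate(RAW, 1.00, min_interval=5)  # one update per 5 blocks

if __name__ == "__main__":
    print(f"no rate limit:  {unlimited[-1] - 1:+.2%} over {len(unlimited) - 1} updates")
    print(f"min_interval=5: {limited[-1] - 1:+.2%} over {len(limited) - 1} updates")
    print("longest capped streak:", longest_saturated_run(unlimited))
```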