Submission Details
Severity: low
Invalid

Missing Zero Address Check in ScrvusdVerifierV1 Constructor

Summary

The constructor in ScrvusdVerifierV1.sol does not validate that _block_hash_oracle and _scrvusd_oracle are non-zero, allowing deployment with BLOCK_HASH_ORACLE or SCRVUSD_ORACLE as address(0). This can render verification functions (verifyScrvusdByBlockHash, verifyScrvusdByStateRoot) non-functional or ineffective, preventing price updates to ScrvusdOracleV2 and leaving scrvUSD prices stale.

Vulnerability Details

  • Constructor Code:

    address public immutable BLOCK_HASH_ORACLE;
    address public immutable SCRVUSD_ORACLE;

    constructor(address _block_hash_oracle, address _scrvusd_oracle) {
        BLOCK_HASH_ORACLE = _block_hash_oracle;
        SCRVUSD_ORACLE = _scrvusd_oracle;
    }

The constructor lacks require(_block_hash_oracle != address(0)) or similar checks.

Impact

  • Verification

    • BLOCK_HASH_ORACLE = 0x0: Both functions revert—non-functional.

    • SCRVUSD_ORACLE = 0x0: Functions succeed but ScrvusdOracleV2 isn’t updated—stale prices.

Tools Used

  • Manual Review

Recommendations

  • Add validation

    constructor(address _block_hash_oracle, address _scrvusd_oracle) {
        require(_block_hash_oracle != address(0), "Invalid block hash oracle");
        require(_scrvusd_oracle != address(0), "Invalid scrvusd oracle");
        BLOCK_HASH_ORACLE = _block_hash_oracle;
        SCRVUSD_ORACLE = _scrvusd_oracle;
    }
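
The quoted constructor and the recommended one side by side, with a small deploy-time check. This is an added example, not part of the submission or the project's code. The contract names UncheckedVerifier, CheckedVerifier and ConstructorGuardDemo are hypothetical stand-ins, and the pragma is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18; // assumed compiler range

// Stand-in with the constructor as quoted in the finding (no checks).
contract UncheckedVerifier {
    address public immutable BLOCK_HASH_ORACLE;
    address public immutable SCRVUSD_ORACLE;

    constructor(address _block_hash_oracle, address _scrvusd_oracle) {
        BLOCK_HASH_ORACLE = _block_hash_oracle;
        SCRVUSD_ORACLE = _scrvusd_oracle;
    }
}

// Stand-in with the recommended zero-address checks.
contract CheckedVerifier {
    address public immutable BLOCK_HASH_ORACLE;
    address public immutable SCRVUSD_ORACLE;

    constructor(address _block_hash_oracle, address _scrvusd_oracle) {
        require(_block_hash_oracle != address(0), "Invalid block hash oracle");
        require(_scrvusd_oracle != address(0), "Invalid scrvusd oracle");
        BLOCK_HASH_ORACLE = _block_hash_oracle;
        SCRVUSD_ORACLE = _scrvusd_oracle;
    }
}

// Hypothetical harness: deploys both stand-ins and reports the difference.
contract ConstructorGuardDemo {
    // True if deploying CheckedVerifier with these arguments reverts.
    function checkedDeployReverts(address bho, address so) public returns (bool) {
        try new CheckedVerifier(bho, so) {
            return false;
        } catch {
            return true;
        }
    }

    // True when the unchecked constructor accepts zero oracles and the
    // checked one rejects each zero argument but accepts non-zero ones.
    function run() external returns (bool) {
        address nonZero = address(this); // constructed non-zero placeholder
        UncheckedVerifier u = new UncheckedVerifier(address(0), address(0));
        bool acceptsZero = u.BLOCK_HASH_ORACLE() == address(0) && u.SCRVUSD_ORACLE() == address(0);
        bool guarded = checkedDeployReverts(address(0), nonZero)
            && checkedDeployReverts(nonZero, address(0))
            && !checkedDeployReverts(nonZero, nonZero);
        return acceptsZero && guarded;
    }
}
```

Because both fields are immutable, a zero value accepted at deployment cannot be changed afterwards.
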
Updates

Lead Judging Commences

0xnevi Lead Judge
5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
