Storage Proofs

Curve

DeFiLayer 1Layer 2

14,723 OP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Manipulable Profit Unlock Duration in Verifier V2

entrancesun

Summary

The ScrvusdVerifierV2 contract updates the profit unlocking duration (profit_max_unlock_time) using a period extracted from state proofs without sufficiently validating that the period falls within an expected range. Indirectly distorts the price simulation; requires specific conditions for exploitation.

Vulnerability Details

-The period value obtained from the state proof is not rigorously bounded; an attacker could supply an abnormally short or long duration.

-A manipulated profit unlock duration would distort the simulation of the vault’s growth rate, impacting how the oracle computes scrvUSD’s price.

Elaboration

The ScrvusdVerifierV2 contract updates the profit_max_unlock_time using a period extracted from state proofs. However, this period value is not strictly validated against expected or historical ranges, allowing an attacker to supply a manipulated period (e.g., significantly shorter than the typical duration). This manipulation can distort the vault’s simulated profit unlock schedule, affecting the scrvUSD price calculations.

Proof of Concept (PoC):

An attacker submits a state proof with a manipulated period value, reducing the profit_max_unlock_time from one week to one hour.

// Malicious RLP-encoded block header and state proof with manipulated period

bytes memory fakeBlockHeaderRLP = /* crafted RLP-encoded block header */;

bytes memory fakeStateProofRLP = /* crafted RLP-encoded state proof with short period */;

// Attacker calls verifyPeriodByBlockHash with malicious proofs

scrvusdVerifierV2.verifyPeriodByBlockHash(fakeBlockHeaderRLP, fakeStateProofRLP);

In this PoC, the attacker manipulates the profit unlock duration, causing the system to simulate rapid profit unlocking, inflating the scrvUSD price.

Impact

-An altered profit unlock duration skews the time-weighted price simulation, leading to an inaccurate scrvUSD price feed.

-This mispricing can be exploited to create arbitrage opportunities and result in financial losses for liquidity providers.

Tools Used

-Manual Code Review

-Reference to Solodit Checklist items addressing input validation for financial parameters

-Chat GPT o3-mini-high

Recommendations

-Enforce strict bounds on the extracted period value, ensuring it remains within an acceptable range based on historical data.

-Cross-verify any new period value with previous records or additional on-chain benchmarks before accepting the update.

-Log and potentially delay changes to profit unlock duration to allow for audit and intervention if anomalies are detected.

Updates

Lead Judging Commences

0xnevi Lead Judge

3 months ago

0xnevi Lead Judge 3 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

14,723 OP

Eagles

1,472 OP

nSLOC

394

37 OP / LOC

High Medium

12,700

Low

551

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.