DeFiLayer 1Layer 2
14,723 OP
View results
Submission Details
Severity: medium
Invalid

Manipulable Profit Unlock Duration in Verifier V2

Summary

The ScrvusdVerifierV2 contract updates the profit unlocking duration (profit_max_unlock_time) using a period extracted from state proofs without sufficiently validating that the period falls within an expected range. Indirectly distorts the price simulation; requires specific conditions for exploitation.

Vulnerability Details

-The period value obtained from the state proof is not rigorously bounded; an attacker could supply an abnormally short or long duration.

-A manipulated profit unlock duration would distort the simulation of the vault’s growth rate, impacting how the oracle computes scrvUSD’s price.

Elaboration

The ScrvusdVerifierV2 contract updates the profit_max_unlock_time using a period extracted from state proofs. However, this period value is not strictly validated against expected or historical ranges, allowing an attacker to supply a manipulated period (e.g., significantly shorter than the typical duration). This manipulation can distort the vault’s simulated profit unlock schedule, affecting the scrvUSD price calculations.​

Proof of Concept (PoC):

An attacker submits a state proof with a manipulated period value, reducing the profit_max_unlock_time from one week to one hour.​

// Malicious RLP-encoded block header and state proof with manipulated period
bytes memory fakeBlockHeaderRLP = /* crafted RLP-encoded block header */;
bytes memory fakeStateProofRLP = /* crafted RLP-encoded state proof with short period */;
// Attacker calls verifyPeriodByBlockHash with malicious proofs
scrvusdVerifierV2.verifyPeriodByBlockHash(fakeBlockHeaderRLP, fakeStateProofRLP);

In this PoC, the attacker manipulates the profit unlock duration, causing the system to simulate rapid profit unlocking, inflating the scrvUSD price.

Impact

-An altered profit unlock duration skews the time-weighted price simulation, leading to an inaccurate scrvUSD price feed.

-This mispricing can be exploited to create arbitrage opportunities and result in financial losses for liquidity providers.

Tools Used

-Manual Code Review

-Reference to Solodit Checklist items addressing input validation for financial parameters

-Chat GPT o3-mini-high

Recommendations

-Enforce strict bounds on the extracted period value, ensuring it remains within an acceptable range based on historical data.

-Cross-verify any new period value with previous records or additional on-chain benchmarks before accepting the update.

-Log and potentially delay changes to profit unlock duration to allow for audit and intervention if anomalies are detected.

Updates

Lead Judging Commences

0xnevi Lead Judge
3 months ago
0xnevi Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.