DeFiLayer 1Layer 2
14,723 OP
View results
Submission Details
Severity: low
Invalid

Hardcoded scrvUSD Address in ScrvusdVerifierV1

Summary

The Verifier V1 contract hardcodes the scrvUSD contract address (0x0655977FEb2f289A4aB78af67BAB0d17aAb84367). If the scrvUSD contract is upgraded or redeployed, the Verifiers will read data from the wrong address.

Vulnerability Details

Hardcoding contract addresses creates a dependency on the specific deployment of the contract. If the scrvUSD contract is upgraded or redeployed, the Verifiers would need to be updated as well.

address constant SCRVUSD = 0x0655977FEb2f289A4aB78af67BAB0d17aAb84367;

Impact

The Verifiers become incompatible with scrvUSD upgrades, rendering the oracle unusable until the Verifiers are redeployed.

Tools Used

Manual Review

Recommendations

Allow the scrvUSD address to be updated via governance or admin functions.

Updates

Lead Judging Commences

0xnevi Lead Judge
5 months ago
0xnevi Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.