Submission Details
Severity: medium
Invalid

Immutable Oracle Address Creates Upgrade Risk

Summary

The ScrvusdVerifierV1 and ScrvusdVerifierV2 contracts set the oracle address as immutable during construction, preventing any updates to the oracle if it becomes compromised, deprecated, or requires an upgrade. This design creates a rigid dependency that could force a complete redeployment of the verification system if oracle issues arise.

Vulnerability Details

In both verifier contracts, the oracle address is set as an immutable state variable:

address public immutable SCRVUSD_ORACLE;

constructor(address _block_hash_oracle, address _scrvusd_oracle)
{
    BLOCK_HASH_ORACLE = _block_hash_oracle;
    SCRVUSD_ORACLE = _scrvusd_oracle;
}

The verifier contracts rely on this oracle to update price information:

function _updatePrice(
    uint256[PARAM_CNT] memory params,
    uint256 ts,
    uint256 number
) internal returns (uint256) {
    return IScrvusdOracle(SCRVUSD_ORACLE).update_price(params, ts, number);
}

Once deployed, there's no mechanism to change this address if needed.

Impact

The immutable oracle design forces a complete system redeployment if the oracle requires replacement, causing service disruptions.

Tools Used

Manual review

Recommendations

Add an admin/owner function to update the oracle address.
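A sketch of what this recommendation would look like, added here as an illustration and not taken from the submission or the audited repository. The contract name, `owner`, `setOracle`, `OracleUpdated`, the custom errors and the `PARAM_CNT` value are assumptions; only the `update_price` call shape comes from the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Placeholder value (assumption): the report does not state PARAM_CNT.
uint256 constant PARAM_CNT = 7;

interface IScrvusdOracle {
    function update_price(uint256[PARAM_CNT] memory params, uint256 ts, uint256 number)
        external returns (uint256);
}

// Hypothetical verifier variant with a replaceable oracle address.
contract UpdatableOracleVerifier {
    address public immutable owner;   // hypothetical admin, ideally a multisig or timelock
    address public scrvusdOracle;     // storage variable instead of immutable

    event OracleUpdated(address indexed previous, address indexed current);

    error NotOwner();
    error ZeroAddress();
    error NotAContract();

    constructor(address _owner, address _scrvusd_oracle) {
        if (_owner == address(0)) revert ZeroAddress();
        owner = _owner;
        _setOracle(_scrvusd_oracle);
    }

    // Only the owner may repoint the verifier at a new oracle.
    function setOracle(address newOracle) external {
        if (msg.sender != owner) revert NotOwner();
        _setOracle(newOracle);
    }

    function _setOracle(address newOracle) internal {
        // Reject addresses that can never answer update_price.
        if (newOracle == address(0)) revert ZeroAddress();
        if (newOracle.code.length == 0) revert NotAContract();
        // Emit before the write so off-chain monitoring sees old and new values.
        emit OracleUpdated(scrvusdOracle, newOracle);
        scrvusdOracle = newOracle;
    }

    function _updatePrice(uint256[PARAM_CNT] memory params, uint256 ts, uint256 number)
        internal returns (uint256)
    {
        return IScrvusdOracle(scrvusdOracle).update_price(params, ts, number);
    }
}
```

A mutable address trades the redeployment cost for a trust assumption on the owner key: whoever controls `owner` can redirect verified updates to any contract, so the `OracleUpdated` event should be monitored.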

Updates

Lead Judging Commences

0xnevi Lead Judge
5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
