Submission Details
Severity: medium
Invalid

Potential Reentrancy Risk in _updatePrice

Vulnerability Details

  • The _updatePrice function calls update_price on SCRVUSD_ORACLE, an external contract, without applying reentrancy protection.

  • If SCRVUSD_ORACLE is malicious or compromised, it could implement a fallback function that calls back into the verifier contract before the original execution completes.

  • This could result in multiple unintended updates or the exploitation of a race condition.

  • The lack of a nonReentrant modifier or other state management controls makes the contract susceptible to reentrant attacks.

Impact

  • If exploited, an attacker could repeatedly invoke _updatePrice in a single transaction, potentially causing incorrect price updates.

  • This could lead to price manipulation, creating opportunities for arbitrage or draining liquidity pools.

  • A compromised oracle contract could force the verifier contract into an inconsistent state, leading to incorrect price calculations.

Tools Used

Manual review

Recommendations

  • Introduce a reentrancy guard (nonReentrant modifier) to prevent recursive calls.

  • Ensure atomicity of price updates by structuring external calls at the end of the function.

  • Consider using a checks-effects-interactions pattern to mitigate risks associated with external contract calls.

  • Implement additional sanity checks to detect unexpected recursive execution attempts.
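The patterns the recommendations refer to, as an added Solidity illustration that is not the project's code (the verifier contract, `SCRVUSD_ORACLE` and the real `_updatePrice` body are not on this page, and the interface, contract and function names below are assumptions). The first contract writes state after the external call and has no guard, so a callee that calls back re-enters past the block check; the second applies checks-effects-interactions plus a guard. The third contract is a constructed test oracle that tries to re-enter once, so the two updaters can be compared. One caveat a reviewer would raise, and which is consistent with the judgement on this submission: reentrancy is only reachable when the callee is attacker-influenced and some effect is still pending when the call is made; an external call to a fixed, trusted address placed after all state writes gives a callback nothing to exploit, and a guard then adds no protection.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal interface for the illustration; the real oracle ABI is not on this page.
interface IPriceOracle {
    function update_price(uint256 price) external;
}

// Pattern A (weak): interaction before effects, no guard.
// A callee that calls back into updatePrice() sees lastUpdateBlock still unset.
contract UpdaterWithoutGuard {
    IPriceOracle public immutable oracle;
    uint256 public lastUpdateBlock;
    uint256 public updateCount;

    constructor(IPriceOracle _oracle) { oracle = _oracle; }

    function updatePrice(uint256 price) external {
        require(block.number > lastUpdateBlock, "already updated this block"); // check
        oracle.update_price(price);      // interaction happens first ...
        lastUpdateBlock = block.number;  // ... so a re-entrant call passes the check again
        updateCount += 1;
    }
}

// Pattern B (hardened): checks, then effects, then the external call, behind a guard.
contract UpdaterWithGuard {
    IPriceOracle public immutable oracle;
    uint256 public lastUpdateBlock;
    uint256 public updateCount;
    uint256 private _locked = 1;

    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    constructor(IPriceOracle _oracle) { oracle = _oracle; }

    function updatePrice(uint256 price) external nonReentrant {
        require(block.number > lastUpdateBlock, "already updated this block"); // checks
        lastUpdateBlock = block.number;                                         // effects
        updateCount += 1;
        oracle.update_price(price);                                             // interaction last
    }
}

// Constructed test oracle: on its first update_price call it tries to re-enter
// the caller once with a different price.
contract ReenteringOracle is IPriceOracle {
    uint256 public stored;
    uint256 public callCount;
    bool private reentered;

    function update_price(uint256 price) external override {
        stored = price;
        callCount += 1;
        if (!reentered) {
            reentered = true;
            // msg.sender is the updater contract that called us.
            (bool ok, ) = msg.sender.call(
                abi.encodeWithSignature("updatePrice(uint256)", price + 1)
            );
            // Against UpdaterWithoutGuard: ok == true, updater.updateCount ends at 2,
            // stored ends at the outer price (the inner write is overwritten on return).
            // Against UpdaterWithGuard: ok == false (guard reverts), updateCount stays 1.
            ok;
        }
    }
}
```

To reproduce in a local Foundry or Hardhat project: deploy `ReenteringOracle`, deploy each updater with the oracle address, call `updatePrice(100)` on each in separate blocks, and compare `updateCount` and `callCount`. The re-entered call in Pattern A also overwrites `stored` in the oracle and then gets overwritten again when the outer call returns, which is the "multiple unintended updates" the submission describes; Pattern B reverts the inner call and leaves exactly one update.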

Updates

Lead Judging Commences

0xnevi Lead Judge
5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
