Storage Proofs

Curve

DeFiLayer 1Layer 2

14,723 OP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Lack of Input Validation for _extractParametersFromProof

asar

Summary

The function _extractParametersFromProof extracts storage slot values from a provided state proof. However, it does not perform sufficient validation to ensure the extracted values are within expected bounds, making the system vulnerable to incorrect or manipulated data being stored and used in price updates.

Vulnerability Details

The function _extractParametersFromProof processes state proofs by iterating through a list of extracted storage slots.
There are no explicit validation checks to ensure that the extracted values are within expected ranges or follow expected data formats.
If an attacker submits a malformed or manipulated proof, the contract might extract and use incorrect values, leading to invalid price calculations.
The contract assumes that the provided proof is always correct if it passes basic structural checks, without verifying the plausibility of extracted parameters.

Impact

If an attacker submits an invalid or out-of-bounds value, the oracle could accept and store an incorrect price update.
Users relying on the price feed might execute trades or lending operations based on manipulated data, resulting in financial loss.
The incorrect price could propagate across multiple DeFi protocols, leading to systemic risks within the ecosystem.

Tools Used

manauly

Recommendations

Implement strict validation checks for extracted storage values to ensure they match expected data types and fall within predefined ranges.
Introduce sanity checks on extracted values before using them in price calculations.
Implement logging and monitoring to detect anomalies in state proof extraction and reject suspicious inputs.

Updates

Lead Judging Commences

0xnevi Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Out of scope

Assigned finding tags:

[invalid] finding-missing-proof-content-validation

- See [here]([https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle)](https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle) on how it is used to verify storage variable - All state roots and proofs must be verified by the OOS `StateProofVerifier` inherited as `Verifier` (where the price values and params are extracted), so there is no proof that manipulating timestamp/inputs can affect a price update - It is assumed that the OOS prover will provide accurate data and the OOS verifier will verify the prices/max unlock time to be within an appropriate bound/values - There is a account existance check in L96 of `ScrvusdVerifierV1.sol`, in which the params for price updates are extracted from

Prize pool breakdown

Total prize

14,723 OP

Eagles

1,472 OP

nSLOC

394

37 OP / LOC

High Medium

12,700

Low

551

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.