Submission Details
Severity: medium
Invalid

`profit_max_unlock_time` Parameter Can Be Updated With No Restrictions, Causing Price Discrepancies

Relevant GitHub Links

https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/oracles/ScrvusdOracleV2.vy#L334-L348

Summary

The ScrvusdOracleV2.vy contract allows updating the profit_max_unlock_time parameter with no restrictions or transition handling. This can lead to significant discrepancies between the calculated oracle prices and actual scrvUSD vault prices, potentially disrupting cross-chain stableswap pools.

Vulnerability Details

The profit_max_unlock_time parameter is crucial for calculating how profits are unlocked over time in the scrvUSD vault simulation. The contract includes an update_profit_max_unlock_time function that allows an address with the UNLOCK_TIME_VERIFIER role to change this value:

@external
def update_profit_max_unlock_time(_profit_max_unlock_time: uint256, _block_number: uint256) -> bool:
    """
    @notice Update price using `_parameters`
    @param _profit_max_unlock_time New `profit_max_unlock_time` value
    @param _block_number Block number of parameters to linearize updates
    @return Boolean whether value changed
    """
    access_control._check_role(UNLOCK_TIME_VERIFIER, msg.sender)
    # Allowing same block updates for fixing bad blockhash provided (if possible)
    assert self.last_block_number <= _block_number, "Outdated"
    self.last_block_number = _block_number
    prev_value: uint256 = self.profit_max_unlock_time
    self.profit_max_unlock_time = _profit_max_unlock_time
    return prev_value != _profit_max_unlock_time

The issue is that no bounds are enforced on the new value: zero, or a period far longer than the vault's, is accepted as readily as the vault's real setting, and nothing reconciles profit that is already part-way through unlocking under the previous period.
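To make the mechanism concrete, here is an added Python model (not the oracle's or the vault's own code) of Yearn-V3-style profit locking, which the scrvUSD oracle replicates for the vault: a report mints shares for the gain to the vault itself and releases them linearly over profit_max_unlock_time, so the price per share climbs from the pre-report value to the post-profit value across that window. Replaying the same report with a different period yields a different price at any moment inside the window, which is the discrepancy described above. The `smoothed_price` function is a simplified stand-in for the rate limiting that the judgement further down refers to, and shows how such a cap bounds what gets reported regardless of the raw simulation. `RATE_SCALE`, the 0.1 %/day cap and the sample balances are assumptions chosen for the example.

```python
# Added illustration (not the oracle's or the vault's own code): a simplified
# model of Yearn-V3-style profit locking, which the scrvUSD oracle simulates,
# plus a rate-limited "smoothed" price. RATE_SCALE, the 0.1 %/day cap and
# the sample balances are assumptions chosen for the example.
from dataclasses import dataclass

PRECISION = 10**18
RATE_SCALE = 10**12   # fixed-point scale for the per-second unlocking rate (assumed)
DAY = 86_400


@dataclass
class Vault:
    total_assets: int
    total_supply: int            # outstanding shares, including locked profit shares
    locked_shares: int = 0       # profit shares the vault holds for itself
    unlocking_rate: int = 0      # locked shares released per second, times RATE_SCALE
    last_profit_update: int = 0
    full_profit_unlock_date: int = 0


def unlocked_shares(v: Vault, now: int) -> int:
    """Locked shares released so far on the linear schedule of the last report."""
    if v.full_profit_unlock_date > now:
        return v.unlocking_rate * (now - v.last_profit_update) // RATE_SCALE
    if v.full_profit_unlock_date != 0:
        return v.locked_shares
    return 0


def price_per_share(v: Vault, now: int) -> int:
    """Assets per share, 1e18-scaled. Released shares leave the supply, so the
    price climbs linearly until full_profit_unlock_date and then stops."""
    return v.total_assets * PRECISION // (v.total_supply - unlocked_shares(v, now))


def process_report(v: Vault, gain: int, now: int, profit_max_unlock_time: int) -> None:
    """Book `gain` of profit. Shares for it are minted to the vault at the
    pre-report price and scheduled to unlock over profit_max_unlock_time.
    Simplified: fees and the blending of an older, unfinished lock are ignored."""
    released = unlocked_shares(v, now)        # burn what has already unlocked
    v.total_supply -= released
    v.locked_shares -= released
    new_shares = gain * v.total_supply // v.total_assets
    v.total_assets += gain
    if profit_max_unlock_time == 0:           # no lock: profit shows up at once
        v.total_supply -= v.locked_shares
        v.locked_shares = 0
        v.unlocking_rate = 0
        v.full_profit_unlock_date = 0
    else:
        v.total_supply += new_shares
        v.locked_shares += new_shares
        v.unlocking_rate = v.locked_shares * RATE_SCALE // profit_max_unlock_time
        v.full_profit_unlock_date = now + profit_max_unlock_time
    v.last_profit_update = now


def smoothed_price(last_price: int, raw_price: int, dt: int, max_change: int) -> int:
    """Stand-in for a rate-limited oracle price: the reported value may move
    from last_price by at most last_price * max_change * dt (max_change is a
    1e18-scaled fraction per second), whatever the raw simulation says."""
    cap = last_price * max_change * dt // PRECISION
    return max(last_price - cap, min(last_price + cap, raw_price))


def discrepancy_example() -> dict:
    """One report replayed with two unlock periods: the vault's 7 days and an
    oracle parameter switched to 1 day. Constructed numbers."""
    gain = 10 * PRECISION
    t_query = 3 * DAY + DAY // 2
    vault = Vault(total_assets=1000 * PRECISION, total_supply=1000 * PRECISION)
    sim = Vault(total_assets=1000 * PRECISION, total_supply=1000 * PRECISION)
    process_report(vault, gain, 0, 7 * DAY)    # what the real vault booked
    process_report(sim, gain, 0, 1 * DAY)      # the oracle's replay after the change
    last_reported = price_per_share(vault, 0)  # both models agree at report time
    actual = price_per_share(vault, t_query)
    simulated = price_per_share(sim, t_query)  # already fully unlocked in the replay
    max_change = PRECISION // DAY // 1000      # 0.1 % per day (assumed cap)
    reported = smoothed_price(last_reported, simulated, t_query, max_change)
    return {"actual": actual, "simulated": simulated, "reported": reported}


if __name__ == "__main__":
    for name, value in discrepancy_example().items():
        print(f"{name:>9}: {value / PRECISION:.6f}")
```

Run as a script, it prints the vault's real price 3.5 days into a 7-day lock (about 1.004975), the replay's price with a 1-day period (1.010000, the whole gain already unlocked), and the capped value a rate-limited oracle would report (about 1.003500). The gap between the first two numbers is the discrepancy the finding describes; the third shows why a per-update cap, rather than the parameter alone, decides how far the reported price can jump at once.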

Impact

  1. A sudden change to profit_max_unlock_time can cause immediate and significant price discrepancies between the oracle and the actual scrvUSD vault.

  2. This affects cross-chain stableswap pools that rely on this oracle for accurate pricing of scrvUSD.

  3. Users may execute trades based on incorrect pricing, potentially leading to financial losses.

  4. If the change is drastic, it could create arbitrage opportunities that harm liquidity providers.

  5. Since this impacts price calculation, all three price versions (v0, v1, v2) would be affected, though to different degrees.

Tools Used

Manual code review

Recommendations

  1. Implement bounds checking for the profit_max_unlock_time parameter to prevent extreme values.

  2. Add a change limitation to prevent dramatic changes that could cause price shocks.

  3. Implement transition handling logic for in-progress profit unlocking when the parameter changes.

  4. Consider adding a timelock mechanism for parameter changes to allow users to prepare for upcoming changes.

  5. Require verification that the corresponding parameter has changed in the source contract before updating it in the oracle.

Updates

Lead Judging Commences

0xnevi Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
Assigned finding tags:

[invalid] finding-change-in-max-update-time-influence

This issue and its duplicates lack sufficient proof of the impact of a sudden change in `profit_max_unlock_time`. Both price parameters and `profit_max_unlock_time` can be adjusted immediately. However, the whole purpose of `_smoothed_price` is to limit sudden updates. This is performed when the raw price and last price are compared within the `_price_v0/v1/v2` function calls to limit price updates to `max_change`. The slowed price lag can then be safely arbitraged, as mentioned in the docs:

> Smoothing is introduced for sudden updates, so the price slowly catches up with the price, while the pool is being arbitraged safely. Though, smoothing limits the upper bound of price growth. Therefore, we consider that scrvUSD will never be over 60% APR.
