Summary

This report identifies a low-severity vulnerability in the ScrvusdOracleV2.vy contract, specifically in the init function. The issue stems from an incorrect value assigned to max_price_increment, which does not align with the documented target of a maximum 63% Annual Percentage Yield (APY). Assuming the documentation is correct, the current implementation results in a significantly lower APY, affecting the price smoothing mechanism's intended behavior.

Vulnerability Details

The vulnerability is located in the __init__ function of the ScrvusdOracleV2.vy contract, where the max_price_increment variable is initialized. The comment states that a value of 2 * 10**12 corresponds to a maximum 63% APY, but calculations reveal that this value only achieves approximately 6.5% APY. Assuming the documented 63% APY is the intended target, the assigned value is incorrect.

Code Reference

Analysis

• Current Implementation:

  • max_price_increment = 2 * 10**12 defines the maximum price increase per second in the _smoothed_price function:

• Growth rate per second: 2 * 10^12 / 10^18 = 2 * 10^-6 (0.000002 or 0.02 bps).

• Seconds in a year: 365 * 24 * 60 * 60 = 31,536,000.

• APY with continuous compounding:

• Expected Value for 63% APY:

• Target APY: 63% → e^rate - 1 = 0.63.

• rate ≈ 0.4886 (yearly rate).

• Rate per second: 0.4886 / 31,536,000 ≈ 1.55 * 10^-5.

• Required max_price_increment: 1.55 * 10^-5 * 10^18 ≈ 1.55 * 10^13.

• Issue: The current value (2 * 10**12) is an order of magnitude too low to achieve the documented 63% APY, indicating an error in the code rather than the documentation.

Impact

• Reduced Price Adjustment Rate: With max_price_increment set to 2 * 10**12, the price smoothing mechanism caps the growth rate at approximately 6.5% APY instead of the intended 63%. This results in slower price adjustments than expected, potentially causing the oracle to lag behind real market conditions or vault profit growth.

• Misalignment with Design Intent: If the 63% APY is the correct target (as per the documentation), the current implementation fails to meet this goal, affecting the reliability of the oracle for applications expecting faster price convergence (e.g., StableSwap pools or other integrations).

Tools Used

• Manual code review

• Vyper syntax analysis

• Mathematical calculations for APY (using exponential growth formulas)

• No automated tools were used; the vulnerability was identified through logical analysis and verification of documented claims against code behavior.

Recommendations

To correct this vulnerability and align the contract with the documented 63% APY target, the following action is recommended:

Update max_price_increment Value:

• Adjust the initialization of max_price_increment in the __init__ function to reflect the correct value for 63% APY:

• This change increases the maximum price adjustment rate to approximately 1.55 * 10^-5 per second, achieving the intended 63% APY with continuous compounding.