Storage Slot Hardcoding
Summary
Verifier contracts hardcode storage slots for scrvUSD parameters, risking failure if the original contract's storage layout changes.
Vulnerability Details
ScrvusdVerifierV1.sol uses fixed slots (e.g., total_debt at slot 21). If scrvUSD upgrades and modifies storage layout, proofs will extract incorrect values.
Impact
Oracle returns invalid prices, enabling pool manipulation or LP losses.
Tools Used
Manual review
Recommendations
Dynamically compute slots using keccak256 hashing:
Lead Judging Commences
[invalid] finding-upgradeable-verifier-contracts
Invalid, - srCRVUSD is a minimal proxy, meaning it can never by upgraded, see [here](https://www.cyfrin.io/blog/upgradeable-proxy-smart-contract-pattern#:~:text=Minimal%20proxies%20are%20distinct%20from,provide%20upgrade%20or%20authorization%20functionality.) and [here](https://www.rareskills.io/post/eip-1167-minimal-proxy-standard-with-initialization-clone-pattern) for more info. - Even if srcrvUSD is migrated in the future via a new minimal proxy contract deployment (which is highly unlikely), the verifier contracts can be migrated along with it via revoking the access-control within the `ScrvusdOracleV2.vy` and then granting access to a new oracle. This is also not within the scope of this contest.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.