Submission Details
Severity: high
Invalid

Incorrect Timestamp in verifyScrvusdByStateRoot

Summary

The verifyScrvusdByStateRoot function uses profit_unlocking_rate instead of last_profit_update.

Vulnerability Details

The comment says to use last_profit_update, but profit_unlocking_rate is actually used.

```solidity
function verifyScrvusdByStateRoot(
    uint256 _block_number,
    bytes memory _proof_rlp
) external returns (uint256) {
    bytes32 state_root = IBlockHashOracle(BLOCK_HASH_ORACLE).get_state_root(_block_number);
    uint256[PARAM_CNT] memory params = _extractParametersFromProof(state_root, _proof_rlp);
    // Use last_profit_update as the timestamp surrogate
    return _updatePrice(params, params[5], _block_number);
}
```

PARAM_SLOTS structure -

```solidity
uint256[PROOF_CNT] internal PARAM_SLOTS = [
    uint256(0), // filler for account proof
    uint256(21), // total_debt
    uint256(22), // total_idle
    uint256(20), // totalSupply
    uint256(38), // full_profit_unlock_date
    uint256(39), // profit_unlocking_rate
    uint256(40), // last_profit_update
    uint256(keccak256(abi.encode(18, SCRVUSD))) // balanceOf(self)
];
```

Impact

A wrong timestamp is used to update the price, which may lead to over- or undervaluation instead of the actual valuation.

Tools Used

Manual Review

Recommendations

Use this -

```solidity
return _updatePrice(params, params[6], _block_number);
```

Updates

Lead Judging Commences

0xnevi Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[invalid] finding-params-5-wrong-extract

See primary comments in issue [228](https://codehawks.cyfrin.io/c/2025-03-curve/judging/228)
