Storage Slot Mismatch in ScrvusdVerifierV1
Summary
Incorrect storage slot mapping between the Vyper-based
scrvUSDoracle and the Solidity verifier contract.This mismatch causes the verifier to read incorrect data from storage, leading to corrupted price calculations.
Vulnerability Details
The Vyper contract (scrvUSD oracle) assigns storage slots sequentially to its variables:
The Solidity verifier (ScrvusdVerifierV1) incorrectly assumes slots for price_params start at Slot 21 instead of Slot 6:
total\_debt is read from Slot 21 (actual: Slot 6).
balance\_of\_self uses keccak256 (wrong; Vyper stores it at Slot 12 directly)
Vyper Storage Layout:
Variable | Slot
last_block_number - 0
last_prices[0] - 1
price_params.total_debt - 6
price_params.balance_of_self- 12
Solidity’s Incorrect Slots:
Parameter | Slot Used | Actual Slot
total_debt | 21 | 6
total_idle | 22 | 7
balance_of_self | keccak(...) | 12\
This mismatch causes the verifier to read unrelated data (e.g., other variables or empty slots), leading to garbage values.
Impact
Corrupted Price Data: Reading incorrect data, the prices it reports will be wrong and unreliable.
Broken Integrations: If the oracle is feeding bad data, these integrations will malfunction or break down.
Tools Used
Manual Code Review.
Vyper Storage Analysis.
Recommendations
Update PARAM_SLOTS in ScrvusdVerifierV1 to match Vyper’s actual slots.
Lead Judging Commences
[invalid] finding-incorrect-storage-slot-retrieval
See comments in primary finding in 239
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.