Submission Details
Severity: low
Valid

Missing Event for important state change.

Summary

Missing Event for important state change.

Vulnerability Details

`ScrvusdOracleV2::update_profit_max_unlock_time()` in the ScrvusdOracleV2 contract does not emit an event to log its state change. This omission reduces the transparency and traceability of the operation, which can hinder off-chain monitoring.

```vyper
### @File: https://github.com/CodeHawks-Contests/2025-03-curve/blob/main/contracts/scrvusd/oracles/ScrvusdOracleV2.vy#L334-L348
@external
def update_profit_max_unlock_time(_profit_max_unlock_time: uint256, _block_number: uint256) -> bool:
    """
    @notice Update price using `_parameters`
    @param _profit_max_unlock_time New `profit_max_unlock_time` value
    @param _block_number Block number of parameters to linearize updates
    @return Boolean whether value changed
    """
    access_control._check_role(UNLOCK_TIME_VERIFIER, msg.sender)
    # Allowing same block updates for fixing bad blockhash provided (if possible)
    assert self.last_block_number <= _block_number, "Outdated"
    self.last_block_number = _block_number
    prev_value: uint256 = self.profit_max_unlock_time
    self.profit_max_unlock_time = _profit_max_unlock_time
    # @audit-issue - missing event for profit_max_unlock_time
    return prev_value != _profit_max_unlock_time
```

Impact

The absence of event emissions can lead to reduced transparency and traceability of important state changes within the smart contract ecosystem.

Tools Used

  • Manual Review

Recommended Mitigation

Consider adding an event for this function to provide a clear on-chain record of when and by whom these actions were executed. This improves transparency and makes it easier to track changes.

+ event SetProfitMaxUnlockTime:
+ old_profit_max_unlock_time: uint256
+ new_profit_max_unlock_time: uint256
+ block_number: uint256
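
Review bot: the event fields (`old_profit_max_unlock_time`, `new_profit_max_unlock_time`, `block_number`) include no caller, yet the recommendation asks for a record of "by whom" the action was executed. Either add an `address` field populated from `msg.sender`, which the role check already uses, or state that the transaction sender is the record of who called; marking a field `indexed` would also let monitors filter on it.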

and emit it in `ScrvusdOracleV2::update_profit_max_unlock_time()`:

def update_profit_max_unlock_time(_profit_max_unlock_time: uint256, _block_number: uint256) -> bool:
"""
@notice Update price using `_parameters`
@param _profit_max_unlock_time New `profit_max_unlock_time` value
@param _block_number Block number of parameters to linearize updates
@return Boolean whether value changed
"""
access_control._check_role(UNLOCK_TIME_VERIFIER, msg.sender)
# Allowing same block updates for fixing bad blockhash provided (if possible)
assert self.last_block_number <= _block_number, "Outdated"
self.last_block_number = _block_number
prev_value: uint256 = self.profit_max_unlock_time
self.profit_max_unlock_time = _profit_max_unlock_time
+ log SetProfitMaxUnlockTime(prev_value, _profit_max_unlock_time, _block_number)
return prev_value != _profit_max_unlock_time
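
Review bot: the added `log` line runs on every call, including when `prev_value == _profit_max_unlock_time` and the function returns `False`, so consumers will see events whose old and new values are equal. That is defensible because `last_block_number` still changes on such calls, but say so in a comment so monitors know to compare the two fields; the snippet also omits the `@external` decorator shown on the original function.
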
Updates

Lead Judging Commences

0xnevi Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-missing-event-emission-profit_max_unlock_time

I believe low severity to be appropriate here; events could be used to be more explicit for the upcoming effects on price for changes in max unlock time, similar to what is included in `update_price` with the `PriceUpdate` event.
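
The following is an added example, not part of the submission, the judge's comment or the audited repository: Python that an off-chain monitor could use to consume the `SetProfitMaxUnlockTime` event proposed in the mitigation, including a continuity check that the old/new pair makes possible. It assumes the event is deployed exactly as proposed with all three fields non-indexed, and that logs were fetched with `eth_getLogs` already filtered by contract address and topic0; `decode_event`, `review_logs`, `_data` and the sample logs are hypothetical names and constructed values.

```python
# Added example: decodes the event proposed above; not code from the audited repo.
# Assumes logs were fetched with eth_getLogs, already filtered by oracle address
# and the event's topic0, and that all three fields are non-indexed uint256.
WORD = 32

def decode_event(data_hex: str) -> dict:
    """ABI-decode the data field: old value, new value, block_number."""
    raw = bytes.fromhex(data_hex.removeprefix("0x"))
    if len(raw) != 3 * WORD:
        raise ValueError(f"expected {3 * WORD} data bytes, got {len(raw)}")
    old, new, block = (int.from_bytes(raw[i:i + WORD], "big")
                       for i in range(0, 3 * WORD, WORD))
    return {"old": old, "new": new, "block_number": block}

def review_logs(logs: list) -> list:
    """Return (tx_hash, kind, detail) tuples a monitor should surface."""
    findings, last_new = [], None
    for log in logs:
        ev, tx = decode_event(log["data"]), log["transactionHash"]
        if last_new is not None and ev["old"] != last_new:
            # old must equal the previous event's new; otherwise a log was missed
            findings.append((tx, "gap", f"old={ev['old']} but last seen {last_new}"))
        if ev["old"] == ev["new"]:
            findings.append((tx, "noop", f"value unchanged at block {ev['block_number']}"))
        else:
            findings.append((tx, "changed", f"{ev['old']} -> {ev['new']}"))
        last_new = ev["new"]
    return findings

def _data(old: int, new: int, block: int) -> str:
    """Build a constructed data field for the sample logs below."""
    return "0x" + b"".join(v.to_bytes(WORD, "big") for v in (old, new, block)).hex()

# Constructed sample logs (values and tx hashes are made up for illustration).
SAMPLE_LOGS = [
    {"transactionHash": "0x01", "data": _data(604800, 1209600, 100)},
    {"transactionHash": "0x02", "data": _data(1209600, 1209600, 101)},
    {"transactionHash": "0x03", "data": _data(86400, 604800, 105)},
]

if __name__ == "__main__":
    for finding in review_logs(SAMPLE_LOGS):
        print(finding)
```

The "gap" finding on the third sample log fires because its old value does not match the new value of the previous event, which is how a consumer can tell that an update was missed between the logs it received.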
