Storage Proofs

Curve

DeFiLayer 1Layer 2

14,723 OP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Lack of Input Validation

softwared953

Summary

In ScrvusdOracleV2.vy, the function update_price have Lack of Input Validation.

Vulnerability Details

Function update_price: The function asserts that self.last_block_number <= _block_number. However, it does not validate other parameters, such as the length of _parameters. It might lead to an 'out of bounds' error if the provided array has fewer than ALL_PARAM_CNT values.

Impact

Tools Used

Vscode

Recommendations

def update_price(

_parameters: uint256[ALL_PARAM_CNT], _ts: uint256, _block_number: uint256

) -> uint256:

"""

@notice Update price using `_parameters`

@param _parameters Parameters of Yearn Vault to calculate scrvUSD price

@param _ts Timestamp at which these parameters are true

@param _block_number Block number of parameters to linearize updates

@return Absolute relative price change of final price with 10^18 precision

"""

access_control._check_role(PRICE_PARAMETERS_VERIFIER, msg.sender)

assert len(_parameters) == ALL_PARAM_CNT, "Invalid parameters length"

assert (

_parameters[0] >= 0 and _parameters[1] >= 0 and _parameters[2] > 0

), "Parameter values must be non-negative, total_supply must be positive"

assert self.last_block_number <= _block_number, "Outdated block number"

# Allowing same block updates for fixing bad blockhash provided (if possible)

self.last_block_number = _block_number

self.last_prices = [self._price_v0(), self._price_v1(), self._price_v2()]

self.last_update = block.timestamp

ts: uint256 = self.price_params_ts

current_price: uint256 = self._raw_price(ts, ts)

self.price_params = PriceParams(

total_debt=_parameters[0],

total_idle=_parameters[1],

total_supply=_parameters[2],

full_profit_unlock_date=_parameters[3],

profit_unlocking_rate=_parameters[4],

last_profit_update=_parameters[5],

balance_of_self=_parameters[6],

)

self.price_params_ts = _ts

new_price: uint256 = self._raw_price(_ts, _ts)

log PriceUpdate(new_price, _ts, _block_number)

if new_price > current_price:

return (new_price - current_price) * 10**18 // current_price

else:

return (current_price - new_price) * 10**18 // current_price

Updates

Lead Judging Commences

0xnevi Lead Judge 3 months ago

Submission Judgement Published

Invalidated

Reason: Out of scope

Assigned finding tags:

[invalid] finding-missing-proof-content-validation

- See [here]([https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle)](https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#blockhash-oracle) on how it is used to verify storage variable - All state roots and proofs must be verified by the OOS `StateProofVerifier` inherited as `Verifier` (where the price values and params are extracted), so there is no proof that manipulating timestamp/inputs can affect a price update - It is assumed that the OOS prover will provide accurate data and the OOS verifier will verify the prices/max unlock time to be within an appropriate bound/values - There is a account existance check in L96 of `ScrvusdVerifierV1.sol`, in which the params for price updates are extracted from

Prize pool breakdown

Total prize

14,723 OP

Eagles

1,472 OP

nSLOC

394

37 OP / LOC

High Medium

12,700

Low

551

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.