Storage Proofs

Curve

DeFiLayer 1Layer 2

14,723 OP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Incorrect Assumptions in Calc Logic

softwared953

Summary

In function _obtain_price_params of ScrvusdOracleV2.vy, there are assumptions about past states being valid. If a timestamp is ever set or accessed incorrectly, this calculation may falter.

Vulnerability Details

Impact

Tools Used

Vscode

Recommendations

def _obtain_price_params(parameters_ts: uint256) -> PriceParams:

"""

@notice Obtain Price parameters true or assumed to be true at `parameters_ts`.

Assumes a constant gain (in crvUSD rewards) throughout distribution periods.

@param parameters_ts: Timestamp to obtain parameters for

@return: Assumed `PriceParams`

"""

params: PriceParams = self.price_params

period: uint256 = self.profit_max_unlock_time

# Validate the parameters_ts

require(parameters_ts <= current_block_timestamp(), "Timestamp cannot be in the future")

require(params.last_profit_update <= parameters_ts, "Timestamp is earlier than last update")

if params.last_profit_update + period >= parameters_ts:

return params # Return early if no updates are needed

number_of_periods: uint256 = min(

(parameters_ts - params.last_profit_update) // period,

self.max_v2_duration,

)

# Calculate locked shares at the time params.last_profit_update

gain: uint256 = (

params.balance_of_self * (params.total_idle + params.total_debt) // params.total_supply

)

params.total_idle += gain * number_of_periods

# Adjust totals for the number of periods

for _ in range(number_of_periods):

new_balance_of_self: uint256 = (

params.balance_of_self

* (params.total_supply - params.balance_of_self) // params.total_supply

)

params.total_supply -= (

params.balance_of_self * params.balance_of_self // params.total_supply

)

params.balance_of_self = new_balance_of_self

# Calculate profit unlocking rate

if params.full_profit_unlock_date > params.last_profit_update:

params.profit_unlocking_rate = (params.balance_of_self * MAX_BPS_EXTENDED) // (

params.full_profit_unlock_date - params.last_profit_update

)

else:

params.profit_unlocking_rate = 0

# Update the unlock date and the last profit update

params.full_profit_unlock_date += number_of_periods * period

params.last_profit_update += number_of_periods * period

return params

Updates

Lead Judging Commences

0xnevi Lead Judge 3 months ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Prize pool breakdown

Total prize

14,723 OP

Eagles

1,472 OP

nSLOC

394

37 OP / LOC

High Medium

12,700

Low

551

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.