Incorrect Profit Unlocking Rate Calculation Allows Potential Mispricing and Arbitrage Opportunities in scrvUSD Pools
Summary
The obtain_price_params() function within the scrvUSD vault oracle logic continues to calculate a non-zero profit_unlocking_rate when params.full_profit_unlock_date has already passed but is still greater than params.last_profit_update. This behavior can lead to stale or inaccurate pricing parameters being returned to the system. The issue arises from a missing check that explicitly zeroes the unlocking rate when the full profit unlock period has already ended.
Vulnerability Details
The _obtain_price_params() function calculates the profit_unlocking_rate based on the difference between params.full_profit_unlock_date and params.last_profit_update. The logic currently checks;
However, this approach does not consider the case where the parameters_ts (the timestamp for which we are obtaining parameters) is already beyond the full_profit_unlock_date. In such scenarios:
The unlock period has already ended.
No additional profits should be unlocking.
Yet the system may still return a non-zero
profit_unlocking_rate.
Impact
The system may present an artificially high or incorrect unlocking rate for scrvUSD, which can lead to mispricing in liquidity pools that use oraclized prices for scrvUSD or liquidity providers being exposed to MEV extraction or impermanent loss.
Tools Used
Manual Review
Recommendation
Explicitly check if the current parameters_ts is greater than or equal to the full_profit_unlock_date. If it is, ensure the profit_unlocking_rate is zeroed:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.