Summary

Wrong Calculation for MAX_V2_DURATION.

Vulnerability Details

When ScrvUSDOracleV2 Deploy contract and contracts constant variable set and can't be changed, MAX_V2_DURATION variable set the Maximum Duration for V2 in weeks. and if we do look at the ScrvusdOracleV2::MAX_V2_DURATION it sets the value 4 * 12 * 4 which is equal to the 192 Since this constant variable set the duration in weeks and looking at the netspec comment it says 4 Year official docs.

• 1 year = 52 weeks

• 4 years = 4 × 52 = 208 weeks

That gives you a total of 208 weeks in 4 years. But If we look at the MAX_V2_DURATION in ScrvUSDOracleV2.vy it is 192 weeks, which is equal to the 3 years, 8 months and 8 days.

Months: Multiply the decimal part (0.69) by 12 (since there are 12 months in a year):

• 0.69 × 12 = 8.28 months (which is about 8 months).

Days: Now, take the decimal part of 8.28 months (which is 0.28) and convert it into days. Since an average month has about 30 days:

• 0.28 × 30 = 8.4 days (about 8 days).

3.69 years is roughly 3 years, 8 months, and 8 days, instead of the 208 weeks.

Obtain Price Wont return correct price and Give Only Price which is in range from startRange - number_of_periods to endRange - MAX_V2_DURATION see here.

Impact

Raw Price Calculation will not give correct Price, because it only bounds to 192 weeks.

Tools Used

• Manual Review

Recommended Mitigation

Set the Correct week for MAX_V2_DURATION in ScrvusdOracleV2.vy