Storage Proofs
Curve
DeFiLayer 1Layer 2
14,723 OP
View results
Previous Next
Submission Details
Severity: low
Invalid

Wrong Calculation for MAX_V2_DURATION.

akioniace

Summary

Wrong Calculation for MAX_V2_DURATION.

Vulnerability Details

When ScrvUSDOracleV2 Deploy contract and contracts constant variable set and can't be changed, MAX_V2_DURATION variable set the Maximum Duration for V2 in weeks. and if we do look at the ScrvusdOracleV2::MAX_V2_DURATION it sets the value 4 * 12 * 4 which is equal to the 192 Since this constant variable set the duration in weeks and looking at the netspec comment it says 4 Year official docs.

MAX_V2_DURATION: constant(uint256) = 4 * 12 * 4 # 4 years @audit-issue - 4 * 12 * 4 = 192 weeks

  • 1 year = 52 weeks

  • 4 years = 4 × 52 = 208 weeks

That gives you a total of 208 weeks in 4 years. But If we look at the MAX_V2_DURATION in ScrvUSDOracleV2.vy it is 192 weeks, which is equal to the 3 years, 8 months and 8 days.

Months: Multiply the decimal part (0.69) by 12 (since there are 12 months in a year):

  • 0.69 × 12 = 8.28 months (which is about 8 months).

Days: Now, take the decimal part of 8.28 months (which is 0.28) and convert it into days. Since an average month has about 30 days:

  • 0.28 × 30 = 8.4 days (about 8 days).

3.69 years is roughly 3 years, 8 months, and 8 days, instead of the 208 weeks.

Obtain Price Wont return correct price and Give Only Price which is in range from startRange - number_of_periods to endRange - MAX_V2_DURATION see here.

# @File: https://github.com/CodeHawks-Contests/2025-03-curve/blob/main/contracts/scrvusd/oracles/ScrvusdOracleV2.vy#L261
for _: uint256 in range(number_of_periods, bound=MAX_V2_DURATION): # @audit-issue - only range from number_of_periods to 192 Weeks

Impact

Raw Price Calculation will not give correct Price, because it only bounds to 192 weeks.

Tools Used

  • Manual Review

Recommended Mitigation

Set the Correct week for MAX_V2_DURATION in ScrvusdOracleV2.vy

-MAX_V2_DURATION: constant(uint256) = 4 * 12 * 4 # 4 years
+MAX_V2_DURATION: constant(uint256) = 208 # 4 years
Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

[invalid] finding-MAX_V2_DURATION

This is simply an approximation. I don't believe there is any incorrect logic here, given as long as this duration of growth is consistently applied, there will arguably be no incorrect oracle prices here. Additionally, I highly doubt there will be a instance where 48 weeks has passed since the last update.

Appeal created

akioniace Submitter
11 months ago
0xnevi Lead Judge
11 months ago
0xnevi Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

[invalid] finding-MAX_V2_DURATION

This is simply an approximation. I don't believe there is any incorrect logic here, given as long as this duration of growth is consistently applied, there will arguably be no incorrect oracle prices here. Additionally, I highly doubt there will be a instance where 48 weeks has passed since the last update.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!