Summary

The max_price_increment parameter is miscalculated, allowing price changes far exceeding the intended 63% APY cap.

Vulnerability Details

Affected Code:

• ScrvusdOracleV2.vy’s max_price_increment initialization and _smoothed_price logic:
  Code Snippet:

  # 2 * 10 ** 12 is equivalent to

  # 1) 0.02 bps per second or 0.24 bps per block on Ethereum

  # 2) linearly approximated to max 63% APY

  self.max_price_increment = 2 * 10**12
  # _smoothed_price calculation

  max_change: uint256 = (self.max_price_increment * time_diff * last_price) // 10**18

  ​

code: https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/oracles/ScrvusdOracleV2.vy#L95-L98

The comment says: "max_price_increment = 2 * 10**12 is equivalent to 0.02 bps per second or 0.24 bps per block on Ethereum (12s blocks), linearly approximated to max 63% APY"

Analysis:

• Units: The parameter uses fixed-point arithmetic with 10^18 precision.

• Per-Second Rate:
  2 * 10^12 / 10^18 = 2×10^(-6) (since 1 bps = 0.01%, 0.0002% per second, or 0.02 bps/sec).

• **Annualization: (**With 31,536,000 seconds in a year (365 * 24 * 60 * 60))
  0.0002% * 31,536,000 sec/year = 6307.2% . -> over 6000%

-> This represents linearly approximate to max 6307% APY

Critical Issue:
The comment claims "63% APY," but actual math reveals 6307% APY (100x higher).

Impact

This is a critical issue because the max_price_increment is supposed to prevent the oracle price from changing too rapidly, but the current setup allows for much larger changes than intended, making the smoothing ineffective and allowing price manipulation if updates are delayed.

Tools Used

Recommendations

Correct max_price_increment for 63% APY

Calculation:

• Target: 63% APY = 0.63 growth factor. ( linearly approximated)

• Per-second rate: 0.63 / 31,536,000 ≈ 2e-8 (0.002 bps/sec).

• Scaled value: 2e-8 * 1e18 = 20,000,000,000 (2e10).

Code Fix:

python