Submission Details
Severity: medium
Invalid

Hardcoded scrvusd address will break multi chain implementation

Summary

Contracts are to be deployed across multiple chains, but use a hardcoded address.

Vulnerability Details

In ScrvusdVerifierV1, SCRVUSD is hardcoded. But the address is only valid on Ethereum mainnet.

// Common constants
> address constant SCRVUSD = 0x0655977FEb2f289A4aB78af67BAB0d17aAb84367;
bytes32 constant SCRVUSD_HASH = keccak256(abi.encodePacked(SCRVUSD));

According to the readme, the contracts are to be deployed on various EVMs, so upon contract deployment to other chains, the SCRVUSD address will be incorrect, breaking integration.

Compatibilities:
Blockchains:
- Any EVM, including solutions like neon on Solana
Tokens:
- scrvUSD

Impact

Integrations will break, and the contract will be unusable. This is due to the use of the hash in _extractParametersFromProof and _extractPeriodFromProof in ScrvusdVerifierV1.sol and ScrvusdVerifierV2.sol respectively.

Tools Used

Manual Review

Recommendations

Consider passing the argument into the constructor instead, so it can be updated on a per-chain basis.

Updates

Lead Judging Commences

0xnevi Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[invalid] finding-hardcoded-srCRV-multi-chain

- Original scrvUSD exists only on mainnet – that's where it gets revenue. And these storage proofs are retrieved from Ethereum scrvUSD contract, meaning no other token deployment needed.
- The point of using storage proofs is to port data from Ethereum to other networks. And storage proofs are just making it possible in a trustless manner wrt blockhash oracle.
