A vulnerability in the `ScrvusdVerifierV1` contract on Optimism incorrectly retrieves data from the Yearn V3 Vault on Ethereum mainnet due to mismatched storage slots in the PARAM_SLOTS array. This leads to inaccurate data being sent to the oracle, affecting the scrvUSD token and dependent DeFi systems.
The verifier contract on Optimism fetches storage slot values from the Yearn V3 Vault using the PARAM_SLOTS array. However, the slots listed (e.g., total_debt at slot 21) do not match the vault’s actual layout (e.g., total_debt at slot 10). For example:
Expected: total_debt (slot 10), total_supply (slot 9)
Actual in PARAM_SLOTS: total_debt (slot 21), total_supply (slot 20)
This mismatch causes the verifier to retrieve unrelated data (e.g., symbol instead of total_debt), corrupting the oracle’s output.
Mispricing of scrvUSD due to incorrect vault data.
DeFi systems relying on the oracle may trigger erroneous liquidations or reward miscalculations.
Manual code review
Align slots with the vault’s layout (e.g., total_debt to slot 10).
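One way to catch this class of mismatch before deployment is to diff the verifier's hard-coded slot table against a storage-layout dump of the vault. The sketch below is an added example, not code from the finding or from the project. The JSON shape, the `check_param_slots` helper and the sample layout are assumptions, with slot numbers taken from the claims above.

```python
import json

# Constructed sample shaped like a compiler storage-layout dump.
# Slots 9, 10 and 21 follow the finding's claims; this is not a
# verified copy of the vault's real layout.
VAULT_LAYOUT_JSON = """
{"storage_layout": {
  "total_supply": {"slot": 9,  "n_slots": 1},
  "total_debt":   {"slot": 10, "n_slots": 1},
  "symbol":       {"slot": 21, "n_slots": 2}
}}
"""

# Verifier-side slot table as reported in the finding.
PARAM_SLOTS = {"total_debt": 21, "total_supply": 20}


def check_param_slots(layout_json, param_slots):
    """Return one record per parameter whose hard-coded slot
    disagrees with the layout (hypothetical helper)."""
    layout = json.loads(layout_json)["storage_layout"]
    # Reverse index: every slot a variable occupies -> variable name.
    owner = {}
    for name, entry in layout.items():
        for s in range(entry["slot"], entry["slot"] + entry.get("n_slots", 1)):
            owner[s] = name
    findings = []
    for name, used in sorted(param_slots.items()):
        expected = layout.get(name, {}).get("slot")  # None if unknown
        if used != expected:
            findings.append({
                "param": name,
                "used": used,
                "expected": expected,
                "reads": owner.get(used),  # what that slot really holds
            })
    return findings


if __name__ == "__main__":
    for f in check_param_slots(VAULT_LAYOUT_JSON, PARAM_SLOTS):
        print(f)
```

Run as a CI step against the layout generated from the exact vault source that is deployed, so that any drift between the two contracts fails the build.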
See comments in primary finding in 239