Storage Proofs

Curve

DeFiLayer 1Layer 2

14,723 OP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Cross chain arbitrage during price hikes on L1 due to price smoothing on L2

maroutis

Summary

In this oracle system, each new raw price received from L1 is clamped so it cannot deviate from the current on‐chain price beyond a specified increment. This smoothing is intended to protect against sudden large manipulations. However, if L1’s actual price changes quickly, it may take multiple incremental updates for the L2 price to “catch up.” During that time, an arbitrager can exploit the difference in the pool if they learn the new raw price before it’s fully reflected on L2.

Vulnerability Details

The _smoothed_price() calculates a max_change based on max_price_increment, time elapsed, and last_price. If the difference between raw_price and last_price exceeds max_change, it clamps the new price to the maximum allowed step:

@view

def _smoothed_price(last_price: uint256, raw_price: uint256) -> uint256:

# Calculate the maximum allowed change based on time elapsed and last_price

max_change: uint256 = (

self.max_price_increment

* (block.timestamp - self.last_update)

* last_price

// 10**18

)

# If raw_price differs from last_price by more than max_change,

# clamp it to last_price +/- max_change

if unsafe_sub(raw_price + max_change, last_price) > 2 * max_change:

if raw_price > last_price:

return last_price + max_change

else:

return last_price - max_change

# Otherwise return the raw_price as is

return raw_price

Attack scenario :
Assume a spike in price happened on L1. Due to the update limit on L2 :
Someone can purchase the underpriced scrvUSD on L2 (which is lagging behind the real price).
Bridge it back to L1, where it’s worth more (because the L1 price has jumped).
Sell or redeem for a profit.

Impact

Liquidity providers in the stableswap pool may suffer from arbitrage if the L2 oracle price is out of sync with the true L1 price for an extended period.
Attackers can exploit partial increments if they know a price jump is coming.

Tools Used

Manual review

Recommendations

Since the oracle updates every 30 minutes, having a brief cooldown on deposits/withdrawals right after an update will reduce the risk of users exploiting the price while it’s still lagging behind L1. This short delay should only be applied in case the raw_price spikes beyond max_change to reduce user inconvenience.

Updates

Lead Judging Commences

0xnevi Lead Judge 3 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

[invalid] finding-cross-chain-price-latency-update-time-inconsistency

- I believe all issues do not provide a sufficient proof that this latency lags can cause a dangerous arbitrage - Sponsor Comments - There is no issues with small lags if used in liquidity pools for example because of fees. Fees generate spread within which price can be lagged. - Looking at the price charts [here](https://coinmarketcap.com/currencies/savings-crvusd/), there is never a large spike in price (in absolute values), that can be exploited, combined with the fact that prices are smoothed and updates are not immediate - Not even the most trusted oracles e.g. chainlink/redstone can guarantee a one-to-one synchronized value, so in my eyes, the price smoothening protection is sufficient in protecting such issues

Prize pool breakdown

Total prize

14,723 OP

Eagles

1,472 OP

nSLOC

394

37 OP / LOC

High Medium

12,700

Low

551

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.