Storage Proofs

Curve

DeFiLayer 1Layer 2

14,723 OP

View results

Previous Next

Submission Details

Severity: low

Invalid

Denial-of-Service (DoS) via Excessive Loop Iterations

ngochungp295

Summary

A misconfigured max_v2_duration parameter allows gas-intensive loops in ScrvusdOracleV2.vy, causing transactions to exceed block gas limits and permanently halt price updates.

Vulnerability Details

Affected Code

1. Loop Structure in _obtain_price_params:

for _: uint256 in range(number_of_periods, bound=MAX_V2_DURATION):

# Modifies params in each iteration

new_balance_of_self: uint256 = (

params.balance_of_self * (params.total_supply - params.balance_of_self) // params.total_supply

)

params.total_supply -= (

params.balance_of_self * params.balance_of_self // params.total_supply

)

params.balance_of_self = new_balance_of_self

2. Configurable max_v2_duration:

MAX_V2_DURATION: constant(uint256) = 4 * 12 * 4 # 192 iterations

Root Cause

Gas Cost Per Iteration: Each loop iteration consumes ~20,000 gas due to storage writes and arithmetic operations.
Worst-Case Scenario:
192 iterations * 20,000 gas = 3,840,000 gas per transaction, exceeding Ethereum’s average per-block gas limit (~30M gas) and standard transaction gas limits (often set to 1-2M gas).

Impact

Price updates fail due to gas exhaustion, rendering the oracle unusable.

Tools Used

Manual Code Review
- Identified unbounded loop dependent on admin-controlled max_v2_duration.
Gas Estimation
- Calculated worst-case gas costs using Ethereum’s average opcode costs.

Recommendations

1. Cap `MAX_V2_DURATION` to Prevent Gas Exhaustion

Revised Code:

python

MAX_V2_DURATION: constant(uint256) = 50 # ~1M gas max (50 * 20k = 1M gas)

Updates

Lead Judging Commences

0xnevi Lead Judge 3 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

[invalid] finding-incorrect-loop-bound

Invalid, `bound` here has a different meaning from Python's `range(a, b)`. It is a bound of maximum iterations, meaning the loop will only go to the bounded `MAX_V2_DURATION` when `number_of_periods >= MAX_V2_DURATION`

Prize pool breakdown

Total prize

14,723 OP

Eagles

1,472 OP

nSLOC

394

37 OP / LOC

High Medium

12,700

Low

551

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.