Submission Details
Severity: medium
Invalid

Setting max_price_increment too high makes `max_change` highly unrealistic and can destabilize the ecosystem.

Summary

In the scrvUSD protocol, setting max_price_increment too high can lead to rapid and excessive price adjustments. Since the protocol's price calculation logic depends on time gaps (block.timestamp - self.last_update) and scales with max_price_increment, an unusually large value can cause exponential price spikes. This may destabilize the oracle's reported price, potentially causing inaccurate valuations in the stableswap-ng pool.

Vulnerability Details

https://github.com/CodeHawks-Contests/2025-03-curve/blob/main/contracts/scrvusd/oracles/ScrvusdOracleV2.vy#L352-L364

https://github.com/CodeHawks-Contests/2025-03-curve/blob/main/contracts/scrvusd/oracles/ScrvusdOracleV2.vy#L155-L164

According to the set_max_price_increment function, max_price_increment can be set as high as 10 ** 18, which can lead to huge price spikes.

Let's break down the calculation step by step to see how max_change behaves when max_price_increment = 10**18.

```vyper
def _smoothed_price(last_price: uint256, raw_price: uint256) -> uint256:
    max_change: uint256 = (
        self.max_price_increment * (block.timestamp - self.last_update) * last_price // 10**18
    )
```

Given equation: max_change = max_price_increment × (block.timestamp − last_update) × last_price // 10 ** 18

Let's assume:

  • block.timestamp - self.last_update = 300 seconds (5 minutes)

  • last_price = 1.01 * 10^{18} (assuming scrvUSD is slightly above $1 for realism)

  • max_price_increment = 10^{18}

Calculation

max_change = 10^{18} × 300 × 1.01 × 10^{18} / 10^{18}

Step 1: Cancel out 10^{18} in the numerator and denominator

max_change = 300 × 1.01 × 10^{18}

Step 2: Multiply the remaining terms

max_change = 303 × 10^{18}

Final Value

max_change = 303 * 10**18

In this example, the maximum allowable price change would be $303 in just 5 minutes, which is an extremely high price spike.

Impact

Setting max_price_increment to 10**18 makes the system even more volatile and prone to manipulation.

It also breaks the invariant.

Tools Used

Manual Review

Recommendations

Consider adding an upper bound check in the `set_max_price_increment` function so that the price cannot increase exponentially.
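The calculation and the recommended bound check can be modelled off-chain with the same integer arithmetic. This is an added Python example, not code from the contract or the submission; the helper names and the sample policy of at most 1% per 300 seconds are assumptions chosen for illustration.

```python
"""Added illustration: integer model of the max_change formula quoted above."""

WAD = 10**18  # 18-decimal fixed-point scale used by the quoted formula


def max_change(max_price_increment: int, elapsed: int, last_price: int) -> int:
    """Mirror of the quoted Vyper expression, using floor division like `//`."""
    return max_price_increment * elapsed * last_price // WAD


def relative_cap_bps(max_price_increment: int, elapsed: int) -> int:
    """max_change as basis points of last_price (10_000 bps = 100%).

    last_price cancels out, so the cap depends only on the increment
    and on the time since the last update.
    """
    return max_price_increment * elapsed * 10_000 // WAD


def increment_within_bound(new_value: int, window: int, max_bps: int) -> bool:
    """Hypothetical setter guard: accept new_value only if the cap it allows
    over `window` seconds is at most `max_bps` of the last price.
    Compared without division so flooring cannot hide an overshoot.
    """
    return new_value * window * 10_000 <= max_bps * WAD


def largest_allowed_increment(window: int, max_bps: int) -> int:
    """Largest increment that passes increment_within_bound for this policy."""
    return max_bps * WAD // (10_000 * window)


if __name__ == "__main__":
    # Inputs from the worked calculation: 300 s gap, last_price = 1.01e18.
    elapsed, last_price = 300, 101 * 10**16
    for mpi in (10**18, largest_allowed_increment(300, 100)):
        print(
            f"max_price_increment={mpi}: "
            f"max_change={max_change(mpi, elapsed, last_price)}, "
            f"cap={relative_cap_bps(mpi, elapsed)} bps, "
            f"passes 1%/300s guard={increment_within_bound(mpi, 300, 100)}"
        )
```
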

Updates

Lead Judging Commences

0xnevi Lead Judge
3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
