14,723 OP
Submission Details
Severity: low
Valid

Missing Initialization of `self.last_block_number` on deployment

Summary

`self.last_block_number` Not Initialized in Constructor

In the `__init__` function, the variable `self.last_block_number` is missing an initial value. This omission allows the first execution of `update_price` to pass even if `_block_number` is far lower than the current block number, potentially leading to outdated or incorrect price updates.

Description

Affected Function:

```vyper
@deploy
def __init__(_initial_price: uint256):
```

The constructor initializes multiple parameters but does not set `self.last_block_number`.

Affected Code in `update_price`:

```vyper
assert self.last_block_number <= _block_number, "Outdated"
```

  • Since `self.last_block_number` is not set during deployment, its initial value is undefined.

  • On the first call to `update_price`, this assertion will pass even if `_block_number` is outdated, leading to incorrect price updates.

Impact

  • Bypasses Block Number Check on First Update: Allows an outdated `_block_number` to be accepted.

  • Potential Manipulation: A malicious prover could exploit this to use older price parameters.

  • Inconsistent Price Updates: The system may start with an incorrect reference point, affecting future calculations.

Recommendation

Fix: Initialize `self.last_block_number` in the Constructor

Modify `__init__` to include:

```vyper
self.last_block_number = block.number
```

This ensures `self.last_block_number` starts with a valid reference and prevents outdated block numbers from being used during the first update.
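
The first-update behaviour described in this submission, modelled in plain Python as an added example (it is not the audited contract's code). It assumes an unset Vyper storage variable reads as zero and that `update_price` stores the accepted `_block_number`; `OracleModel`, `deploy` and `first_update_outcomes` are hypothetical names, and the prices and block numbers are constructed.

```python
# Added illustration: a plain-Python model of the block-number guard,
# not the audited Vyper contract.
from dataclasses import dataclass


@dataclass
class OracleModel:
    """Models only the state the finding discusses."""
    price: int
    # Assumption: Vyper storage reads as zero when the constructor never sets it.
    last_block_number: int = 0

    def update_price(self, new_price: int, block_number: int) -> bool:
        # Mirrors: assert self.last_block_number <= _block_number, "Outdated"
        if not (self.last_block_number <= block_number):
            return False  # the contract would revert with "Outdated"
        # Assumption: the contract records the accepted block number.
        self.last_block_number = block_number
        self.price = new_price
        return True


def deploy(initial_price: int, deploy_block: int, init_guard: bool) -> OracleModel:
    """init_guard=True applies the recommended fix (last_block_number = block.number)."""
    oracle = OracleModel(price=initial_price)
    if init_guard:
        oracle.last_block_number = deploy_block
    return oracle


def first_update_outcomes(deploy_block: int, stale_block: int, fresh_block: int) -> dict:
    """Replay a stale first update, then a fresh one, against both deployments."""
    results = {}
    for name, init_guard in (("uninitialized", False), ("initialized", True)):
        oracle = deploy(1000, deploy_block, init_guard)  # constructed sample price
        stale_ok = oracle.update_price(900, stale_block)
        fresh_ok = oracle.update_price(1100, fresh_block)
        results[name] = (stale_ok, fresh_ok, oracle.last_block_number)
    return results


if __name__ == "__main__":
    # Constructed scenario: deployed at block 500; updates claim blocks 120 and 510.
    for name, outcome in first_update_outcomes(500, 120, 510).items():
        print(name, outcome)
```

Each tuple is (stale update accepted, fresh update accepted, final `last_block_number`): only the first update differs between the two deployments, and both converge once a fresh update lands.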

Updates

Lead Judging Commences

0xnevi Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-block-number-not-initialized

I believe low to be appropriate, although could hear arguments for informational. The next `_block_number` for each price/max unlock time update will always be greater than the default zero, so the assertion of `assert self.last_block_number <= _block_number, "Outdated"` will pass without issue, but for consistency could be updated during deployment. Arguably at deployment, an update that has been verified via the verifier has not occurred yet, so there would likely be no issues here given after the first correct update it will work as intended. The first update for price/profit max unlock time will also unlikely be outdated based on block number, which can be presumed to be true given these are extracted and verified within the OOS `StateProofVerifier`.
