Submission Details
Severity: low
Invalid

Possible Reorg Issues

Summary

The ScrvusdVerifierV1 contract does not enforce a minimum block confirmation delay for Ethereum blocks used in proofs. As a result, the system might fetch data from unfinalized Ethereum blocks.

Vulnerability details

The function verifyPeriodByBlockHash fetches state proof data directly from Ethereum without checking if the block has reached finality.
Ethereum blocks can be reorged, meaning the verifier might extract data from a block that later gets replaced.
Chains with faster finality (e.g., BSC, Avalanche) could incorporate unfinalized Ethereum block data causing inconsistencies in oracle updates.

https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/verifiers/ScrvusdVerifierV1.sol#L54

Impact

Blockchains with different finality guarantees may store outdated or incorrect price information in case of reorgs.

Tools Used

Manual code review

Recommendations

Enforce a finality requirement before accepting Ethereum block data.
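
One way to express such a finality gate, sketched on the off-chain side that chooses which Ethereum block to build a proof for. This is an added example, not code from the submission or from the Curve repository; the header data is constructed, and every name in it (Header, build_chain, pick_proof_block, is_canonical) is hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Header:
    number: int
    hash: str
    parent_hash: str

def build_chain(start: int, end: int, fork_at: Optional[int] = None) -> list[Header]:
    """Constructed sample headers; blocks from fork_at onward get different hashes."""
    chain, parent = [], f"h{start - 1}"
    for n in range(start, end + 1):
        h = f"h{n}'" if fork_at is not None and n >= fork_at else f"h{n}"
        chain.append(Header(n, h, parent))
        parent = h
    return chain

def pick_proof_block(chain: list[Header], finalized_number: int,
                     min_confirmations: int) -> Optional[Header]:
    """Newest header that is at or below the finalized checkpoint AND at least
    min_confirmations behind the head; None if no block qualifies yet."""
    head = chain[-1]
    limit = min(finalized_number, head.number - min_confirmations)
    eligible = [h for h in chain if h.number <= limit]
    return eligible[-1] if eligible else None

def is_canonical(header: Header, chain: list[Header]) -> bool:
    """True if the same (number, hash) pair is still part of the given chain view."""
    return any(h.number == header.number and h.hash == header.hash for h in chain)

# Constructed scenario: view of the chain before and after a reorg at block 108.
BEFORE = build_chain(100, 110)
AFTER = build_chain(100, 112, fork_at=108)
FINALIZED = 105  # assumed finalized checkpoint at the time of selection

def demo() -> dict:
    naive = BEFORE[-1]                               # proving against the head
    gated = pick_proof_block(BEFORE, FINALIZED, 3)   # proving behind finality
    return {
        "naive_survives": is_canonical(naive, AFTER),
        "gated_number": gated.number,
        "gated_survives": is_canonical(gated, AFTER),
    }

if __name__ == "__main__":
    print(demo())
```
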

Updates

Lead Judging Commences

0xnevi Lead Judge
3 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
