Potential Division-by-Zero Error in _raw_price Calculation
Summary
The _raw_price() function in ScrvusdOracleV2.vy can revert due to a division-by-zero error if total_supply becomes equal to unlocked_shares. Currently, no explicit checks are implemented to handle this scenario safely.
Vulnerability Details
with:
If unlocked_shares equals total_supply, _total_supply becomes 0.
Vulnerability Conditions:
• All vault-owned locked shares have fully unlocked (balance_of_self == total_supply).
• full_profit_unlock_date <= current timestamp.
• No shares are held externally.
These conditions cause _total_supply to become zero, triggering a revert on price calculations.
Impact
• Protocol disruption due to reverted price updates.
• Inability to retrieve accurate price data during this scenario.
Tools Used
Manual audit
Recommendations
• Add explicit zero-check logic before division:
Alternatively, return a safe default value:
Lead Judging Commences
[invalid] finding-division-by-zero
Note that `total_supply` and `profit_unlocking_rate` is initially set to 1 and 0 respectively when the `ScrvusdOracleV2.vy` is deployed 1. `total_supply` and `profit_unlocking_rate` is part of the price param updates within `update_price`, which must have gone through verification via the OOS `StateProofVerifier` contract, so there is no evidence that a 0 supply is allowed either via a 0 supply update or an extremely high `profit_unlocking_rate`. 2. Since price is retrieved via values retrived from the V3Vault, if there is no supply, there is arguably no price to be posted. As such, reverting is arguably the correct choice since a 0 price value is not expected from scrvUSD, which is a stable coin.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.