Submission Details
Severity: low
Invalid

Hardcoded PARAM_SLOTS may cause the `ScrvusdVerifierV1` contract to read and process invalid data

Summary

The vulnerability arises because PARAM_SLOTS is hardcoded in the ScrvusdVerifierV1 contract, assuming a fixed storage layout for the SCRVUSD contract. When SCRVUSD is upgraded, the storage slots of its variables may shift due to changes in the contract's structure (e.g., addition, removal, or reordering of variables). As a result, PARAM_SLOTS no longer points to the correct data, causing the ScrvusdVerifierV1 contract to read and process invalid information.

Vulnerability Details

The PARAM_SLOTS array in ScrvusdVerifierV1 is defined as follows:

```solidity
// Storage slots of parameters
uint256[PROOF_CNT] internal PARAM_SLOTS = [
    uint256(0), // filler for account proof
    uint256(21), // total_debt
    uint256(22), // total_idle
    uint256(20), // totalSupply
    uint256(38), // full_profit_unlock_date
    uint256(39), // profit_unlocking_rate
    uint256(40), // last_profit_update
    uint256(keccak256(abi.encode(18, SCRVUSD))) // balanceOf(self)
];
```

These slots are used to read data from the SCRVUSD contract. The SCRVUSD contract is upgradable. If the SCRVUSD contract is upgraded, it may change the storage layout of its variables. However, the ScrvusdVerifierV1 contract continues to use the old PARAM_SLOTS values, which no longer correspond to the correct variables. Depending on the use case, this could lead to:

  • Incorrect price updates.

  • Invalid parameter adjustments.

  • System failures or security vulnerabilities.

Impact

The impact is High, the likelihood is very Low, so the severity is Low.

Tools Used

Manual Review

Recommendations

Make PARAM_SLOTS configurable by adding a function to update its values. This allows the slots to be adjusted after SCRVUSD upgrades.
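
An added example, not code from the submission or the project: separately from the recommendation above, the drift this report describes can be detected by comparing the hardcoded slots against a compiler-emitted storage layout before deployment. The JSON shape (`storage_layout`, then variable name, then `slot`), the key names (taken from the comments in `PARAM_SLOTS`), the helper names, and both sample layouts are assumptions constructed for illustration.

```python
import json

# Slots hardcoded in PARAM_SLOTS, keyed by the names in its comments.
# balanceOf is the mapping's base slot (18), not the hashed per-account slot.
EXPECTED_SLOTS = {
    "total_debt": 21,
    "total_idle": 22,
    "totalSupply": 20,
    "full_profit_unlock_date": 38,
    "profit_unlocking_rate": 39,
    "last_profit_update": 40,
    "balanceOf": 18,
}

def find_slot_drift(layout_json, expected=EXPECTED_SLOTS):
    """Return sorted (name, hardcoded_slot, actual_slot, occupant) tuples for
    every variable whose slot no longer matches. actual_slot is None when the
    variable is gone; occupant is whatever now lives at the hardcoded slot,
    i.e. what a verifier using the old slot would read instead."""
    layout = json.loads(layout_json).get("storage_layout", {})
    by_slot = {entry["slot"]: name for name, entry in layout.items()}
    drift = []
    for name, want in expected.items():
        got = layout.get(name, {}).get("slot")
        if got != want:
            drift.append((name, want, got, by_slot.get(want)))
    return sorted(drift, key=lambda row: row[0])

def make_layout(slots):
    """Build a constructed layout document in the assumed JSON shape."""
    return json.dumps({"storage_layout": {n: {"slot": s} for n, s in slots.items()}})

# Constructed samples: the layout the verifier assumes, and a hypothetical
# layout where a new variable at slot 20 pushes every later variable down by one.
BASELINE = make_layout(EXPECTED_SLOTS)
SHIFTED = make_layout(
    {"new_flag": 20, **{n: s + (s >= 20) for n, s in EXPECTED_SLOTS.items()}}
)

if __name__ == "__main__":
    for name, want, got, occupant in find_slot_drift(SHIFTED):
        print(f"{name}: hardcoded slot {want}, now at {got}; slot {want} holds {occupant}")
```

In the shifted sample the mapping base slot 18 is unaffected, while the slot hardcoded for `totalSupply` now holds the hypothetical `new_flag`.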

Updates

Lead Judging Commences

0xnevi Lead Judge 2 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

[invalid] finding-upgradeable-verifier-contracts

Invalid:

- srCRVUSD is a minimal proxy, meaning it can never be upgraded, see [here](https://www.cyfrin.io/blog/upgradeable-proxy-smart-contract-pattern#:~:text=Minimal%20proxies%20are%20distinct%20from,provide%20upgrade%20or%20authorization%20functionality.) and [here](https://www.rareskills.io/post/eip-1167-minimal-proxy-standard-with-initialization-clone-pattern) for more info.
- Even if srcrvUSD is migrated in the future via a new minimal proxy contract deployment (which is highly unlikely), the verifier contracts can be migrated along with it via revoking the access-control within the `ScrvusdOracleV2.vy` and then granting access to a new oracle. This is also not within the scope of this contest.
