The ScrvusdOracleV2 contract allows critical parameters (e.g. max_price_increment, profit_max_unlock_time, and max_v2_duration) to be adjusted via functions protected by the Snekmate access control module. However, this centralized control introduces risk: if the roles are mismanaged or compromised, whoever holds them can directly manipulate key pricing parameters.
- Functions like set_max_price_increment and set_max_v2_duration enable rapid adjustments to parameters that govern the smoothing and projection of the scrvUSD price.
- An attacker or malicious insider with access to these roles could set extreme values, thereby causing abrupt price changes that may be exploited.
An attacker holding the DEFAULT_ADMIN_ROLE sets the max_price_increment to an abnormally high value.
In this PoC, the attacker increases the max_price_increment, allowing for rapid and large price changes, which can be exploited for profit.
- Drastic changes to these parameters can lead to extreme volatility in scrvUSD pricing, directly affecting cross-chain liquidity pools and financial products dependent on the oracle.
- This centralization risk could erode trust in the system and expose users to financial losses.
- Manual code review
- Analysis using the Solodit Checklist regarding centralization risks and access control vulnerabilities
- ChatGPT o3-mini-high
- Introduce multi-signature or timelock mechanisms for modifying these critical parameters to prevent unilateral changes.
- Regularly audit role assignments and enforce a governance process for parameter updates.
- Implement detailed logging and real-time alerts for any modifications to these parameters, facilitating rapid response to suspicious activity.
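The following Python model illustrates the recommended controls together (role check, sanity bounds, a timelock before a queued change applies, and an event log that an alerting rule can scan). It is an added example, not code from the ScrvusdOracleV2 contract or from this submission; the parameter bounds, the two-day delay and the 10x alert ratio are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sanity bounds per parameter; the real ScrvusdOracleV2 limits (if any)
# are not stated on the page, so these values are assumptions for the model.
PARAM_BOUNDS = {
    "max_price_increment": (1, 10**16),
    "max_v2_duration": (3600, 30 * 86400),
    "profit_max_unlock_time": (3600, 365 * 86400),
}
TIMELOCK_DELAY = 2 * 86400   # assumed two-day delay before a queued change may execute
ALERT_RATIO = 10             # flag a change that moves a value more than 10x either way

@dataclass
class PendingChange:
    name: str
    new_value: int
    proposer: str
    eta: int                 # earliest timestamp at which execute() may apply it

@dataclass
class TimelockedOracleParams:
    values: dict
    admins: set
    queue: dict = field(default_factory=dict)
    events: list = field(default_factory=list)   # (kind, name, old, new, who, ts)

    def propose(self, who: str, name: str, value: int, now: int) -> int:
        """Role check, bounds check, then queue the change; returns its eta."""
        if who not in self.admins:
            raise PermissionError(f"{who} does not hold the admin role")
        lo, hi = PARAM_BOUNDS[name]
        if not lo <= value <= hi:
            raise ValueError(f"{name}={value} is outside [{lo}, {hi}]")
        self.queue[name] = PendingChange(name, value, who, now + TIMELOCK_DELAY)
        self.events.append(("proposed", name, self.values[name], value, who, now))
        return self.queue[name].eta

    def execute(self, name: str, now: int) -> int:
        """Apply a queued change only once its timelock has elapsed."""
        change = self.queue[name]
        if now < change.eta:
            raise RuntimeError(f"timelock for {name} elapses at {change.eta}")
        del self.queue[name]
        old, self.values[name] = self.values[name], change.new_value
        self.events.append(("executed", name, old, change.new_value, change.proposer, now))
        return change.new_value

def alerts(events: list) -> list:
    """Return events whose old/new ratio exceeds ALERT_RATIO, for real-time alerting."""
    return [e for e in events if e[3] >= e[2] * ALERT_RATIO or e[2] >= e[3] * ALERT_RATIO]
```

The delay gives governance and monitoring a window to cancel or react before an extreme max_price_increment takes effect, instead of the change landing in the same transaction as the call.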
- Per [codehawks documentation](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid): parameter changes are executed via the DAO per the docs.
> Also, it is worth noting that the oracle is controlled by a DAO and its parameters can be changed by a vote.