Storage Proofs

Curve

DeFiLayer 1Layer 2

14,723 OP

View results

Previous Next

Submission Details

Severity: high

Invalid

Centralization Risk via Adjustable Oracle Parameters

entrancesun

Summary

The ScrvusdOracleV2 contract allows critical parameters (e.g. max_price_increment, profit_max_unlock_time, and max_v2_duration) to be adjusted via functions protected by the Snekmate access control module. However, this centralized control introduces risk if the roles are mismanaged or compromised. If critical roles are mismanaged or compromised, it can directly manipulate key pricing parameters.

Vulnerability Details

-Functions like set_max_price_increment and set_max_v2_duration enable rapid adjustments to parameters that govern the smoothing and projection of the scrvUSD price.

-An attacker or malicious insider with access to these roles could set extreme values, thereby causing abrupt price changes that may be exploited.

Elaboration

The ScrvusdOracleV2 contract allows critical parameters (e.g., max_price_increment, profit_max_unlock_time, and max_v2_duration) to be adjusted via functions protected by the Snekmate access control module. However, this centralized control introduces risk if the roles are mismanaged or compromised. An attacker or malicious insider with access to these roles could set extreme values, thereby causing abrupt price changes that may be exploited.

Proof of Concept (PoC):

An attacker with the DEFAULT_ADMIN_ROLE role sets the max_price_increment to an abnormally high value.
docs.curve.fi

// Attacker sets max_price_increment to a high value

scrvusdOracleV2.set_max_price_increment(10**18); // 100% per second

In this PoC, the attacker increases the max_price_increment, allowing for rapid and large price changes, which can be exploited for profit.

Impact

-Drastic changes to these parameters can lead to extreme volatility in scrvUSD pricing, directly affecting cross-chain liquidity pools and financial products dependent on the oracle.

-This centralization risk could erode trust in the system and expose users to financial losses.

Tools Used

-Manual Code Review

-Analysis using the Solodit Checklist regarding centralization risks and access control vulnerabilities

-Chat GPT o3-mini-high

Recommendations

-Introduce multi-signature or timelock mechanisms for modifying these critical parameters to prevent unilateral changes.

-Regularly audit role assignments and enforce a governance process for parameter updates.

-Implement detailed logging and real-time alerts for any modifications to these parameters, facilitating rapid response to suspicious activity.

Updates

Lead Judging Commences

0xnevi Lead Judge

3 months ago

0xnevi Lead Judge 3 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

[invalid] finding-centralization-risk

- Per [codehawks documentation](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid) - Parameter change is executed via the Dao per docs > Also, it is worth noting that the oracle is controlled by a DAO and its parameters can be changed by a vote.

Prize pool breakdown

Total prize

14,723 OP

Eagles

1,472 OP

nSLOC

394

37 OP / LOC

High Medium

12,700

Low

551

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.