Storage Proofs

Curve

DeFiLayer 1Layer 2

14,723 OP

View results

Previous Next

Submission Details

Severity: high

Invalid

`total_supply` is deducted in a wrong way that causes drain of pool

bladesec

Title

total_supply is deducted in a wrong way that causes drain of pool

Summary

_obtain_price_params function in the ScrvusdOracleV2 contract introduces a critical vulnerability due to the exponential reduction of total_supply during calculations. This flaw can lead to wrong price calculations over time, subsequently allowing malicious actors to exploit the mispricing and drain pools.

Vulnerability Details

https://github.com/CodeHawks-Contests/2025-03-curve/blob/main/contracts/scrvusd/oracles/ScrvusdOracleV2.vy#L266

The issue lies in the _obtain_price_params function, where total_supply is reduced over time as each iteration of the loop without minimum bounds.
Specifically, the reduction formula in below code section lets total_supply to decrease exponentially over time. This could possibly leads to inaccurate price calculations.

def _obtain_price_params(parameters_ts: uint256) -> PriceParams:

"""

...

# functions are reduced from `VaultV3._process_report()` given assumptions with constant gain

for _: uint256 in range(number_of_periods, bound=MAX_V2_DURATION):

new_balance_of_self: uint256 = (

params.balance_of_self

* (params.total_supply - params.balance_of_self) // params.total_supply

)

>> params.total_supply -= (

params.balance_of_self * params.balance_of_self // params.total_supply

)

params.balance_of_self = new_balance_of_self

if params.full_profit_unlock_date > params.last_profit_update:

# copy from `VaultV3._process_report()`

params.profit_unlocking_rate = params.balance_of_self * MAX_BPS_EXTENDED // (

params.full_profit_unlock_date - params.last_profit_update

)

else:

params.profit_unlocking_rate = 0

params.full_profit_unlock_date += number_of_periods * period

params.last_profit_update += number_of_periods * period

return params

Impact

Due to drastical incorrect price calculations, it could lead to

exploitation by malicious actors to drain pools relying on this oracle
loss of funds for liquidity providers and potential destabilization of the ecosystem.

Recommendations

Possibly we can resolve by

set min boundary on total_supply deduction
set limitation on max_v2_duration to reduce the implication

Updates

Lead Judging Commences

0xnevi Lead Judge

5 months ago

0xnevi Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Prize pool breakdown

Total prize

14,723 OP

Eagles

1,472 OP

nSLOC

394

37 OP / LOC

High Medium

12,700

Low

551

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.