Storage Proofs

Curve

DeFiLayer 1Layer 2

14,723 OP

View results

Previous Next

Submission Details

Severity: high

Invalid

Missing Sequencer or Uptime Checker for Oracle Price Updates

0xshaedyw

Summary

The system relies on an oracle to provide price updates for scrvUSD. However, if the oracle goes down or fails to provide timely updates, the system could use stale prices, leading to incorrect trading or valuation of assets. A sequencer or uptime checker is needed to ensure that price updates are processed correctly and that stale prices are not used.

Vulnerability Details

The oracle is expected to provide price updates every 0.24 bps (basis points per second).
If the oracle fails or is delayed, the system continues to use the last known price (last_price[i]), which could become stale.
Without a sequencer or uptime checker, there is no mechanism to detect oracle downtime or switch to a fallback oracle.

Impact

Financial Losses: Trading or valuation based on stale prices could lead to financial losses for users.
Exploitation: Arbitrageurs could exploit the discrepancy between the actual price and the stale price.

Tools Used

Manual code review

Recommendations

Implement a mechanism to detect oracle downtime and trigger fallback behavior.

if block.timestamp - self.last_update > MAX_UPDATE_INTERVAL:

self.use_fallback_oracle()

Switch to a secondary oracle if the primary oracle fails or is delayed.

Updates

Lead Judging Commences

0xnevi Lead Judge 2 months ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Assigned finding tags:

[invalid] finding-missing-sequencer-check-stale-price

I believe this to be at best informational severity as - The moment sequencer is up again, the price updates that retrieve storage values from mainnet will be pushed. To note, price updates are retrieved from storage proofs are retrieved from Ethereum scrvUSD contract, so the concept of the next updated price being outdated is not possible, given mainnet does not utilize sequencers. - There are no problems with small lags if used in liquidity pools due to fees. Fees generate spread within which price can be lagged. - All price updates are subjected to smoothing, and as you can see from the historical price movements as seen [here](https://coinmarketcap.com/currencies/savings-crvusd/), there is never a large discrepancy in prices (absolute terms), and even more unlikely given sequencer downtimes will unlikely be long. This small price changes can be safely arbitrage aligning with [protocol design](https://github.com/CodeHawks-Contests/2025-03-curve?tab=readme-ov-file#parameters) , along with the above mentioned fees - Combined with the above, the max price increments can be temporarily increased to more effectively match the most updated price.

Prize pool breakdown

Total prize

14,723 OP

Eagles

1,472 OP

nSLOC

394

37 OP / LOC

High Medium

12,700

Low

551

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.