Summary

https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/oracles/ScrvusdOracleV2.vy#L295C1-L331C1

The update_price function does not validate the _ts parameter (timestamp) against the current block timestamp. This means that outdated or future timestamps can be used to update the price, which could lead to incorrect price calculations. Specifically:

• Outdated timestamps: Using a timestamp from the past could result in stale price data.

• Future timestamps: Using a timestamp from the future could manipulate the price in an unrealistic way.

This lack of validation undermines the reliability of the oracle and opens the door to potential manipulation.

Vulnerability Details

**Scenario Setup(Attack Scenario) **

• The current block timestamp is 1000.

• The current price of scrvUSD is 1.0 (normalized to 10**18).

• Bob is a malicious actor with the PRICE_PARAMETERS_VERIFIER role.

• Alice is a liquidity provider who relies on the oracle for accurate price data.

Step 1: Bob Submits a Future Timestamp

• Bob calls the update_price function with the following parameters:

  • _parameters: Valid price parameters.

  • _ts: 2000 (a timestamp in the future).

  • _block_number: The current block number.

• The function does not validate the _ts parameter, so it accepts the future timestamp.

Step 2: Price Update with Future Timestamp

• The update_price function calculates the new price based on the future timestamp (_ts = 2000).

• Since the future timestamp is used, the price calculation assumes that the system has progressed to that point in time, leading to an artificially inflated or deflated price.

• For example, if the price is expected to increase over time, the future timestamp could result in a much higher price than the current market price.

Step 3: Exploitation by Bob

• Bob uses the manipulated price to his advantage:

  • If the price is artificially inflated, Bob could sell his scrvUSD holdings at the inflated price, making a profit.

  • If the price is artificially deflated, Bob could buy scrvUSD at the deflated price, again making a profit.

• Bob’s actions are at the expense of other users, including Alice.

Step 4: Losses for Alice

• Alice, as a liquidity provider, relies on the oracle for accurate price data.

• Due to the manipulated price, Alice’s holdings are incorrectly valued:

  • If the price is inflated, Alice may overvalue her holdings and make poor financial decisions.

  • If the price is deflated, Alice may undervalue her holdings and suffer losses when trading or withdrawing funds.

Impact

Incorrect timestamps could result in stale or manipulated price data, undermining the oracle's reliability.

Tools Used

Manual Code Revieqw

Recommendations

To fix this issue, the update_price function should validate the _ts parameter to ensure it is within a reasonable range relative to the current block timestamp. For example:

1. Prevent Future Timestamps: Ensure that _ts is not greater than the current block timestamp.

2. Prevent Outdated Timestamps: Ensure that _ts is not too far in the past (e.g., within a few blocks or a predefined time window).