Details:
The PERIOD_SLOT variable in the ScrvusdVerifierV2 contract is declared as an internal mutable state variable instead of a constant or immutable value. While no function currently exists that can alter this variable, its mutability leaves room for accidental changes in future code modifications or in derived contracts. If PERIOD_SLOT is modified, the contract may extract data from an incorrect storage slot, potentially leading to misinterpretation of the profit unlocking parameters.
Root Cause:
The variable was declared as a mutable internal state variable (uint256 internal PERIOD_SLOT = 37;) instead of using the constant or immutable keyword. This choice increases the risk of its value being inadvertently changed in future contract extensions or via inheritance.
Impact:
If PERIOD_SLOT is inadvertently modified, the extraction of the period value from the state proof could be based on an incorrect slot hash. This can lead to an incorrect value being used in the profit unlocking logic, potentially causing malfunctions in updating the oracle state or misrepresenting the contract’s internal state.
Recommendation:
Change the declaration of PERIOD_SLOT to use the constant keyword (or immutable if its value were to be set in the constructor) to prevent any modifications. This will enforce that the value remains fixed at compile time, thereby mitigating the risk of unintended modifications in the future.
Proof of Concept:
Consider a derived contract or future modification where PERIOD_SLOT is inadvertently updated:
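The following is an added example, not code from the original submission or from the ScrvusdVerifierV2 source. The contract names, the reconfigure function and the keccak256(abi.encode(...)) slot-hash derivation are assumptions made for illustration; only the declaration uint256 internal PERIOD_SLOT = 37; is taken from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Constructed stand-in for the verifier's slot handling (hypothetical contract).
contract VerifierMutableSlot {
    // Declaration as quoted in the finding: mutable, lives in storage,
    // and is writable by any contract that inherits from this one.
    uint256 internal PERIOD_SLOT = 37;

    // Assumed derivation of the key looked up in the state proof.
    function periodSlotHash() public view returns (bytes32) {
        return keccak256(abi.encode(PERIOD_SLOT));
    }
}

// Hypothetical derived contract or later revision. This compiles because the
// parent's variable is ordinary storage.
contract DerivedVerifier is VerifierMutableSlot {
    function reconfigure(uint256 newSlot) external {
        // After this write, periodSlotHash() resolves to a different slot and
        // the period would be read from the wrong location in the proof.
        PERIOD_SLOT = newSlot;
    }
}

// Recommended form: the value is inlined at compile time and occupies no storage.
contract VerifierConstantSlot {
    uint256 internal constant PERIOD_SLOT = 37;

    function periodSlotHash() public pure returns (bytes32) {
        return keccak256(abi.encode(PERIOD_SLOT));
    }
}

// The same change against the constant version is rejected by the compiler,
// so it is left commented out here:
//
// contract RejectedChild is VerifierConstantSlot {
//     function reconfigure(uint256 newSlot) external {
//         PERIOD_SLOT = newSlot; // error: cannot assign to a constant variable
//     }
// }
```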
In this scenario, an attacker or a flawed upgrade could change PERIOD_SLOT, causing the contract to extract slot values from an unintended storage location, leading to misbehavior in the period verification process. Using a constant would prevent such modifications entirely.