The oracle price calculation functions assume that vault parameters—particularly the total supply—are nonzero. In the edge case where the vault is empty, divisions could occur with a zero denominator. This occurs only in the edge case of an empty vault, leading primarily to a denial-of-service scenario rather than direct funds loss.
- Price calculation functions (e.g. in raw_price, price_v0, etc.) use vault state values (like total supply) as divisors without explicitly checking if they are zero.
- If no deposits exist in the vault, a division by zero may occur, leading to a revert or unintended behavior.
In the edge case where the vault is empty, divisions could occur with a zero denominator, leading to a division by zero error, causing a denial of service.
An attacker or user calls the raw_price function when the vault's total_supply is zero, leading to a division by zero error.
In this PoC, when total_supply is zero, calling the raw_price function results in a division by zero, causing the contract to throw an exception and potentially disrupting the protocol's operations.
- An empty vault could cause the oracle to fail in updating or providing a price, potentially resulting in a denial of service.
- Dependent contracts or liquidity pools relying on the oracle may receive inaccurate pricing data.
- Manual Code Review
- Edge-case analysis based on known ERC4626 patterns and Solodit Checklist best practices
- ChatGPT o3-mini-high
- Add explicit checks in all price calculation functions to detect if the vault’s total supply is zero.
- In such cases, either return a safe default (e.g. the last known lower-bound price) or revert with a clear error message.
- This ensures that division-by-zero errors are prevented and that the oracle behaves predictably in edge scenarios.
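The two guard options in the recommendation, sketched as an added Python model (not code from the submission or from `ScrvusdOracleV2.vy`). The price formula, the `PRECISION` scale, the `VaultParams` type, the `total_assets` field and the `last_price` argument are assumptions made for illustration; only `raw_price` and `total_supply` are names from the finding.

```python
from dataclasses import dataclass

PRECISION = 10**18  # assumed fixed-point scale, not taken from the finding


class EmptyVault(Exception):
    """Explicit error raised instead of an opaque division-by-zero failure."""


@dataclass(frozen=True)
class VaultParams:
    # Hypothetical, reduced parameter set; the real oracle tracks more fields.
    total_assets: int
    total_supply: int


def raw_price_unchecked(p: VaultParams) -> int:
    # Simplified model of the pattern described: supply is used as a divisor
    # with no prior check, so an empty vault fails inside the division.
    return p.total_assets * PRECISION // p.total_supply


def raw_price_strict(p: VaultParams) -> int:
    # Option 1: fail early with a clear, attributable error message.
    if p.total_supply == 0:
        raise EmptyVault("total_supply is zero: no price to report")
    return p.total_assets * PRECISION // p.total_supply


def raw_price_fallback(p: VaultParams, last_price: int) -> int:
    # Option 2: return a safe default, here the last known price.
    if p.total_supply == 0:
        return last_price
    return p.total_assets * PRECISION // p.total_supply


if __name__ == "__main__":
    # Constructed sample states: a funded vault and an empty one.
    funded = VaultParams(total_assets=1_050 * 10**18, total_supply=1_000 * 10**18)
    empty = VaultParams(total_assets=0, total_supply=0)
    print(raw_price_strict(funded))           # price scaled by PRECISION
    print(raw_price_fallback(empty, 10**18))  # falls back to last_price
    try:
        raw_price_strict(empty)
    except EmptyVault as exc:
        print("reverted:", exc)
```

Both the unchecked and the strict variant refuse to produce a price for an empty vault; the strict one differs only in making the failure reason explicit to callers.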
Note that `total_supply` and `profit_unlocking_rate` are initially set to 1 and 0 respectively when `ScrvusdOracleV2.vy` is deployed.

1. `total_supply` and `profit_unlocking_rate` are part of the price param updates within `update_price`, which must have gone through verification via the OOS `StateProofVerifier` contract, so there is no evidence that a 0 supply is allowed either via a 0 supply update or an extremely high `profit_unlocking_rate`.
2. Since price is retrieved via values retrieved from the V3Vault, if there is no supply, there is arguably no price to be posted. As such, reverting is arguably the correct choice since a 0 price value is not expected from scrvUSD, which is a stablecoin.