Submission Details
Severity: low
Invalid

Division by Zero in Price Calculation When Vault Is Empty

Summary

The oracle price calculation functions assume that vault parameters, particularly the total supply, are nonzero. In the edge case where the vault is empty, divisions could occur with a zero denominator. This occurs only in the edge case of an empty vault and leads primarily to a denial-of-service scenario rather than direct funds loss.

Vulnerability Details

- Price calculation functions (e.g. in raw_price, price_v0, etc.) use vault state values (like total supply) as divisors without explicitly checking if they are zero.

- If no deposits exist in the vault, a division by zero may occur, leading to a revert or unintended behavior.

Elaboration

In the edge case where the vault is empty, divisions could occur with a zero denominator, leading to a division by zero error, causing a denial of service.

Proof of Concept (PoC):

An attacker or user calls the raw_price function when the vault's total_supply is zero, leading to a division by zero error.

```solidity
// Assuming total_supply is zero
uint256 total_supply = 0;
uint256 total_debt = 1000 ether;
// Price calculation
uint256 price = total_debt / total_supply; // Division by zero occurs here
```

In this PoC, when total_supply is zero, calling the raw_price function results in a division by zero, causing the contract to throw an exception and potentially disrupting the protocol's operations.

Impact

- An empty vault could cause the oracle to fail in updating or providing a price, potentially resulting in a denial of service.

- Dependent contracts or liquidity pools relying on the oracle may receive inaccurate pricing data.

Tools Used

- Manual Code Review

- Edge-case analysis based on known ERC4626 patterns and Solodit Checklist best practices

- ChatGPT o3-mini-high

Recommendations

- Add explicit checks in all price calculation functions to detect if the vault’s total supply is zero.

- In such cases, either return a safe default (e.g. the last known lower-bound price) or revert with a clear error message.

- This ensures that division-by-zero errors are prevented and that the oracle behaves predictably in edge scenarios.
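
The two options recommended above, as an added example that is not part of the original submission or the project's code: a simplified Python model contrasting the unguarded division from the PoC with a revert-style guard and a last-known-price fallback. The 18-decimal scale, the function and class names, and the sample values are assumptions made for illustration.

```python
# Added illustration: simplified integer model, not the oracle's actual code.
PRECISION = 10**18  # assumed 18-decimal fixed-point scale


class EmptyVault(Exception):
    """Stands in for an on-chain revert with a clear error message."""


def price_unguarded(total_debt: int, total_supply: int) -> int:
    # Mirrors the PoC: the divisor is used without a zero check.
    return total_debt * PRECISION // total_supply


def price_strict(total_debt: int, total_supply: int) -> int:
    # Policy 1: fail with a named error instead of a bare arithmetic fault.
    if total_supply == 0:
        raise EmptyVault("total_supply is zero; no price can be derived")
    return total_debt * PRECISION // total_supply


class FallbackFeed:
    """Policy 2: serve the last known price while the vault is empty."""

    def __init__(self, initial_price: int = PRECISION):
        self.last_price = initial_price

    def price(self, total_debt: int, total_supply: int) -> int:
        if total_supply == 0:
            return self.last_price  # consumers see a stale value, not a failure
        self.last_price = total_debt * PRECISION // total_supply
        return self.last_price


def demo() -> dict:
    # Constructed sample states: (total_debt, total_supply) in 18-decimal units.
    funded, empty = (1050 * PRECISION, 1000 * PRECISION), (1000 * PRECISION, 0)
    out = {}
    try:
        price_unguarded(*empty)
    except ZeroDivisionError:
        out["unguarded"] = "arithmetic fault"
    try:
        price_strict(*empty)
    except EmptyVault:
        out["strict"] = "EmptyVault"
    feed = FallbackFeed()
    out["fallback_funded"] = feed.price(*funded)
    out["fallback_empty"] = feed.price(*empty)
    return out
```

The fallback policy keeps consumers running but hands them a price that no longer tracks vault state, so the choice between the two policies depends on whether a stale value or a failed call is the safer outcome for the contracts reading the feed.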

Updates

Lead Judging Commences

0xnevi Lead Judge
3 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

[invalid] finding-division-by-zero

Note that `total_supply` and `profit_unlocking_rate` are initially set to 1 and 0 respectively when the `ScrvusdOracleV2.vy` is deployed.

1. `total_supply` and `profit_unlocking_rate` are part of the price param updates within `update_price`, which must have gone through verification via the OOS `StateProofVerifier` contract, so there is no evidence that a 0 supply is allowed either via a 0 supply update or an extremely high `profit_unlocking_rate`.

2. Since price is retrieved via values retrieved from the V3Vault, if there is no supply, there is arguably no price to be posted. As such, reverting is arguably the correct choice since a 0 price value is not expected from scrvUSD, which is a stable coin.
