Submission Details
Severity: medium
Invalid

Insufficient Role-Based Access Control (RBAC) Validation

Summary

https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/oracles/ScrvusdOracleV2.vy#L359

https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/oracles/ScrvusdOracleV2.vy#L373

The set_max_price_increment and set_max_v2_duration functions lack validation on input parameters, allowing an admin (intentionally or accidentally) to set unsafe values, leading to price manipulation or incorrect smoothing, which harms system stability.

Vulnerability Details

The set_max_price_increment and set_max_v2_duration functions in the ScrvusdOracleV2.vy contract are protected by the DEFAULT_ADMIN_ROLE, meaning only the admin can call these functions. However, there is no mechanism to validate whether the values set by the admin are safe or reasonable. Specifically:

  1. set_max_price_increment:

    • This function sets the maximum allowed price increment for smoothing.

    • If the max_price_increment is set too high, the price smoothing mechanism becomes ineffective, allowing sharp price changes that could be exploited for arbitrage.

    • If the max_price_increment is set too low, the price smoothing mechanism becomes overly restrictive, leading to stale prices that do not reflect market conditions.

  2. set_max_v2_duration:

    • This function sets the maximum duration for the V2 approximation.

    • If the max_v2_duration is set too high, the system may use outdated data for price calculations, leading to incorrect prices.

    • If the max_v2_duration is set too low, the system may not have enough data to accurately calculate prices, leading to instability.

The lack of validation on these parameters means that the admin (intentionally or accidentally) can set values that harm the system’s stability and reliability.

Impact

Case Scenario: Malicious Admin (Bob) and Victim (Alice)

Scenario Setup

  • Bob is the admin of the ScrvusdOracleV2 contract and has the DEFAULT_ADMIN_ROLE.

  • Alice is a liquidity provider who relies on the oracle for accurate price data.

  • The max_price_increment is currently set to a safe value (e.g., 2 * 10**12), and the max_v2_duration is set to a reasonable value (e.g., 4 * 6 periods).

Step 1: Bob Sets Unsafe max_price_increment

  • Bob calls the set_max_price_increment function and sets the max_price_increment to an extremely high value (e.g., 10**18).

  • This effectively disables the price smoothing mechanism, allowing sharp price changes.

Step 2: Price Manipulation by Bob

  • Bob exploits the lack of price smoothing to manipulate the scrvUSD price:

    • He triggers a large price change by submitting a transaction that significantly increases or decreases the price.

    • Since the max_price_increment is set too high, the price smoothing mechanism does not limit the price change, allowing the price to spike or drop sharply.

Step 3: Exploitation by Bob

  • Bob uses the manipulated price to his advantage:

    • If the price is artificially inflated, Bob sells his scrvUSD holdings at the inflated price, making a profit.

    • If the price is artificially deflated, Bob buys scrvUSD at the deflated price, again making a profit.

  • Bob’s actions are at the expense of other users, including Alice.

Step 4: Losses for Alice

  • Alice, as a liquidity provider, relies on the oracle for accurate price data.

  • Due to the manipulated price, Alice’s holdings are incorrectly valued:

    • If the price is inflated, Alice may overvalue her holdings and make poor financial decisions.

    • If the price is deflated, Alice may undervalue her holdings and suffer losses when trading or withdrawing funds.

Step 5: Bob Sets Unsafe max_v2_duration

  • Bob calls the set_max_v2_duration function and sets the max_v2_duration to an extremely high value (e.g., MAX_V2_DURATION, which is 4 years).

  • This causes the system to use outdated data for price calculations, leading to incorrect prices.

Step 6: Further Exploitation by Bob

  • Bob exploits the incorrect prices caused by the outdated data:

    • He uses the stale prices to his advantage, buying or selling scrvUSD at prices that do not reflect the current market conditions.

  • Again, Bob’s actions are at the expense of other users, including Alice.

Step 7: Losses for Alice

  • Alice suffers further losses due to the incorrect prices caused by the outdated data:

    • She may make poor financial decisions based on the stale prices.

    • She may suffer losses when trading or withdrawing funds.

Tools Used

Manual Review

Recommendations

To fix this issue, the contract should implement validation on the max_price_increment and max_v2_duration parameters to ensure they fall within safe and reasonable ranges.
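
A sketch of the range checks this recommendation describes, added here as an illustration; it is not code from the submission or from ScrvusdOracleV2.vy. The bounds, the `smoothed_price` clamp formula, the time units and every name other than the two setter names are assumptions made for the model.

```python
PRECISION = 10**18

# Assumed safe ranges, constructed for this sketch only.
INCREMENT_RANGE = (10**8, 10**14)   # per-second cap, scaled by PRECISION
DURATION_RANGE = (1, 8 * 6)         # periods


class OracleParams:
    """Admin-tunable parameters whose setters reject out-of-range values."""

    def __init__(self, max_price_increment=2 * 10**12, max_v2_duration=4 * 6):
        self.set_max_price_increment(max_price_increment)
        self.set_max_v2_duration(max_v2_duration)

    def set_max_price_increment(self, value):
        low, high = INCREMENT_RANGE
        if not low <= value <= high:
            raise ValueError("max_price_increment outside allowed range")
        self.max_price_increment = value

    def set_max_v2_duration(self, value):
        low, high = DURATION_RANGE
        if not low <= value <= high:
            raise ValueError("max_v2_duration outside allowed range")
        self.max_v2_duration = value


def smoothed_price(last_price, raw_price, max_price_increment, elapsed):
    """Clamp the move from last_price toward raw_price (assumed formula)."""
    max_change = max_price_increment * elapsed * last_price // PRECISION
    return min(max(raw_price, last_price - max_change), last_price + max_change)


def demo():
    # Constructed input: raw price jumps +10% within a 12-second step.
    last, raw, elapsed = 10**18, 11 * 10**17, 12
    capped = smoothed_price(last, raw, 2 * 10**12, elapsed)
    uncapped = smoothed_price(last, raw, 10**18, elapsed)
    params = OracleParams()
    try:
        params.set_max_price_increment(10**18)  # the value from Step 1
        rejected = False
    except ValueError:
        rejected = True
    return capped, uncapped, rejected, params.max_price_increment


if __name__ == "__main__":
    print(demo())
```

With the example cap of 2 * 10**12 the 10% jump is limited to a move of 24 * 10**12, while a cap of 10**18 lets the raw price through unchanged; the bounded setter refuses that value and leaves the previous one in place.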

Updates

Lead Judging Commences

0xnevi Lead Judge
5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
