Storage Proofs
Curve
DeFiLayer 1Layer 2
14,723 OP
View results
Previous Next
Submission Details
Severity: high
Invalid

wrong storage slot in the scrvUSD contract’s state

cipherhawk

https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/verifiers/ScrvusdVerifierV2.sol#L69-L72


In ScrvusdVerifierV2, the _extractPeriodFromProof function attempts to extract the value of the plain storage variable profit_max_unlock_time (stored at slot 37) by computing its key as follows:

Verifier.SlotValue memory slot = Verifier.extractSlotValueFromProof(
keccak256(abi.encode(PERIOD_SLOT)),
account.storageRoot,
proofs[1].toList()
);

However, for a plain storage variable (i.e. one not in a mapping), the correct storage key in Ethereum’s state trie is simply the 32‑byte, left‑padded representation of the slot number:

bytes32(PERIOD_SLOT)

—not the hash of its ABI-encoded value.

https://github.com/CodeHawks-Contests/2025-03-curve/blob/198820f0c30d5080f75073243677ff716429dbfd/contracts/scrvusd/verifiers/ScrvusdVerifierV2.sol#L69-L72

The use of keccak256(abi.encode(PERIOD_SLOT)) instead of bytes32(PERIOD_SLOT) to compute the storage key for the profit_max_unlock_time variable is a bug. This mistake causes the verifier to look for the wrong storage slot in the scrvUSD contract’s state, potentially leading to an incorrect or manipulable update to the oracle. Addressing this by using the proper direct padded representation of the slot number is critical for ensuring that the correct value is extracted from the Ethereum state proof.

Proof of Concept:

  1. Standard Storage Key Computation:
    For a plain variable stored at slot 37, the correct key in the account’s storage trie is:

    bytes32(uint256(37))

    This representation is simply the slot number padded to 32 bytes.

  2. What the Code Does:
    Instead, the contract computes the key as:

    keccak256(abi.encode(PERIOD_SLOT))

    which produces a completely different 32‑byte value. This is appropriate for mapping entries (where keys are hashed with the mapping’s slot) but not for plain variables.

  3. Consequences:

    • Failure to Locate the Storage Entry: A correct state proof (e.g., one obtained using eth_getProof on a standard contract) would include the storage entry under the key bytes32(37). The verifier, however, will be looking for a key equal to keccak256(abi.encode(37)). This mismatch means that the verifier will not retrieve the actual value for profit_max_unlock_time.

    • Potential Exploitation: An attacker might craft a proof for the wrong key (the hashed key) to manipulate the period parameter passed to the oracle, leading to an unintended update of the profit unlock time.

Recommendation:


Change the key derivation for extracting the period value to use the proper padded representation:

Verifier.SlotValue memory slot = Verifier.extractSlotValueFromProof(
bytes32(PERIOD_SLOT),
account.storageRoot,
proofs[1].toList()
);
.
Updates

Lead Judging Commences

0xnevi Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[invalid] finding-storage-key-compute-wrong

See primary comments in issue #23

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.