Storage Proofs

Curve

DeFiLayer 1Layer 2

14,723 OP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Invalid Timestamp Relationship in `_raw_price` Function in ScrvusdOracle

0xshaedyw

Summary

The _raw_price function calculates the raw price of scrvUSD at a specific timestamp (ts) based on parameters obtained at another timestamp (parameters_ts). The function assumes that ts >= parameters_ts, but this assumption is neither enforced nor documented. If ts < parameters_ts, the function may produce invalid results or revert.

def _raw_price(ts: uint256, parameters_ts: uint256) -> uint256:

"""

@notice Price replication from scrvUSD vault

"""

parameters: PriceParams = self._obtain_price_params(parameters_ts)

return self._total_assets(parameters) * 10**18 // self._total_supply(parameters, ts)

Vulnerability Details

Timestamp Relationship:
- parameters_ts: The timestamp used to fetch the PriceParams struct via _obtain_price_params.
- ts: The timestamp for which the raw price is calculated.
- The function assumes ts >= parameters_ts but does not enforce this condition.
Potential Issues:
- If ts < parameters_ts, the function attempts to calculate a price using future parameters, which violates causality.
- This could lead to underflows, division by zero, or nonsensical results in downstream calculations (e.g., _total_supply).
Example Scenario:
- Assume parameters_ts = 1000 and ts = 900.
- The function fetches parameters at parameters_ts = 1000 but attempts to calculate the price at ts = 900.
- This is invalid because the state at parameters_ts cannot represent the state at an earlier time (ts).

Impact

Incorrect Results: The function may return invalid prices if ts < parameters_ts.
Reverts: Downstream calculations (e.g., _total_supply) may fail due to invalid timestamps.
Protocol Instability: Invalid inputs could lead to mispriced assets, arbitrage opportunities, or failed transactions.

Recommendations

Add Input Validation:
Add an assertion to ensure ts >= parameters_ts:

assert ts >= parameters_ts, Timestamp `ts` must be greater than or equal to `parameters_ts`"

Updates

Lead Judging Commences

0xnevi Lead Judge

6 months ago

0xnevi Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

14,723 OP

Eagles

1,472 OP

nSLOC

394

37 OP / LOC

High Medium

12,700

Low

551

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.