Summary

The update_price() function in ScrvusdOracleV2 expects an array of parameters with an exact length (ALL_PARAM_CNT). There is no explicit check to enforce that the received array has the expected length. An incorrect array length can cause reversion or misinterpretation of parameters, potentially disrupting price updates.

Vulnerability Details

-The oracle update function relies on a fixed-size parameters array to extract vault metrics.

-If an attacker (or even an unintentional caller) provides an array with an incorrect length, this may lead to out-of-bounds memory access or misinterpretation of parameters.

-Such an oversight can cause the function to revert or, worse, operate on unintended data.

Elaboration

The update_price function expects a fixed-length array but does not explicitly check the length, leading to potential out-of-bounds memory access.​

Proof of Concept (PoC):

An attacker provides an array of incorrect length to the update_price function, causing unexpected behavior.​

In this PoC, the attacker supplies an array shorter than expected, potentially causing out-of-bounds memory access or misinterpretation of parameters, leading to incorrect price updates.

Impact

-Out-of-bounds access can result in reversion of the update function, leading to a denial of service on the price feed.

-Misinterpreted parameter values might yield an inaccurate scrvUSD price, opening exploitable windows for arbitrage.

Tools Used

-Manual Code Review

-Detailed edge-case analysis aligned with best practices from the Solodit Checklist regarding array handling

-Chat GPT o3-mini-high

Recommendations

-Explicitly validate that the input parameter array’s length exactly matches ALL_PARAM_CNT before processing.

-Revert with a clear error message if the check fails, preventing any out-of-bounds access.

-This change ensures that the function only processes well-formed input, mitigating potential attack vectors and unexpected behaviors.