Submission Details
Severity: medium
Invalid

Potential Out-of-Bounds Array Access in Oracle Update Function

Summary

The update_price() function in ScrvusdOracleV2 expects an array of parameters with an exact length (ALL_PARAM_CNT). There is no explicit check to enforce that the received array has the expected length. An incorrect array length can cause reversion or misinterpretation of parameters, potentially disrupting price updates.

Vulnerability Details

- The oracle update function relies on a fixed-size parameters array to extract vault metrics.

- If an attacker (or even an unintentional caller) provides an array with an incorrect length, this may lead to out-of-bounds memory access or misinterpretation of parameters.

- Such an oversight can cause the function to revert or, worse, operate on unintended data.

Elaboration

The update_price function expects a fixed-length array but does not explicitly check the length, leading to potential out-of-bounds memory access.

Proof of Concept (PoC):

An attacker provides an array of incorrect length to the update_price function, causing unexpected behavior.

// Attacker provides an array of incorrect length
uint256[ALL_PARAM_CNT - 1] memory incorrectParameters = [/* ... */];
// Attacker calls update_price with incorrect parameters
scrvusdOracleV2.update_price(incorrectParameters, block.timestamp, block.number);

In this PoC, the attacker supplies an array shorter than expected, potentially causing out-of-bounds memory access or misinterpretation of parameters, leading to incorrect price updates.

Impact

- Out-of-bounds access can result in reversion of the update function, leading to a denial of service on the price feed.

- Misinterpreted parameter values might yield an inaccurate scrvUSD price, opening exploitable windows for arbitrage.

Tools Used

- Manual code review

- Detailed edge-case analysis aligned with best practices from the Solodit Checklist regarding array handling

- ChatGPT o3-mini-high

Recommendations

- Explicitly validate that the input parameter array's length exactly matches ALL_PARAM_CNT before processing.

- Revert with a clear error message if the check fails, preventing any out-of-bounds access.

- This change ensures that the function only processes well-formed input, mitigating potential attack vectors and unexpected behaviors.
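The following is an added illustration of the recommended length check, written in Solidity to match the PoC snippet above; it is not code from the audited ScrvusdOracleV2 contract. The contract name, the value 8 for ALL_PARAM_CNT, the parameter positions and the price derivation are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Example only: demonstrates rejecting a malformed parameter array before
/// any element of it is read. Names and constants are assumed, not taken
/// from the real oracle.
contract LengthCheckedOracle {
    uint256 public constant ALL_PARAM_CNT = 8; // assumed value for illustration

    /// Clear, machine-readable reason for the revert, as recommended.
    error BadParameterCount(uint256 received, uint256 expected);

    uint256 public lastPrice;
    uint256 public lastTs;
    uint256 public lastBlock;

    /// Takes a dynamic array so the length check is explicit in the function body.
    function update_price(
        uint256[] calldata parameters,
        uint256 ts,
        uint256 blockNumber
    ) external {
        // Validate the shape of the input before touching any element.
        if (parameters.length != ALL_PARAM_CNT) {
            revert BadParameterCount(parameters.length, ALL_PARAM_CNT);
        }

        // Only reached for well-formed input: every index used below is in bounds.
        lastPrice = _derivePrice(parameters);
        lastTs = ts;
        lastBlock = blockNumber;
    }

    /// Placeholder derivation (assumed layout: [0] = total assets, [1] = total supply).
    /// The real oracle's formula and parameter positions are not reproduced here.
    function _derivePrice(uint256[] calldata p) internal pure returns (uint256) {
        uint256 totalAssets = p[0];
        uint256 totalSupply = p[1];
        require(totalSupply != 0, "zero supply");
        return (totalAssets * 1e18) / totalSupply;
    }
}
```

Putting the check first, with a custom error that reports both the received and the expected count, gives callers an unambiguous failure instead of an opaque revert or a silently mis-sliced parameter set. In Solidity, declaring the parameter with a fixed-size type such as `uint256[ALL_PARAM_CNT] calldata` also causes the ABI decoder to reject calldata of the wrong length, but the explicit check is what produces the descriptive error message the recommendation asks for.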

Updates

Lead Judging Commences

0xnevi Lead Judge
3 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
