The update_price() function in ScrvusdOracleV2 expects an array of parameters with an exact length (ALL_PARAM_CNT). There is no explicit check to enforce that the received array has the expected length. An incorrect array length can cause reversion or misinterpretation of parameters, potentially disrupting price updates.
- The oracle update function relies on a fixed-size parameters array to extract vault metrics.
- If an attacker (or even an unintentional caller) provides an array with an incorrect length, this may lead to out-of-bounds memory access or misinterpretation of parameters.
- Such an oversight can cause the function to revert or, worse, operate on unintended data.
The update_price function expects a fixed-length array but does not explicitly check the length, leading to potential out-of-bounds memory access.
An attacker provides an array of incorrect length to the update_price function, causing unexpected behavior.
In this PoC, the attacker supplies an array shorter than expected, potentially causing out-of-bounds memory access or misinterpretation of parameters, leading to incorrect price updates.
- Out-of-bounds access can result in reversion of the update function, leading to a denial of service on the price feed.
- Misinterpreted parameter values might yield an inaccurate scrvUSD price, opening exploitable windows for arbitrage.
- Manual Code Review
- Detailed edge-case analysis aligned with best practices from the Solodit Checklist regarding array handling
- ChatGPT o3-mini-high
- Explicitly validate that the input parameter array’s length exactly matches ALL_PARAM_CNT before processing.
- Revert with a clear error message if the check fails, preventing any out-of-bounds access.
- This change ensures that the function only processes well-formed input, mitigating potential attack vectors and unexpected behaviors.