Paradex | IOP
Reports by Severity
Critical
#47198 [SC-Critical] The operator can perform unauthorized fund transfers.
#47370 [SC-Critical] `account_transfer_partial` should not be enabled when `transfer_registry_address` is not configured.
#46843 [SC-Critical] Bypass of Restrictions When Paraclear_transfer_registry Is Unregistered
High
#46892 [SC-High] small deposits could prevent users from withdrawing their funds
#46888 [SC-High] account_transfer_partial: lack of input validation when working with signed integers
Medium
#46997 [SC-Medium] The vault performs an unsafe conversion on the getAccountValue result.
#47309 [SC-Medium] Type mishandling allows for users to withdraw FAST from vault instead of STANDARD
#47314 [SC-Medium] account_transfer_partial(...) function doesn't check sender's health after transferring balances
#47310 [SC-Medium] Integer to Felt conversion completely ruins the Vault's accounting
#46856 [SC-Medium] The calculation of shares obtained through token trades will be incorrect, causing users to pay excessive yield fees.
Low
#47316 [SC-Low] account_transfer_partial(...) function doesn't check that receiver has a registered account in the system
#47317 [SC-Low] Transfer function only allows collateral transfers from free balance but can be bypassed
#47330 [SC-Low] The fee calculation in `settle_market` is unreasonable.
#47351 [SC-Low] Funds get stuck in the bridge if attempted to be deposited into a restricted address
#46942 [SC-Low] set_perpetual_asset_balance_link - there are no cycle checks
#46639 [SC-Low] The `_settlement_fee_payments` function contains a calculation error that leads to abnormal user balances.
#46839 [SC-Low] `max_withdraw` and `max_withdraw` do not fully consider global restrictions.
Insight
#46867 [SC-Insight] The `is_liquidation` field in `transfer_internal` is not properly differentiated.
#47257 [SC-Insight] Lack of position quantity limit for a single account.
#46960 [SC-Insight] trade order sizes are not validated properly
#46989 [SC-Insight] Invalid trade side check
#46910 [SC-Insight] Token Balance Event Data Inconsistency in Position Transfers
#47291 [SC-Insight] Several bugs in function set_prices_and_funding_snapshot
#47295 [SC-Insight] Configurator Can Manipulate Critical Parameters to Force Mass Liquidations and Drain Protocol Funds
#47313 [SC-Insight] Transfer(...) function doesn't account for current USDC price
#47318 [SC-Insight] If the counterparty happens to be their own referrer, the protocol does not take the referral fee into account during the risk check.
#47377 [SC-Insight] No Restriction on Self Transfer
#47380 [SC-Insight] Incorrect token_assets_value in AccountLiquidated Event
#46570 [SC-Insight] account list DoS issue
#46747 [SC-Insight] Self-Referral Vulnerability in Account Referral System
#46675 [SC-Insight] Insufficient Time Validation in function settle_trade_v2
#46676 [SC-Insight] Unrestricted Minimum Lockup Period
#47299 [SC-Insight] The `is_risky` check is improper.
#46611 [SC-Insight] Missing staleness checks in oracle queries
Reports by Type
Smart Contract
#46997 [SC-Medium] The vault performs an unsafe conversion on the getAccountValue result.
#46867 [SC-Insight] The `is_liquidation` field in `transfer_internal` is not properly differentiated.
#47257 [SC-Insight] Lack of position quantity limit for a single account.
#46892 [SC-High] small deposits could prevent users from withdrawing their funds
#47198 [SC-Critical] The operator can perform unauthorized fund transfers.
#46960 [SC-Insight] trade order sizes are not validated properly
#46989 [SC-Insight] Invalid trade side check
#46910 [SC-Insight] Token Balance Event Data Inconsistency in Position Transfers
#47291 [SC-Insight] Several bugs in function set_prices_and_funding_snapshot
#47295 [SC-Insight] Configurator Can Manipulate Critical Parameters to Force Mass Liquidations and Drain Protocol Funds
#47309 [SC-Medium] Type mishandling allows for users to withdraw FAST from vault instead of STANDARD
#47313 [SC-Insight] Transfer(...) function doesn't account for current USDC price
#47314 [SC-Medium] account_transfer_partial(...) function doesn't check sender's health after transferring balances
#47316 [SC-Low] account_transfer_partial(...) function doesn't check that receiver has a registered account in the system
#47317 [SC-Low] Transfer function only allows collateral transfers from free balance but can be bypassed
#47318 [SC-Insight] If the counterparty happens to be their own referrer, the protocol does not take the referral fee into account during the risk check.
#47330 [SC-Low] The fee calculation in `settle_market` is unreasonable.
#47351 [SC-Low] Funds get stuck in the bridge if attempted to be deposited into a restricted address
#47370 [SC-Critical] `account_transfer_partial` should not be enabled when `transfer_registry_address` is not configured.
#47377 [SC-Insight] No Restriction on Self Transfer
#47380 [SC-Insight] Incorrect token_assets_value in AccountLiquidated Event
#46570 [SC-Insight] account list DoS issue
#46888 [SC-High] account_transfer_partial: lack of input validation when working with signed integers
#46747 [SC-Insight] Self-Referral Vulnerability in Account Referral System
#47310 [SC-Medium] Integer to Felt conversion completely ruins the Vault's accounting
#46675 [SC-Insight] Insufficient Time Validation in function settle_trade_v2
#46676 [SC-Insight] Unrestricted Minimum Lockup Period
#46942 [SC-Low] set_perpetual_asset_balance_link - there are no cycle checks
#46639 [SC-Low] The `_settlement_fee_payments` function contains a calculation error that leads to abnormal user balances.
#47299 [SC-Insight] The `is_risky` check is improper.
#46839 [SC-Low] `max_withdraw` and `max_withdraw` do not fully consider global restrictions.
#46611 [SC-Insight] Missing staleness checks in oracle queries
#46843 [SC-Critical] Bypass of Restrictions When Paraclear_transfer_registry Is Unregistered
#46856 [SC-Medium] The calculation of shares obtained through token trades will be incorrect, causing users to pay excessive yield fees.