# Paradex | IOP

## Reports by Severity

<details>

<summary>Critical</summary>

* \#47198 \[SC-Critical] The operator can perform unauthorized fund transfers.
* \#47370 \[SC-Critical] \`account\_transfer\_partial\` should not be enabled when \`transfer\_registry\_address\` is not configured.
* \#46843 \[SC-Critical] Bypass of Restrictions When Paraclear\_transfer\_registry Is Unregistered

</details>

<details>

<summary>High</summary>

* \#46892 \[SC-High] small deposits could prevent users from withdrawing their funds
* \#46888 \[SC-High] account\_transfer\_partial: lack of input validation when working with signed integers

</details>

<details>

<summary>Medium</summary>

* \#46997 \[SC-Medium] The vault performs an unsafe conversion on the getAccountValue result.
* \#47309 \[SC-Medium] Type mishandling allows for users to withdraw FAST from vault instead of STANDARD
* \#47314 \[SC-Medium] account\_transfer\_partial(...) function doesn't check sender's health after transferring balances
* \#47310 \[SC-Medium] Integer to Felt conversion completely ruins the Vaults accounting
* \#46856 \[SC-Medium] The calculation of shares obtained through token trades will be incorrect, causing users to pay excessive yield fees.

</details>

<details>

<summary>Low</summary>

* \#47316 \[SC-Low] account\_transfer\_partial(...) function doesn't check that receiver has a registered account in the system
* \#47317 \[SC-Low] Transfer function only allows collateral transfers from free balance but can be bypassed
* \#47330 \[SC-Low] The fee calculation in \`settle\_market\` is unreasonable.
* \#47351 \[SC-Low] Funds get stuck in the bridge if attempted to be deposited into a restricted address
* \#46942 \[SC-Low] set\_perpetual\_asset\_balance\_link - there is no cycle checks
* \#46639 \[SC-Low] The \`\_settlement\_fee\_payments\` function contains a calculation error that leads to abnormal user balances.
* \#46839 \[SC-Low] \`max\_withdraw\` and \`max\_withdraw\` do not fully consider global restrictions.

</details>

<details>

<summary>Insight</summary>

* \#46867 \[SC-Insight] The \`is\_liquidation\` field in \`transfer\_internal\` is not properly differentiated.
* \#47257 \[SC-Insight] Lack of position quantity limit for a single account.
* \#46960 \[SC-Insight] trade order sizes are not validated properly
* \#46989 \[SC-Insight] Invalid trade side check
* \#46910 \[SC-Insight] Token Balance Event Data Inconsistency in Position Transfers
* \#47291 \[SC-Insight] Several bugs in function set\_prices\_and\_funding\_snapshot
* \#47295 \[SC-Insight] Configurator Can Manipulate Critical Parameters to Force Mass Liquidations and Drain Protocol Funds
* \#47313 \[SC-Insight] Transfer(...) function doesn't account for current USDC price
* \#47318 \[SC-Insight] If the counterparty happens to be their own referrer, the protocol does not take the referral fee into account during the risk check.
* \#47377 \[SC-Insight] No Restriction on Self Transfer
* \#47380 \[SC-Insight] Incorrect token\_assets\_value in AccountLiquidated Event
* \#46570 \[SC-Insight] account list DoS issue
* \#46747 \[SC-Insight] Self-Referral Vulnerability in Account Referral System
* \#46675 \[SC-Insight] Insufficient Time Validation in function settle\_trade\_v2
* \#46676 \[SC-Insight] Unrestricted Minimum Lockup Period
* \#47299 \[SC-Insight] The \`is\_risky\` check is improper.
* \#46611 \[SC-Insight] Missing staleness checks in oracle queries

</details>

## Reports by Type

<details>

<summary>Smart Contract</summary>

* \#46997 \[SC-Medium] The vault performs an unsafe conversion on the getAccountValue result.
* \#46867 \[SC-Insight] The \`is\_liquidation\` field in \`transfer\_internal\` is not properly differentiated.
* \#47257 \[SC-Insight] Lack of position quantity limit for a single account.
* \#46892 \[SC-High] small deposits could prevent users from withdrawing their funds
* \#47198 \[SC-Critical] The operator can perform unauthorized fund transfers.
* \#46960 \[SC-Insight] trade order sizes are not validated properly
* \#46989 \[SC-Insight] Invalid trade side check
* \#46910 \[SC-Insight] Token Balance Event Data Inconsistency in Position Transfers
* \#47291 \[SC-Insight] Several bugs in function set\_prices\_and\_funding\_snapshot
* \#47295 \[SC-Insight] Configurator Can Manipulate Critical Parameters to Force Mass Liquidations and Drain Protocol Funds
* \#47309 \[SC-Medium] Type mishandling allows for users to withdraw FAST from vault instead of STANDARD
* \#47313 \[SC-Insight] Transfer(...) function doesn't account for current USDC price
* \#47314 \[SC-Medium] account\_transfer\_partial(...) function doesn't check sender's health after transferring balances
* \#47316 \[SC-Low] account\_transfer\_partial(...) function doesn't check that receiver has a registered account in the system
* \#47317 \[SC-Low] Transfer function only allows collateral transfers from free balance but can be bypassed
* \#47318 \[SC-Insight] If the counterparty happens to be their own referrer, the protocol does not take the referral fee into account during the risk check.
* \#47330 \[SC-Low] The fee calculation in \`settle\_market\` is unreasonable.
* \#47351 \[SC-Low] Funds get stuck in the bridge if attempted to be deposited into a restricted address
* \#47370 \[SC-Critical] \`account\_transfer\_partial\` should not be enabled when \`transfer\_registry\_address\` is not configured.
* \#47377 \[SC-Insight] No Restriction on Self Transfer
* \#47380 \[SC-Insight] Incorrect token\_assets\_value in AccountLiquidated Event
* \#46570 \[SC-Insight] account list DoS issue
* \#46888 \[SC-High] account\_transfer\_partial: lack of input validation when working with signed integers
* \#46747 \[SC-Insight] Self-Referral Vulnerability in Account Referral System
* \#47310 \[SC-Medium] Integer to Felt conversion completely ruins the Vaults accounting
* \#46675 \[SC-Insight] Insufficient Time Validation in function settle\_trade\_v2
* \#46676 \[SC-Insight] Unrestricted Minimum Lockup Period
* \#46942 \[SC-Low] set\_perpetual\_asset\_balance\_link - there is no cycle checks
* \#46639 \[SC-Low] The \`\_settlement\_fee\_payments\` function contains a calculation error that leads to abnormal user balances.
* \#47299 \[SC-Insight] The \`is\_risky\` check is improper.
* \#46839 \[SC-Low] \`max\_withdraw\` and \`max\_withdraw\` do not fully consider global restrictions.
* \#46611 \[SC-Insight] Missing staleness checks in oracle queries
* \#46843 \[SC-Critical] Bypass of Restrictions When Paraclear\_transfer\_registry Is Unregistered
* \#46856 \[SC-Medium] The calculation of shares obtained through token trades will be incorrect, causing users to pay excessive yield fees.

</details>


