Paradex | IOP

Reports by Severity

Critical
  • #47198 [SC-Critical] The operator can perform unauthorized fund transfers.

  • #47370 [SC-Critical] `account_transfer_partial` should not be enabled when `transfer_registry_address` is not configured.

  • #46843 [SC-Critical] Bypass of Restrictions When Paraclear_transfer_registry Is Unregistered

High
  • #46892 [SC-High] small deposits could prevent users from withdrawing their funds

  • #46888 [SC-High] account_transfer_partial: lack of input validation when working with signed integers

Medium
  • #46997 [SC-Medium] The vault performs an unsafe conversion on the getAccountValue result.

  • #47309 [SC-Medium] Type mishandling allows for users to withdraw FAST from vault instead of STANDARD

  • #47314 [SC-Medium] account_transfer_partial(...) function doesn't check sender's health after transferring balances

  • #47310 [SC-Medium] Integer to Felt conversion completely ruins the Vaults accounting

  • #46856 [SC-Medium] The calculation of shares obtained through token trades will be incorrect, causing users to pay excessive yield fees.

Low
  • #47316 [SC-Low] account_transfer_partial(...) function doesn't check that receiver has a registered account in the system

  • #47317 [SC-Low] Transfer function only allows collateral transfers from free balance but can be bypassed

  • #47330 [SC-Low] The fee calculation in `settle_market` is unreasonable.

  • #47351 [SC-Low] Funds get stuck in the bridge if attempted to be deposited into a restricted address

  • #46942 [SC-Low] set_perpetual_asset_balance_link - there are no cycle checks

  • #46639 [SC-Low] The `_settlement_fee_payments` function contains a calculation error that leads to abnormal user balances.

  • #46839 [SC-Low] `max_withdraw` and `max_withdraw` do not fully consider global restrictions.

Insight
  • #46867 [SC-Insight] The `is_liquidation` field in `transfer_internal` is not properly differentiated.

  • #47257 [SC-Insight] Lack of position quantity limit for a single account.

  • #46960 [SC-Insight] trade order sizes are not validated properly

  • #46989 [SC-Insight] Invalid trade side check

  • #46910 [SC-Insight] Token Balance Event Data Inconsistency in Position Transfers

  • #47291 [SC-Insight] Several bugs in function set_prices_and_funding_snapshot

  • #47295 [SC-Insight] Configurator Can Manipulate Critical Parameters to Force Mass Liquidations and Drain Protocol Funds

  • #47313 [SC-Insight] Transfer(...) function doesn't account for current USDC price

  • #47318 [SC-Insight] If the counterparty happens to be their own referrer, the protocol does not take the referral fee into account during the risk check.

  • #47377 [SC-Insight] No Restriction on Self Transfer

  • #47380 [SC-Insight] Incorrect token_assets_value in AccountLiquidated Event

  • #46570 [SC-Insight] account list DoS issue

  • #46747 [SC-Insight] Self-Referral Vulnerability in Account Referral System

  • #46675 [SC-Insight] Insufficient Time Validation in function settle_trade_v2

  • #46676 [SC-Insight] Unrestricted Minimum Lockup Period

  • #47299 [SC-Insight] The `is_risky` check is improper.

  • #46611 [SC-Insight] Missing staleness checks in oracle queries

Reports by Type

Smart Contract
  • #46997 [SC-Medium] The vault performs an unsafe conversion on the getAccountValue result.

  • #46867 [SC-Insight] The `is_liquidation` field in `transfer_internal` is not properly differentiated.

  • #47257 [SC-Insight] Lack of position quantity limit for a single account.

  • #46892 [SC-High] small deposits could prevent users from withdrawing their funds

  • #47198 [SC-Critical] The operator can perform unauthorized fund transfers.

  • #46960 [SC-Insight] trade order sizes are not validated properly

  • #46989 [SC-Insight] Invalid trade side check

  • #46910 [SC-Insight] Token Balance Event Data Inconsistency in Position Transfers

  • #47291 [SC-Insight] Several bugs in function set_prices_and_funding_snapshot

  • #47295 [SC-Insight] Configurator Can Manipulate Critical Parameters to Force Mass Liquidations and Drain Protocol Funds

  • #47309 [SC-Medium] Type mishandling allows for users to withdraw FAST from vault instead of STANDARD

  • #47313 [SC-Insight] Transfer(...) function doesn't account for current USDC price

  • #47314 [SC-Medium] account_transfer_partial(...) function doesn't check sender's health after transferring balances

  • #47316 [SC-Low] account_transfer_partial(...) function doesn't check that receiver has a registered account in the system

  • #47317 [SC-Low] Transfer function only allows collateral transfers from free balance but can be bypassed

  • #47318 [SC-Insight] If the counterparty happens to be their own referrer, the protocol does not take the referral fee into account during the risk check.

  • #47330 [SC-Low] The fee calculation in `settle_market` is unreasonable.

  • #47351 [SC-Low] Funds get stuck in the bridge if attempted to be deposited into a restricted address

  • #47370 [SC-Critical] `account_transfer_partial` should not be enabled when `transfer_registry_address` is not configured.

  • #47377 [SC-Insight] No Restriction on Self Transfer

  • #47380 [SC-Insight] Incorrect token_assets_value in AccountLiquidated Event

  • #46570 [SC-Insight] account list DoS issue

  • #46888 [SC-High] account_transfer_partial: lack of input validation when working with signed integers

  • #46747 [SC-Insight] Self-Referral Vulnerability in Account Referral System

  • #47310 [SC-Medium] Integer to Felt conversion completely ruins the Vaults accounting

  • #46675 [SC-Insight] Insufficient Time Validation in function settle_trade_v2

  • #46676 [SC-Insight] Unrestricted Minimum Lockup Period

  • #46942 [SC-Low] set_perpetual_asset_balance_link - there are no cycle checks

  • #46639 [SC-Low] The `_settlement_fee_payments` function contains a calculation error that leads to abnormal user balances.

  • #47299 [SC-Insight] The `is_risky` check is improper.

  • #46839 [SC-Low] `max_withdraw` and `max_withdraw` do not fully consider global restrictions.

  • #46611 [SC-Insight] Missing staleness checks in oracle queries

  • #46843 [SC-Critical] Bypass of Restrictions When Paraclear_transfer_registry Is Unregistered

  • #46856 [SC-Medium] The calculation of shares obtained through token trades will be incorrect, causing users to pay excessive yield fees.