#46611 [SC-Insight] Missing staleness checks in oracle queries

Submitted on Jun 2nd 2025 at 11:33:50 UTC by @gln for IOP | Paradex

Report ID: #46611
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/tradeparadex/audit-competition-may-2025/tree/main/paraclear
Impacts:
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Description

Brief/Intro

Current implementation does not check last_updated_timestamp when fetching oracle price ticks.

Vulnerability Details

To query oracle price the following function is called from oracle/src/oracle.cairo:

   fn get_value(self: @ContractState, market: felt252) -> TickData {
            let tick_data_price = self.latest_tick_data.read(market);
            let timestamp = self.latest_updated_timestamp.read();
            TickData {
                asset_key: tick_data_price.asset_key,
                asset_value: tick_data_price.asset_value,
                decimals: tick_data_price.decimals,
                last_updated_timestamp: timestamp,
            }
        }

As you can see, it returns asset price and last_updated_timestamp.

Let's see how price data is actually used, code from paraclear/src/paraclear.cairo:

  fn getAccountUnrealizedPnlByMarket(
            self: @ContractState, account: ContractAddress, market: felt252,
        ) -> felt252 {
            let oracle_address = self.getOracleContract();
            let oracle_dispatcher = IParaclearOracleDispatcher { contract_address: oracle_address };
1)          let mark_price_tick = oracle_dispatcher.get_value(market);
            let settlement_token_tick = oracle_dispatcher.get_value(SETTLEMENT_TOKEN_ASSET_KEY);
3)          let mark_price: i128 = mark_price_tick.asset_value.try_into().unwrap();
            let settlement_token_price_i: i128 = settlement_token_tick
                .asset_value
                .try_into()
                .unwrap();
            self
                .perpetual_future
                .calculate_unrealized_pnl(
                    account, market, mark_price, settlement_token_price_i.try_into().unwrap(),
                )
                .into()
        }

Price tick is fetched
There is no verification that price tick can be stale, the tick's field 'last_updated_timestamp' is not verified

As a result, stale price might be used in critical calculations.

Impact Details

Users will rely on asset price information, that is believed to be fresh. It could lead to erroneous decisions and potential loss of funds.

Proof of Concept

In this test, we set price tick, then advance timestamp to 2 hours.

Second call to getAccountUnrealizedPnlByMarket() thus should fail, as the price is outdated, but it does not.

How to reproduce:

add test to src/paraclear/tests/test_paraclear.cairo

#[test]
fn test_oracle_stale_price_issue() {
    let (_, paraclear_dispatcher, oracle_dispatcher) = setup_paraclear_with_oracle();
    let futures_dispatcher = IPerpetualFutureDispatcher {
        contract_address: paraclear_dispatcher.contract_address,
    };

    let mut perpetual_asset = get_perpetual_asset();
    start_cheat_caller_address(futures_dispatcher.contract_address, CONFIGURATOR());
    futures_dispatcher.create_perpetual_asset(perpetual_asset);
    stop_cheat_caller_address(futures_dispatcher.contract_address);

    let market = perpetual_asset.market;
    let account: ContractAddress = 'TEST_ACCOUNT'.try_into().unwrap();
    let current_time = get_block_timestamp();
    
    start_cheat_caller_address(oracle_dispatcher.contract_address, EXECUTOR());
    oracle_dispatcher.set_value(
        TickData {
            asset_key: market,
            asset_value: 50000_00000000,
            decimals: DECIMALS.try_into().unwrap(),
            last_updated_timestamp: current_time.into(),
        }
    );
    stop_cheat_caller_address(oracle_dispatcher.contract_address);

    let mut unrealized_pnl = paraclear_dispatcher.getAccountUnrealizedPnlByMarket(account, market);
    println!("XXXXKE get pnl for timestamp {}, pnl {}", current_time, unrealized_pnl);

    let new_time = get_block_timestamp() + 7200; // + 2 hours
    start_cheat_block_timestamp_global(new_time);
    unrealized_pnl = paraclear_dispatcher.getAccountUnrealizedPnlByMarket(account, market);
    println!("XXXXKE get pnl for timestamp {}, pnl {}", get_block_timestamp(), unrealized_pnl);
}

run the test:

$ snforge test test_oracle_stale_price_issue
...
Running 1 test(s) from tests/
XXXXKE get pnl for timestamp 0, pnl 0
XXXXKE get pnl for timestamp 7200, pnl 0

PreviousParadex | IOP Next#46570 [SC-Insight] account list DoS issue

Was this helpful?

hashtagDescription

hashtagBrief/Intro

hashtagVulnerability Details

hashtagImpact Details

hashtagProof of Concept

hashtagProof of Concept

Description

Brief/Intro

Vulnerability Details

Impact Details

Proof of Concept

Proof of Concept