#46611 [SC-Insight] Missing staleness checks in oracle queries
Submitted on Jun 2nd 2025 at 11:33:50 UTC by @gln for IOP | Paradex
Report ID: #46611
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/tradeparadex/audit-competition-may-2025/tree/main/paraclear
Impacts:
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Description
Brief/Intro
Current implementation does not check last_updated_timestamp when fetching oracle price ticks.
Vulnerability Details
To query an oracle price, the following function from oracle/src/oracle.cairo is called:
fn get_value(self: @ContractState, market: felt252) -> TickData {
    let tick_data_price = self.latest_tick_data.read(market);
    let timestamp = self.latest_updated_timestamp.read();
    TickData {
        asset_key: tick_data_price.asset_key,
        asset_value: tick_data_price.asset_value,
        decimals: tick_data_price.decimals,
        last_updated_timestamp: timestamp,
    }
}
As you can see, it returns the asset price together with last_updated_timestamp.
Let's see how the price data is actually used; the code is from paraclear/src/paraclear.cairo:
Price tick is fetched
There is no check for whether the price tick is stale: the tick's 'last_updated_timestamp' field is never verified.
As a result, stale price might be used in critical calculations.
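The following Python model is an added example, not code from the report or the Paradex repository. It mirrors the oracle shape shown above (per-market tick, one contract-wide update timestamp) and the Proof of Concept scenario below, and shows the unchecked read beside a read that rejects a tick older than an assumed freshness bound (the bound, the market name and the timestamps are constructed for this example).

```python
from dataclasses import dataclass

MAX_PRICE_AGE_SECONDS = 60 * 60  # assumed bound for this example; the report states none

@dataclass(frozen=True)
class TickData:
    """Same fields as the TickData struct returned by oracle get_value()."""
    asset_key: int
    asset_value: int
    decimals: int
    last_updated_timestamp: int

class StalePriceError(Exception):
    """Raised when a tick is older than the bound or stamped in the future."""

class Oracle:  # model of oracle.cairo: per-market tick, one contract-wide timestamp
    def __init__(self) -> None:
        self._latest_tick: dict[str, TickData] = {}
        self._latest_updated_timestamp = 0
    def set_value(self, market: str, tick: TickData, now: int) -> None:
        self._latest_tick[market] = tick
        self._latest_updated_timestamp = now
    def get_value(self, market: str) -> TickData:
        t = self._latest_tick[market]
        return TickData(t.asset_key, t.asset_value, t.decimals, self._latest_updated_timestamp)

def unrealized_pnl_unchecked(oracle: Oracle, market: str, size: int, entry: int) -> int:
    """Pattern the report describes: the price is used, last_updated_timestamp is ignored."""
    return size * (oracle.get_value(market).asset_value - entry)

def get_fresh_value(oracle: Oracle, market: str, now: int, max_age: int = MAX_PRICE_AGE_SECONDS) -> int:
    """Hardened read: reject a tick older than max_age or dated after `now`."""
    tick = oracle.get_value(market)
    age = now - tick.last_updated_timestamp
    if age < 0 or age > max_age:
        raise StalePriceError(f"{market}: tick age {age}s outside 0..{max_age}s")
    return tick.asset_value

def reproduce_report_scenario() -> tuple[int, str]:
    """Mirror the PoC: publish a tick, advance the clock 2 hours, read the price both ways."""
    oracle = Oracle()
    t0 = 1_700_000_000  # constructed timestamp
    oracle.set_value("ETH-USD", TickData(1, 3000, 0, t0), now=t0)
    unchecked = unrealized_pnl_unchecked(oracle, "ETH-USD", 2, 2900)  # stale tick accepted
    try:
        get_fresh_value(oracle, "ETH-USD", now=t0 + 2 * 60 * 60)
        outcome = "accepted"
    except StalePriceError:
        outcome = "rejected"
    return unchecked, outcome
```

The unchecked path happily computes a PnL from the two-hour-old tick, while the checked path raises; a consumer such as the PnL calculation would call the checked read instead of using get_value() directly.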
Impact Details
Users will rely on asset price information that they believe to be fresh. This could lead to erroneous decisions and a potential loss of funds.
Proof of Concept
In this test, we set a price tick, then advance the timestamp by 2 hours.
The second call to getAccountUnrealizedPnlByMarket() should therefore fail, as the price is outdated, but it does not.
How to reproduce:
Add the test to src/paraclear/tests/test_paraclear.cairo
run the test: