#46675 [SC-Insight] Insufficient Time Validation in function settle_trade_v2

Submitted on Jun 3rd 2025 at 08:40:59 UTC by @Catchme for IOP | Paradex

Report ID: #46675
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/tradeparadex/audit-competition-may-2025/tree/main/paraclear
Impacts:
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

The settle_trade_v2 function in Paraclear has a timestamp validation vulnerability. The function only checks if the trade timestamp is greater than zero (traded_at > 0_u64), without verifying that it's recent or valid relative to the current block time. This enables various time-based attacks including trade replay attacks, stale trade execution, and price manipulation that could lead to direct financial losses for users through unfair trade execution and potential theft of funds.

Vulnerability Details

The vulnerable code exists in the settle_trade_v2 function:

let traded_at: u64 = trade.traded_at.try_into().unwrap();
assert(traded_at > 0_u64, Errors::TRADE_TIME_INVALID);

This validation is severely inadequate for several reasons:

No recency check: The function doesn't compare traded_at with the current block timestamp to ensure the trade is recent. As long as traded_at > 0, any timestamp (even from years ago) would be accepted.
No maximum age enforcement: There is no mechanism to enforce a maximum staleness period for trades. This means executors can hold onto trades and execute them much later when market conditions are favorable to them.
No protection against future timestamps: Since there's no upper bound check, trade timestamps set in the future would also be accepted.

Impact Details

Trade Replay Attacks: An attacker could potentially resubmit old trades, especially if IDs can be reused or manipulated. This would result in unauthorized duplicate trades.
Price Manipulation: By holding onto trades and executing them at opportune moments with manipulated oracle data, a malicious executor could generate artificial profits at the expense of users.

Proof of Concept

     let trade_request = TradeRequestV2 {
            id: 1000,
            size: 2_u128.into(),
            price: 800000_u128.into(),
            traded_at: 11111111111, // history timestamp
            maker_order: OrderV2 {
                account: maker_account,
                market: market,
                side: SELL_SIDE,
                orderType: 0,
                size: 2_u128.into(),
                price: 800000_u128.into(),
                signature_timestamp: get_block_timestamp().into(),
                is_reduce_only: false,
            },
            taker_order: OrderV2 {
                account: taker_account,
                market: market,
                side: BUY_SIDE,
                orderType: 0,
                size: 2_u128.into(),
                price: 800000_u128.into(),
                signature_timestamp: get_block_timestamp().into(),
                is_reduce_only: false,
            },
        };

The attacker calls settle_trade_v2 with this trade:

paraclear.settle_trade_v2(manipulated_trade);

Previous#46639 [SC-Low] The `_settlement_fee_payments` function contains a calculation error that leads to abnormal user balances.Next#46676 [SC-Insight] Unrestricted Minimum Lockup Period

Was this helpful?

hashtagDescription

hashtagBrief/Intro

hashtagVulnerability Details

hashtagImpact Details

hashtagProof of Concept

hashtagProof of Concept

Description

Brief/Intro

Vulnerability Details

Impact Details

Proof of Concept

Proof of Concept