#46910 [SC-Insight] Token Balance Event Data Inconsistency in Position Transfers
Submitted on Jun 6th 2025 at 06:06:53 UTC by @Catchme for IOP | Paradex
Report ID: #46910
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/tradeparadex/audit-competition-may-2025/tree/main/paraclear
Impacts:
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Description
Brief/Intro
The _transfer_positions_internal() function in the paraclear.cairo file has a flaw where token balance update events emit incorrect prev_amount values for both sender and receiver accounts during multi-position transfers. This inconsistency can lead to misleading event data.
Vulnerability Details
In the _transfer_positions_internal() function, the code incorrectly uses the initial token balance amount for all position transfer events within the loop, rather than tracking the actual previous amount for each iteration. This affects both sender and receiver accounts, leading to incorrect event emissions.
// Vulnerable Code Location
// File: paraclear/src/paraclear/paraclear.cairo
// Lines: 2039-2238

// At function start
let initial_account_token_balance = *account_state
    .token_balances[account_state.settlement_token_index];
let mut updated_account_token_amount: i128 = initial_account_token_balance
    .amount
    .try_into()
    .unwrap();

// Inside the transfer loop
for idx in 0..account_state.perpetual_names.len() {
    // ... position transfer logic updates updated_account_token_amount ...
    updated_account_token_amount = sender_token_amount_realized;
    self.token.write_asset_balance(
        sender,
        initial_account_token_balance.token_address,
        updated_account_token_amount.into(),
    );
    // Problem - Always uses initial amount
    self.emit(
        TokenComponent::Event::TokenAssetBalanceUpdate(
            TokenAssetBalanceUpdate {
                account: sender,
                token_address: initial_account_token_balance.token_address,
                prev_amount: initial_account_token_balance.amount, // Always the same
                updated_amount: updated_account_token_amount.into(),
                is_liquidation: is_liquidation,
            },
        ),
    );
}

Impact Details
Audit Trail Inconsistency: Each position transfer event shows the same starting balance, making it impossible to track intermediate balance changes.
Event Processing Logic: Systems that process these events sequentially will have incorrect intermediate state calculations.
Monitoring and Alerting: Balance change monitoring systems may trigger false alerts or miss real changes.
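The effect on a sequential event consumer can be reproduced off-chain. The following Python sketch is an added example, not code from the report or from the Paradex repository: it models the loop's event emission with and without carrying the previous amount forward, then runs a continuity check an indexer could apply to TokenAssetBalanceUpdate events. The BalanceUpdate class, the function names, the addresses and the amounts are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BalanceUpdate:
    """Off-chain model of the TokenAssetBalanceUpdate fields shown in the report."""
    account: str
    token_address: str
    prev_amount: int
    updated_amount: int

def emit_transfer_events(account, token, initial, realized_amounts, track_prev):
    """Model the transfer loop: one balance write and one event per position.

    track_prev=False mirrors the reported behaviour (prev_amount is always the
    initial balance); track_prev=True carries the last written amount forward.
    """
    events, prev = [], initial
    for updated in realized_amounts:
        events.append(BalanceUpdate(account, token, prev, updated))
        if track_prev:
            prev = updated
    return events

def find_chain_breaks(events):
    """Return events whose prev_amount differs from the last updated_amount
    seen for the same (account, token_address) pair."""
    last, breaks = {}, []
    for ev in events:
        key = (ev.account, ev.token_address)
        if key in last and last[key] != ev.prev_amount:
            breaks.append(ev)
        last[key] = ev.updated_amount
    return breaks

# Constructed sample: a sender with balance 1000 transferring three positions.
REALIZED = [950, 1020, 990]
BUGGY = emit_transfer_events("0xSENDER", "0xTOKEN", 1000, REALIZED, track_prev=False)
FIXED = emit_transfer_events("0xSENDER", "0xTOKEN", 1000, REALIZED, track_prev=True)

if __name__ == "__main__":
    for ev in find_chain_breaks(BUGGY):
        print("chain break:", ev)
```

The check only sees a break when an intermediate balance differs from the initial one, so a transfer whose running balance happens to return to the starting amount will pass even with the reported behaviour.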
Proof of Concept