> For the complete documentation index, see [llms.txt](https://reports.immunefi.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://reports.immunefi.com/iop-paradex/46942-sc-low-set-perpetual-asset-balance-link-there-is-no-cycle-checks.md). # #46942 \[SC-Low] set perpetual asset balance link there is no cycle checks **Submitted on Jun 6th 2025 at 14:37:44 UTC by @gln for** [**IOP | Paradex**](https://immunefi.com/audit-competition/iop-paradex) * **Report ID:** #46942 * **Report Type:** Smart Contract * **Report severity:** Low * **Target:** * **Impacts:** * Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol) ## Description ## Brief/Intro By calling set\_perpetual\_asset\_balance\_link function admin could create cycles in Paraclear\_perpetual\_asset\_balance list. As a result, any function which loads account state from storage will revert. ## Vulnerability Details Let's look at how contract handles account loading from storage, code from paraclear.cairo: ``` fn _load_account_no_asset_data( self: @ContractState, account: ContractAddress, ) -> AccountState { // load fees and referral let fee_rates = self.account._get_account_fee_rate(account); let referral = self.account.get_account_referral(account); // load perpetual markets (both futures and options) let (perp_names, perp_balances) = self.perpetual_future._get_account_markets(account); // load token markets let (mut token_names, mut token_balances) = self.token._get_account_markets(account); ... } fn _load_account_v2(self: @ContractState, account: ContractAddress) -> AccountState { let mut account_state = self._load_account_no_asset_data(account); if account_state.perpetual_names.is_empty() && account_state.token_names.is_empty() { return account_state; } account_state .asset_data = self ._load_asset_data(account_state.perpetual_names, account_state.token_names); account_state } ``` Now look at the function \_get\_account\_markets from future.cairo: ``` fn _get_account_markets( self: @ComponentState, account: ContractAddress, ) -> (Array, Array<@PerpetualAssetBalance>) { let mut markets = ArrayTrait::new(); let mut balances = ArrayTrait::new(); let start_market = self.Paraclear_perpetual_asset_balance_tail.read(account); if start_market.is_zero() { return (markets, balances); } let mut balance = self.Paraclear_perpetual_asset_balance.read((account, start_market)); markets.append(start_market); balances.append(@balance); 1) while balance.prev.is_non_zero() { let market = balance.prev; balance = self.Paraclear_perpetual_asset_balance.read((account, market)); markets.append(market); balances.append(@balance); } (markets, balances) } ``` 1. If we manage to create cycle here, this function will always revert due to out of gas error The only function which is capable of createing such loop is set\_perpetual\_asset\_balance\_link() : ``` fn set_perpetual_asset_balance_link( ref self: ComponentState, account: ContractAddress, market: felt252, prev_market: felt252, next_market: felt252, ) { self.assert_only_role(roles::ADMIN_ROLE); let prev_perpetual_asset = self.Paraclear_perpetual_asset.read(prev_market); assert!(prev_perpetual_asset.market != 0, "Can't set asset link to an unset asset"); let current_perpetual_asset = self.Paraclear_perpetual_asset.read(market); assert!(current_perpetual_asset.market != 0, "Can't set asset link of an unset asset"); self.Paraclear_perpetual_asset_balance.entry((account, market)).prev.write(prev_market); self.Paraclear_perpetual_asset_balance.entry((account, market)).next.write(next_market); } ``` There is no cycle check, such that prev\_market could equal to market. Malicious or compromised admin could create cycle by calling this function. As a result any contract functions which load account data from storage will fail with out of gas error. ## Impact Details After creating cycle in Paraclear\_perpetual\_asset\_balance list, Paradex contract becomes unusable. ## Proof of Concept ## Proof of Concept How to reproduce: 1. Add test to paraclear/tests/test\_paraclear.cairo. See gist link - 2. Run the test: ``` $ snforge test test_set_perpetual_asset_balance_link_issue Running 1 test(s) from tests/ Creating a cycle... [FAIL] paradex_paraclear::paraclear::tests::test_paraclear::test_set_perpetual_asset_balance_link_issue Failure data: Got an exception while executing a hint: Hint Error: Error at pc=0:71856: Could not reach the end of the program. RunResources has no remaining steps. ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://reports.immunefi.com/iop-paradex/46942-sc-low-set-perpetual-asset-balance-link-there-is-no-cycle-checks.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.