#47291 [SC-Insight] Serveal bugs in function set_prices_and_funding_snapshot

Submitted on Jun 12th 2025 at 10:24:08 UTC by @Catchme for IOP | Paradex

Report ID: #47291
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/tradeparadex/audit-competition-may-2025/tree/main/oracle
Impacts:
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Description

Brief/Intro

The set_prices_and_funding_snapshot function in ParaclearOracle contains multiple critical vulnerabilities related to timestamp handling, allowing executors to update price data with inconsistent or stale timestamps. This creates a significant risk of price manipulation, which could lead to improper liquidations, incorrect funding payments, and potential theft of user funds through manipulated settlement prices in this DeFi protocol.

Vulnerability Details

The function contains three major vulnerabilities:

Timestamp Regression: The function allows updating oracle data with older timestamps than what's currently stored:

// Current code just overwrites without checks
if new_prices.len() > 0 {
    self.latest_updated_timestamp.write((*new_prices.at(0)).last_updated_timestamp);
}

This enables a malicious executor to roll back prices to previous, more favorable values.

Timestamp Inconsistency: The function does not verify that all price/index entries have consistent timestamps:

// No validation that these timestamps match
for tick in new_prices {
    self._set_value(@tick);
}
for tick in new_indices {
    self._set_funding_index(@tick);
}

This allows providing different timestamps for different assets, creating state confusion.

Empty Update Handling: If both arrays are empty, latest_snapshot_id is still updated without updating latest_updated_timestamp, creating an inconsistent state.

These issues violate oracle security fundamentals by permitting:

Updates with older timestamps than current state
Updates with inconsistent timestamps across different assets
Empty updates that modify snapshot ID without timestamps

The vulnerabilities are particularly severe because the get_value function returns the global timestamp for all asset data:

fn get_value(self: @ContractState, market: felt252) -> TickData {
    // ...
    let timestamp = self.latest_updated_timestamp.read();
    // ...
}

This means a single inconsistent update affects the validity of all price data.

Impact Details

Price Manipulation for Liquidations:
- An executor could update oracle with stale prices during market volatility
- This could prevent legitimate liquidations that should occur (if prices are manipulated to appear healthier)
- Or trigger improper liquidations of otherwise healthy positions (if prices are manipulated to appear worse)
- Direct financial loss to users whose positions are incorrectly liquidated
Settlement Price Manipulation:
- By reverting to older, more favorable prices, an attacker could manipulate settlement values
- Users closing positions would receive incorrect payouts
- Example: A position that should be underwater could be made profitable through stale data

Proof of Concept

#[test]
fn test_POC() {
    let mut state = setup_dispatcher();
    let market: felt252 = 'BTC-USD';
    let value = state.get_value(market);
    assert_eq!(
        value, TickData { asset_key: 0, asset_value: 0, decimals: 0, last_updated_timestamp: 0 },
    );
    let tick = TickData {
        asset_key: market, asset_value: 100_000_000, decimals: 8, last_updated_timestamp: 123,
    };
    start_cheat_caller_address(state.contract_address, EXECUTOR());
    state.set_value(tick);
    let mut  newprice : Array<TickData> =ArrayTrait::new();
    let mut  new_indices : Array<TickData> =ArrayTrait::new();

    let tick1= TickData {
        asset_key: market, asset_value: 200_000_000, decimals: 8, last_updated_timestamp: 120,
    };
    newprice.append(tick);
    newprice.append(tick1);
    new_indices.append(tick);
    new_indices.append(tick1);

    state.set_prices_and_funding_snapshot(
        1, newprice, new_indices,
    );
    stop_cheat_caller_address(state.contract_address);
    let value = state.get_value(market);
    assert_ne!(value, tick);
}

Previous#47257 [SC-Insight] Lack of position quantity limit for a single account.Next#47295 [SC-Insight] Configurator Can Manipulate Critical Parameters to Force Mass Liquidations and Drain Protocol Funds

Was this helpful?

hashtagDescription

hashtagBrief/Intro

hashtagVulnerability Details

hashtagImpact Details

hashtagProof of Concept

hashtagProof of Concept

Description

Brief/Intro

Vulnerability Details

Impact Details

Proof of Concept

Proof of Concept