#47310 [SC-Medium] Integer to Felt conversion completely ruins the Vaults accounting

Submitted on Jun 12th 2025 at 14:44:58 UTC by @Kalogerone for IOP | Paradex

Report ID: #47310
Report Type: Smart Contract
Report severity: Medium
Target: https://github.com/tradeparadex/audit-competition-may-2025/tree/main/paraclear
Impacts:
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Description

Brief/Intro

The Paraclear contract implements the getAccountValue(...) function which returns an account's total value. This value can be negative when an account's losses exceed the collateral. However, the getAccountValue(...) function converts the integer amount to felt, which is always positive.

Vulnerability Details

This is the getAccountValue(...) implementation:

        fn getAccountValue(self: @ContractState, account: ContractAddress) -> felt252 {
            Self::get_account_value(self, account)
        }

        fn get_account_value(self: @ContractState, account: ContractAddress) -> felt252 {
            let account_state = self._load_account_v2(account);

            account_state.account_value().into()
        }

We can notice that it returns a felt252 type and it calls account_value() which returns i128 type:

        fn account_value(self: @AccountState) -> i128 {
            let mut account_value: i128 = self.get_asset_value();
            account_value += self.total_unrealized_pnl();
            account_value
        }

If a negative value is returned from account_value(), the way that cairo handles this conversion, the getAccountValue(...) function will return the felt252 max - the negative number.

This function is used by the Vaults and this type mishandling has serious implications:

Users can deposit into liquidated or unhealthy vaults:

During the deposit flow there is this check

            if (total_supply > 0) {
                // if vault is liquidated (but was deposited to before), no more deposits are
                // allowed only withdrawals and donations are allowed
@>              assert(!self._is_liquidated(), Errors::VAULT_LIQUIDATED);
            }

        /// @notice Checks if the vault has been liquidated
        /// @dev A vault is considered liquidated if its account value on Paraclear is <= 0
        /// @return True if the vault has been liquidated, false otherwise
        fn _is_liquidated(self: @ContractState) -> bool {
            let paraclear = self.paraclear();
            let paraclear_dispatcher = IParaclearDispatcher { contract_address: paraclear };
            let assets_holder = self._assets_holder();

@>          let vault_value = paraclear_dispatcher.getAccountValue(assets_holder);
            vault_value.try_into().unwrap() <= 0_i128
        }

This function doesn't work correctly, since if the account's value is negative the vault_value here will always be positive.

Miscalculation of _total_assets, a function that is constantly used throughout the vault and an inflated value can cause a huge deflation of shares and users with tiny amount of shares to be allowed to withdraw huge amount of assets.

        fn _total_assets(self: @ContractState) -> u256 {
            let paraclear = self.paraclear();
            let paraclear_dispatcher = IParaclearDispatcher { contract_address: paraclear };

            // If the vault is closed all assets are moved from the operator to the vault itself
            let assets_holder = self._assets_holder();
            // Get main vault value
@>          let mut vault_value: u256 = paraclear_dispatcher.getAccountValue(assets_holder).into();

	        ...
	        
            let sub_operators: Array<ContractAddress> = registry_dispatcher
                .get_sub_operators(self.operator());

            // Only enter loop if there are sub-operators
            if sub_operators.len() > 0 {
                let mut i = 0;
                loop {
                    if i >= sub_operators.len() {
                        break;
                    }
                    let sub_operator = sub_operators.at(i);
@>                  let sub_operator_value: u256 = paraclear_dispatcher
                        .getAccountValue(*sub_operator)
                        .into();
                    vault_value += sub_operator_value;
                    i += 1;
                };
            }

            self._convert_value_to_usdc(vault_value)
        }

As we can see, the call to getAccountValue(...) is used multiple times in this function, once for the assets holder and multiple times depending on the amount of sub-operators. If any of those accounts has a negative account value, the getAccountValue(...) will return a huge positive value and will cause the _total_assets value to be huge.

Impact Details

The _total_assets function is used is important accounting tracking functions like _convert_to_shares(...) and _convert_to_assets(...). A huge total assets value will cause a huge deflation of shares, where 1 share will equal to a huge amount of assets. This will mess up the accounting of the vault when converting shares to assets and assets to shares during deposits and withdrawals.

References

https://book.cairo-lang.org/ch02-02-data-types.html#felt-type

https://github.com/tradeparadex/audit-competition-may-2025/blob/main/vaults/src/vault/vault.cairo

https://github.com/tradeparadex/audit-competition-may-2025/blob/main/paraclear/src/paraclear/paraclear.cairo#L820

Proof of Concept

Using the following test we can see in the console that:

Original i128: -42
Converted felt252: 3618502788666131213697322783095070105623107215331596699973092056135872020439

#[test]
fn i128_to_felt252() {
    // Set an i128 variable to a negative value
    let negative_i128: i128 = -42_i128;

    // Verify it's negative
    assert!(negative_i128 < 0, "i128 should be negative");

    // Convert to felt252
    let as_felt252: felt252 = negative_i128.into();

    println!("Original i128: {}", negative_i128);
    println!("Converted felt252: {}", as_felt252);
}

Previous#47309 [SC-Medium] Type mishandling allows for users to withdraw FAST from vault instead of STANDARD Next#47314 [SC-Medium] account_transfer_partial(...) function doesn't check sender's health after transferring balances

Was this helpful?

hashtagDescription

hashtagBrief/Intro

hashtagVulnerability Details

hashtagImpact Details

hashtagReferences

hashtagProof of Concept

hashtagProof of Concept

Description

Brief/Intro

Vulnerability Details

Impact Details

References

Proof of Concept

Proof of Concept