#47318 [SC-Insight] If the counterparty happens to be their own referrer, the protocol does not take the referral fee into account during the risk check.
Submitted on Jun 12th 2025 at 15:04:43 UTC by @shaflow1 for IOP | Paradex
Report ID: #47318
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/tradeparadex/audit-competition-may-2025/tree/main/paraclear
Impacts:
Smart contract unable to operate due to lack of token funds
Description
Brief/Intro
Suppose that in a trade the taker's referrer happens to be the maker, or the maker's referrer happens to be the taker. At the end of the trade, the maker or the taker will then receive a referral fee from the counterparty. However, this incoming fee is not considered in the is_risky check, which can cause some otherwise valid trades to fail.
Vulnerability Details
let maker_token_balance = *maker_state
    .token_balances
    .at(maker_state.settlement_token_index);
let taker_token_balance = *taker_state
    .token_balances
    .at(taker_state.settlement_token_index);
// Note: _fee_payments will also write maker and taker token balance into the storage to
// include pnl and funding previously calculated
self
    ._fee_payments(
        maker_account,
        @maker_token_balance,
        maker_trade_fee_in_settlement_token,
        maker_referrer,
        maker_fee_commission_in_settlement_token,
        taker_account,
        @taker_token_balance,
        taker_trade_fee_in_settlement_token,
        taker_referrer,
        taker_fee_commission_in_settlement_token,
    );
Suppose that in a trade the maker happens to be the taker's referrer. In the _fee_payments step, the maker then receives a referral fee from the taker. However, this referral fee is not considered in the earlier is_risky check. Since a source of funds is omitted from the check, a trade that should be executable may be incorrectly rejected.
Impact Details
A trade that could have been executed may become non-executable due to the referral fee being omitted from consideration.
References
https://github.com/tradeparadex/audit-competition-may-2025/blob/0eb81b26a67666c399b4e16b39a96c19848ab7fd/paraclear/src/paraclear/paraclear.cairo#L1911
Proof of Concept
In a trade, the taker's referrer is the maker.
The maker is supposed to pay a total fee of fee1, and the taker is supposed to pay fee2. Since the maker is the taker's referrer, the taker needs to pay an additional referral fee fee3 to the maker. However, in the is_risky check for the maker, the protocol only uses

account_value - fee1 - margin_requirement

whereas it should actually use

account_value - fee1 + fee3 - margin_requirement