#47380 [SC-Insight] Incorrect token_assets_value in AccountLiquidated Event

Submitted on Jun 13th 2025 at 06:49:47 UTC by @Catchme for IOP | Paradex

  • Report ID: #47380

  • Report Type: Smart Contract

  • Report severity: Insight

  • Target: https://github.com/tradeparadex/audit-competition-may-2025/tree/main/registry

  • Impacts:

    • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

    • Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

The account_liquidate() function in the account_component.cairo file contains a flaw where the token_assets_value field in the emitted AccountLiquidated event is incorrectly set to the liquidator’s initial token balance rather than any value related to the liquidated account. This misrepresentation undermines the integrity of on-chain event data and misleads off-chain consumers such as analytics tools, dashboards, and auditors.

Vulnerability Details

In the account_liquidate() function, the protocol emits an AccountLiquidated event after transferring a share of the liquidated account’s positions and collateral. However, the token_assets_value field is populated using the liquidator's pre-liquidation balance, which is not relevant to the liquidation outcome and contradicts the field’s intended meaning.

The event documentation clearly states that token_assets_value refers to "The total value of token assets in the account" (i.e., the liquidated account). Logging the liquidator’s balance in this field is logically incorrect, misleading, and potentially harmful for off-chain systems relying on accurate data.

let initial_liquidator_token_balance = self
    .token
    .get_asset_balance_or_empty(liquidator, settlement_token_asset);

...

self.emit(
    AccountComponent::Event::AccountLiquidated(
        AccountLiquidated {
            account: account,
            liquidator: liquidator,
            token_assets_value: initial_liquidator_token_balance.amount,  // ← Incorrect source
            margin_requirement: margin_requirement.into(),
            unrealized_pnl: total_unrealized_pnl.into(),
            liquidation_penalty: liq_penalty,
            liquidation_share: liquidation_share_d.try_into().unwrap(),
            is_partial_liquidation: (!full_liquidation).into(),
            oracle_snapshot_id: oracle_snapshot_id,
        },
    ),
);

Impact Details

Off-chain systems monitoring liquidation value per account will retrieve incorrect data.
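An off-chain consumer can detect the mismatch by cross-checking the field against balances it sources independently. The following is an added example, not part of the original report or the Paradex code base. It assumes the consumer holds a pre-liquidation snapshot of settlement-token balances keyed by address, and that token_assets_value is meant to equal the liquidated account's balance in that snapshot. The addresses, balances, and function names are constructed for illustration.

```python
# Added example: off-chain cross-check for AccountLiquidated events.
# Field names (account, liquidator, token_assets_value) come from the event
# shown above; addresses, balances and function names are constructed.
from decimal import Decimal


def classify_event(event, pre_balances):
    """Compare token_assets_value with independently sourced pre-liquidation
    settlement-token balances (assumption: the consumer keeps its own
    snapshot, keyed by address)."""
    reported = Decimal(event["token_assets_value"])
    account_bal = pre_balances.get(event["account"])
    liquidator_bal = pre_balances.get(event["liquidator"])
    if account_bal is None or liquidator_bal is None:
        return "unverifiable"        # no independent data: do not trust the field
    if reported == account_bal:
        # Checked first: if both balances happen to be equal, the event is
        # still consistent with its documentation.
        return "matches_account"
    if reported == liquidator_bal:
        return "matches_liquidator"  # the behaviour described in this report
    return "matches_neither"


def audit(events, pre_balances):
    """Group liquidated accounts by status so bad rows can be quarantined."""
    report = {}
    for ev in events:
        status = classify_event(ev, pre_balances)
        report.setdefault(status, []).append(ev["account"])
    return report


# Constructed sample: a balance snapshot and three liquidation events.
PRE_BALANCES = {
    "0xacc1": Decimal("125.50"),
    "0xacc2": Decimal("40"),
    "0xliq1": Decimal("90000"),
}
EVENTS = [
    {"account": "0xacc1", "liquidator": "0xliq1", "token_assets_value": "90000"},
    {"account": "0xacc2", "liquidator": "0xliq1", "token_assets_value": "40"},
    {"account": "0xacc3", "liquidator": "0xliq1", "token_assets_value": "90000"},
]

if __name__ == "__main__":
    for status, accounts in audit(EVENTS, PRE_BALANCES).items():
        print(status, accounts)
```

Rows classified as matches_liquidator or unverifiable should be excluded from per-account liquidation metrics until the value is recomputed from account state.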

Proof of Concept

No PoC is needed.
