`bypassChecks` Flag Disables Risk Controls in Development
A documented `bypassChecks=true` query parameter, accepted from any customer JWT outside production (and implied for sandbox-role JWTs), disabled the entire risk engine in non-prod, allowing unrestricted leveraged trading if dev infrastructure shared signing keys or CLOB accounts with production.
Description
```ts
// offer.controller.ts L99-L103
const isSandbox = this.sandboxService.isSandboxRole(customer.role);
const bypassChecks = isSandbox || (query.bypassChecks ?? false);
if (bypassChecks && !isSandbox && this.environmentService.isInProdEnvironment()) {
  throw new ForbiddenException("bypassChecks is not allowed in production");
}
// In dev: any customer JWT holder can bypass ALL risk checks
```

```ts
// offer.service.ts L69
const bypassChecks =
  input.isSandbox || (input.bypassChecks && !this.environmentService.isInProdEnvironment());
// When bypassChecks is true, the following are skipped:
// - Position limits (global, market, partner, user, side), offer.service.ts ~L110
// - Slippage validation, offer.service.ts ~L118
// - Entry filters (depth, spread, volume, staleness), offer.service.ts ~L122
// - Leverage clamping from risk model, offer.service.ts ~L191
// - Market eligibility checks, offer.service.ts ~L139
```
Frontend / on-chain mitigation analysis: on its face this is only a development-sandbox convenience. It is, however, a documented query parameter in offer.args.ts, so any direct API caller can include it. The on-chain contract enforces its own invariants (collateral requirements, signature expiry, state machine) regardless of `bypassChecks`, which is partial mitigation. But the risk engine's slippage, leverage and market eligibility checks exist precisely because on-chain invariants alone are insufficient to prevent bad trades: the backend signs offers that the contract trusts, so a badly-checked offer translates into real financial exposure.
Impact
Complete bypass of the risk engine in non-production environments. If dev infrastructure shares signing keys or CLOB accounts with production, this enables unrestricted leveraged trading.
Recommendation
Restrict `bypassChecks` to admin API keys only, and never honour it from the sandbox role implicitly. Even in dev, keep minimum safety guards (notional caps) that cannot be bypassed.
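The following is an added example, not the project's code: the vulnerable gate from offer.controller.ts above is reproduced as a pure function beside a hardened gate that follows the recommendation (admin only, never in prod, notional cap kept even when bypassing), with a minimal stand-in for the risk engine so the difference in behaviour can be observed. The `Env` and `Role` types, the limit values and the sample offer are assumptions chosen for illustration.

```typescript
// Added example, not the project's code. Role names, the Env type, the limit
// values and the sample offer are assumptions for illustration.

type Env = "prod" | "staging" | "dev";
type Role = "customer" | "sandbox" | "admin";

interface Caller { role: Role }
interface OfferQuery { bypassChecks?: boolean }
interface Offer {
  notional: number;        // position size in quote currency
  leverage: number;
  marketEligible: boolean; // stands in for the market eligibility check
}
interface RiskLimits { maxNotional: number; maxLeverage: number }

export const LIMITS: RiskLimits = { maxNotional: 100000, maxLeverage: 10 };

// Vulnerable gate (same logic as the finding): a sandbox role always bypasses,
// and outside production any caller may set bypassChecks=true.
export function resolveBypassVulnerable(env: Env, caller: Caller, query: OfferQuery): boolean {
  const isSandbox = caller.role === "sandbox";
  const bypassChecks = isSandbox || (query.bypassChecks ?? false);
  if (bypassChecks && !isSandbox && env === "prod") {
    throw new Error("bypassChecks is not allowed in production");
  }
  return bypassChecks;
}

// Hardened gate: the query flag is honoured only for admin callers outside
// production, and the sandbox role no longer implies a bypass by itself.
export function resolveBypassHardened(env: Env, caller: Caller, query: OfferQuery): boolean {
  if (!query.bypassChecks) return false;
  if (env === "prod") throw new Error("bypassChecks is not allowed in production");
  if (caller.role !== "admin") throw new Error("bypassChecks requires an admin API key");
  return true;
}

// Minimal stand-in for the risk engine. Returns the names of the checks that
// failed. With `minimumGuards` the notional cap is enforced even when the
// discretionary checks (leverage, market eligibility) are bypassed.
export function validateOffer(
  offer: Offer, bypass: boolean, minimumGuards: boolean, limits: RiskLimits = LIMITS,
): string[] {
  const failures: string[] = [];
  if ((minimumGuards || !bypass) && offer.notional > limits.maxNotional) {
    failures.push("notional cap exceeded");
  }
  if (bypass) return failures;
  if (offer.leverage > limits.maxLeverage) failures.push("leverage above risk model limit");
  if (!offer.marketEligible) failures.push("market not eligible");
  return failures;
}

export type OfferOutcome =
  | { kind: "rejected"; reason: string }     // the gate refused the bypass request
  | { kind: "checked"; failures: string[] }; // the risk engine ran (possibly bypassed)

// Runs gate + risk engine. `hardened` selects the gate and enables the
// always-on notional cap.
export function createOffer(
  env: Env, caller: Caller, query: OfferQuery, offer: Offer, hardened: boolean,
): OfferOutcome {
  try {
    const bypass = hardened
      ? resolveBypassHardened(env, caller, query)
      : resolveBypassVulnerable(env, caller, query);
    return { kind: "checked", failures: validateOffer(offer, bypass, hardened) };
  } catch (e) {
    return { kind: "rejected", reason: (e as Error).message };
  }
}

// Constructed sample: an offer that should fail every check.
export const OVERSIZED_OFFER: Offer = { notional: 500000, leverage: 50, marketEligible: false };
```

With the vulnerable gate, `createOffer("dev", { role: "customer" }, { bypassChecks: true }, OVERSIZED_OFFER, false)` returns no failures at all, and note that a sandbox-role caller passes the gate even with `env === "prod"` because `isSandbox` short-circuits the production guard. With the hardened gate the same customer request is rejected, and an admin who does bypass in dev still trips the notional cap.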
Resolution
Resolved: the `bypassChecks` query parameter and the `isSandbox` bypass branch have been removed from offer creation; every environment now enforces the full check set.

