Bug Name
No Leverage Value Validation Allows Dangerous Leverage Settings
Attack Scenario
change_leverage() accepts `leverage: int`, documented as 1-125, but performs no validation of the value. check_required_parameters only checks that the parameter is not empty, so leverage=0, 200, 1.5, or -10 all pass the check and are signed and sent to the server.
Impact
In leveraged futures trading, accidentally setting 125x leverage instead of 12x (typo or off-by-one) could result in immediate liquidation on minor price movements. No client-side safety net for this critical parameter.
Components
Files: /binance/um_futures/account.py lines 574-592, /binance/cm_futures/account.py lines 520-539. Validation in utils.py lines 20-22.
Reproduction
- Call change_leverage(symbol='BTCUSDT', leverage=200).
- Request passes client validation and is signed.
- The request is only rejected by the server, with a cryptic error message.
Fix
Add range validation: if not isinstance(leverage, int) or leverage < 1 or leverage > 125: raise ParameterValueError. Add a max_leverage configuration parameter so integrators can cap leverage below the exchange maximum.
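The range check proposed above, worked through as an added example. This is not code from the binance-connector project: ParameterValueError is a locally defined stand-in for the connector's exception class, the max_leverage keyword is the configuration parameter the fix proposes, and the sample values are the ones listed in the Attack Scenario plus a boolean edge case (bool is a subclass of int in Python, so a bare isinstance check would let True through as 1).

```python
# Added example of client-side leverage validation; not the connector's own code.
# ParameterValueError is a stand-in class so the example runs offline.


class ParameterValueError(ValueError):
    """Stand-in for the connector's ParameterValueError (name taken from the finding)."""


# Documented API range for the leverage parameter, as stated in the finding.
LEVERAGE_MIN = 1
LEVERAGE_MAX = 125


def validate_leverage(leverage, max_leverage=LEVERAGE_MAX):
    """Return leverage unchanged if it is an int within [LEVERAGE_MIN, max_leverage].

    max_leverage is the per-client cap proposed in the Fix section. It lets an
    integrator clamp below the exchange's documented 125x; it can never raise
    the ceiling above the documented maximum.
    """
    if not isinstance(max_leverage, int) or not (LEVERAGE_MIN <= max_leverage <= LEVERAGE_MAX):
        raise ValueError(
            f"max_leverage must be an int within {LEVERAGE_MIN}-{LEVERAGE_MAX}, got {max_leverage!r}"
        )
    # isinstance(True, int) is True because bool subclasses int; reject bools explicitly
    # so a stray flag cannot be signed and sent as leverage=1.
    if isinstance(leverage, bool) or not isinstance(leverage, int):
        raise ParameterValueError(
            f"leverage must be an int, got {type(leverage).__name__}: {leverage!r}"
        )
    if leverage < LEVERAGE_MIN or leverage > max_leverage:
        raise ParameterValueError(
            f"leverage {leverage} is outside the allowed range {LEVERAGE_MIN}-{max_leverage}"
        )
    return leverage


def check_leverage_values(values, max_leverage=LEVERAGE_MAX):
    """Classify each candidate value as 'accepted' or 'rejected: <reason>'."""
    results = {}
    for value in values:
        try:
            validate_leverage(value, max_leverage)
            results[repr(value)] = "accepted"
        except (ParameterValueError, ValueError) as exc:
            results[repr(value)] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    # Constructed inputs: the values from the finding, a bool, and two in-range values.
    for value, outcome in check_leverage_values([0, 200, 1.5, -10, True, 12, 125]).items():
        print(f"{value:>5} -> {outcome}")
    # With a client-side cap of 20x, a typo such as 125 is caught before signing.
    print(check_leverage_values([12, 125], max_leverage=20))
```

Calling validate_leverage at the top of change_leverage(), before the request is signed, turns the server's cryptic rejection into a local ParameterValueError that names the offending value; the max_leverage cap gives an integrator a second, tighter safety net for the fat-finger case described under Impact.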
Details
Finding ID: M-02
Severity: Medium
Researcher: Independent Security Researcher -- Mefai Security Team