Skip to content

chore(runway): cherry-pick fix(perps): potential rate limit on close positions cp-7.63.0 cp-7.64.0 cp-7.62.2#25457

Merged
joaoloureirop merged 1 commit intorelease/7.64.0from
runway-cherry-pick-7.64.0-1769796118
Jan 30, 2026
Merged

chore(runway): cherry-pick fix(perps): potential rate limit on close positions cp-7.63.0 cp-7.64.0 cp-7.62.2#25457
joaoloureirop merged 1 commit intorelease/7.64.0from
runway-cherry-pick-7.64.0-1769796118

Conversation

@runway-github
Copy link
Contributor

@runway-github runway-github bot commented Jan 30, 2026
edited by cursor bot
Loading

Description

Complete the 429 rate limiting fix for position management operations.
The previous fix (commit 425beaead7) only addressed
updatePositionTPSL(). This PR extends the fix to closePosition(),
closePositions(), and updateMargin() methods.

Problem: These methods were using skipCache: true which forced
REST API calls on every operation, leading to 429 rate limiting errors
during prolonged app usage.

Solution:

  • Remove skipCache: true from closePositions() and updateMargin()
    to use WebSocket cache
  • For closePosition(), add optional position parameter so callers
    can pass the live WebSocket position directly, avoiding the need to
    fetch positions entirely
  • Update usePerpsClosePosition hook to pass the position it already
    has

Changelog

CHANGELOG entry: Fixed rate limiting errors (429) when closing positions
or updating margin after prolonged app usage

Related issues

Fixes: Rate limiting issues during position close/margin update
operations

Manual testing steps

Feature: Position close without rate limiting

  Scenario: User closes position after prolonged usage
    Given user has the app open for extended period (>30 minutes)
    And user has an open perps position

    When user closes the position
    Then the position closes successfully without 429 errors

  Scenario: User updates margin after prolonged usage
    Given user has the app open for extended period (>30 minutes)
    And user has an open perps position with isolated margin

    When user adjusts the margin
    Then the margin updates successfully without 429 errors

  Scenario: User closes all positions
    Given user has multiple open perps positions

    When user uses "close all positions" feature
    Then all positions close successfully without rate limiting errors

Screenshots/Recordings

Before

N/A - Bug fix for rate limiting, no UI changes

After

N/A - Bug fix for rate limiting, no UI changes

Pre-merge author checklist

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the
    app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described
    in the ticket it closes and includes the necessary testing evidence such
    as recordings and or screenshots.

Note

Medium Risk
Changes core position-management flows to rely on cached/WebSocket position data and a new optional parameter; incorrect or stale position inputs could cause closes/margin updates to target the wrong size/symbol, though fallbacks remain.

Overview
Prevents 429 rate limiting in HyperLiquid position-management by stopping forced REST refreshes (skipCache: true) in closePositions() and updateMargin(), and relying on cached/WebSocket-backed getPositions().

Extends closePosition() to accept an optional live position object (and updates usePerpsClosePosition + tests to pass it) so closes can skip fetching positions entirely when the caller already has up-to-date WebSocket data.

Written by Cursor Bugbot for commit 391e90b. This will update automatically on new commits. Configure here.

Co-authored-by: Michal Szorad michal.szorad@consensys.net 6f89dec

@abretonc7s @michalconsensys
chore(runway): cherry-pick fix(perps): potential rate limit on close …
391e90b 
…positions cp-7.63.0 cp-7.64.0 cp-7.62.2 (#25438)

## **Description**

Complete the 429 rate limiting fix for position management operations.
The previous fix (commit `425beaead7`) only addressed
`updatePositionTPSL()`. This PR extends the fix to `closePosition()`,
`closePositions()`, and `updateMargin()` methods.

**Problem:** These methods were using `skipCache: true` which forced
REST API calls on every operation, leading to 429 rate limiting errors
during prolonged app usage.

**Solution:**
- Remove `skipCache: true` from `closePositions()` and `updateMargin()`
to use WebSocket cache
- For `closePosition()`, add optional `position` parameter so callers
can pass the live WebSocket position directly, avoiding the need to
fetch positions entirely
- Update `usePerpsClosePosition` hook to pass the position it already
has

## **Changelog**

CHANGELOG entry: Fixed rate limiting errors (429) when closing positions
or updating margin after prolonged app usage

## **Related issues**

Fixes: Rate limiting issues during position close/margin update
operations


## **Manual testing steps**

```gherkin
Feature: Position close without rate limiting

  Scenario: User closes position after prolonged usage
    Given user has the app open for extended period (>30 minutes)
    And user has an open perps position

    When user closes the position
    Then the position closes successfully without 429 errors

  Scenario: User updates margin after prolonged usage
    Given user has the app open for extended period (>30 minutes)
    And user has an open perps position with isolated margin

    When user adjusts the margin
    Then the margin updates successfully without 429 errors

  Scenario: User closes all positions
    Given user has multiple open perps positions

    When user uses "close all positions" feature
    Then all positions close successfully without rate limiting errors
```

## **Screenshots/Recordings**

### **Before**

N/A - Bug fix for rate limiting, no UI changes

### **After**

N/A - Bug fix for rate limiting, no UI changes

## **Pre-merge author checklist**

- [x] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile
Coding
Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I've included tests if applicable
- [x] I've documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I've applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Touches perps position-management flows (`closePosition`,
`closePositions`, `updateMargin`) and changes them to rely on
cached/WebSocket position data, which could surface edge cases if the
cache is stale or mismatched, but does not alter core order-placement
logic.
> 
> **Overview**
> Reduces 429 errors in perps position management by stopping forced
REST position refreshes during `closePositions` and `updateMargin`, and
by updating `closePosition` to accept an optional live `position`
payload (with a cache-based fallback).
> 
> Updates `usePerpsClosePosition` (and its tests) to pass the
already-available position through, avoiding extra `getPositions()`
calls during close flows.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
ccfc17e. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Michal Szorad <michal.szorad@consensys.net>
@runway-github runway-github bot requested a review from a team as a code owner January 30, 2026 18:02
@github-actions
Copy link
Contributor

github-actions bot commented Jan 30, 2026

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@metamaskbot metamaskbot added the team-bots Bot team (for MetaMask Bot, Runway Bot, etc.) label Jan 30, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Jan 30, 2026

🔍 Smart E2E Test Selection

⏭️ Smart E2E selection skipped - base branch is not main (base: release/7.64.0)

All E2E tests pre-selected.

View GitHub Actions results

cursor[bot]
cursor bot reviewed Jan 30, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

app/components/UI/Perps/controllers/providers/HyperLiquidProvider.ts
if (!position) {
const positions = await this.getPositions();
position = positions.find((pos) => pos.symbol === params.symbol);
}
Copy link

@cursor cursor bot Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No validation that provided position matches requested symbol

Medium Severity

When params.position is provided, the code uses it directly without validating that params.position.symbol matches params.symbol. The order is placed using params.symbol (line 4040), but position data like size and marginUsed comes from params.position. If a caller passes mismatched values, this could result in placing a close order with the wrong size or for the wrong symbol, potentially causing financial impact. While current callers pass matching data, the API contract permits this inconsistency.

Fix in Cursor Fix in Web

@sonarqubecloud
Copy link

sonarqubecloud bot commented Jan 30, 2026

Quality Gate Failed Quality Gate failed

Failed conditions
75.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

@joaoloureirop joaoloureirop added the skip-sonar-cloud Only used for bypassing sonar cloud when failures are not relevant to the changes. label Jan 30, 2026
@joaoloureirop joaoloureirop enabled auto-merge (squash) January 30, 2026 19:53
@joaoloureirop joaoloureirop merged commit 68e7a87 into release/7.64.0 Jan 30, 2026
174 of 179 checks passed
@joaoloureirop joaoloureirop deleted the runway-cherry-pick-7.64.0-1769796118 branch January 30, 2026 19:53
@github-actions github-actions bot locked and limited conversation to collaborators Jan 30, 2026
@metamaskbot metamaskbot added the release-7.64.0 Issue or pull request that will be included in release 7.64.0 label Feb 3, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@joaoloureirop joaoloureirop joaoloureirop approved these changes

Assignees

No one assigned

Labels

release-7.64.0 Issue or pull request that will be included in release 7.64.0 size-S skip-sonar-cloud Only used for bypassing sonar cloud when failures are not relevant to the changes. team-bots Bot team (for MetaMask Bot, Runway Bot, etc.)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@joaoloureirop @metamaskbot @abretonc7s