Critical Findings
Lack of Access Control
Severity: Critical
Ecosystem: Sui
Protocol: Aftermath Market Making
Auditor: OtterSec
Report: https://www.notion.so/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Jan 2025
Description:
A sensitive function is improperly exposed. Because it is not restricted to package-level visibility, an attacker can call it directly to modify trade data and balances, potentially disrupting core protocol operations.
Preventing Minting via Front-Running Payload
Severity: Critical
Ecosystem: Sui
Protocol: Lombard Finance
Auditor: OtterSec
Report: https://www.notion.so/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Feb 2025
Description:
The minting function is publicly accessible, allowing an attacker to front-run other users' transactions. This enables malicious actors to manipulate the minting order and potentially capture unfair rewards.
Access Control in common_config.move
Severity: Critical
Ecosystem: Unknown
Protocol: Project Z
Auditor: MoveJay
Report: https://github.com/Jayfromthe13th/Project-Z-Security-Audit-Report/blob/Wallet/audit.md
Report Date: 2024
Description:
The resource_signer function in common_config.move is crucial for generating, saving, and retrieving resource accounts, which are used for token storage in other modules. This function's unrestricted access poses a significant security risk.
Missing AC Check
Severity: Critical
Ecosystem: Binance Smart Chain
Protocol: AquaSwap
Auditor: MoveJay
Report: https://github.com/Jayfromthe13th/AuquaSwap-Audit-/blob/Wallet/Audit%20report.md
Report Date: 2024
Description:
The revoke_trade function does not assert that the signer is the owner of the trade before cancelling the trade and transferring assets to the caller.
create_pool Function Is Lack Of Permission Checking
Severity: Critical
Ecosystem: Sui
Protocol: Dola
Auditor: MoveBit
Report: https://movebit.xyz/reports/Dola-Protocol-Final-Audit-Report.pdf
Report Date: Feb 2024
Description:
The create_pool function lacks permission checks, so anyone can call it to create a pool, which is inconsistent with the design of the protocol. In addition, convert_pool_to_dola converts the pool's CoinType to dola_address, so users can create the same pool at will, which can result in a fake deposit or withdraw message being delivered by the bridge.
Missing Permission Validation
Severity: Critical
Ecosystem: Sui
Protocol: Navi
Auditor: MoveBit
Report Date: July 2023
Description:
The withdraw function lacks access control, allowing anyone to withdraw any amount from any address.
Function Visibility Error
Severity: Critical
Ecosystem: Sui
Protocol: Navi
Auditor: MoveBit
Report Date: July 2023
Description:
The increase_supply_function and borrow_reserve_mul functions are public, allowing unauthorized users to modify storage data and manipulate return values, potentially breaking contract functionality.
Missing Test Comments
Severity: Critical
Ecosystem: Sui
Protocol: SuiPad
Auditor: MoveBit
Report Date: Apr 2023
Description:
Test code is not properly restricted with #[test_only], allowing anyone to run these functions and gain admin privileges.
Missing MeterCapability Check
Severity: Critical
Ecosystem: Aptos
Protocol: Argo
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2022
Description:
The MeterCap type is not unique in the add_meter_cap_usage and sub_meter_cap_usage functions. Anybody is able to create a GlobalMeter
Broken Liquidation Access Control
Severity: Critical
Ecosystem: Aptos
Protocol: Argo
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2022
Description:
Access control between argo_liquidate and argo_engine is enforced through the use of a LiquidateFeature capability. Unfortunately, this capability access control requirement is not enforced on liquidate_repay.
Critical Access Control Check
Severity: Critical
Ecosystem: Aptos
Protocol: Eternal Finance
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Jan 2023
Description:
In common_config.move, the resource_signer function is utilized to obtain the signer from the signer capability that is stored in the resource based on the provided seed. This function is employed by other modules to generate, save, and retrieve resource accounts. Since the created resource account is used to store tokens in other modules, it is crucial that only the protocol modules can access this function.
set_interest_updated Will Set Arbitrary Timestamp
Severity: Critical
Ecosystem: Sui
Protocol: Superposition
Auditor: MoveBit
Report: https://movebit.xyz/reports/Superposition-Final-Audit-Report.pdf
Report Date: Mar 2024
Description:
set_interest_updated is a public function that anyone can call to set broker.interest_updated_at to any timestamp they want.