High Findings
Permissionless Order Fulfillment Before Penalty Period
Severity: High
Ecosystem: Sui
Protocol: Mayan Sui
Auditor: OtterSec
Report: https://www.notion.so/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date:
Description:
The order fulfillment function lacks proper access control: the driver check assert!(msg_driver == ctx.sender(), EInvalidDriver) is enforced only inside the penalty-period branch, so outside that window any unauthorized caller can fulfill orders.
Missing Owner Check
Severity: High
Ecosystem: Sui
Protocol: Aftermath Orderbook
Auditor: OtterSec
Report: https://www.notion.so/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date:
Description:
In the account module, create_stop_order_ticket generates a StopOrderTicket and transfers it to the specified recipient. It sets the ticket's user_address field to tx_context::sender(ctx), the address of the caller, but never checks that this caller is the legitimate owner of the account_id carried in encrypted_details. The ticket is therefore minted and transferred for an account the caller may not own.
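The two findings above share one root cause: the sender is recorded or compared only on some path, instead of being checked against the owner on every path. The following is an added example, not Mayan's or Aftermath's code: a hypothetical Sui Move module (2024 edition syntax) with a conditional driver check beside its unconditional fix, and a ticket constructor that compares the sender against the account's owner before minting. The struct layouts, field names and the shared Account object are assumptions.

```move
// Added example (hypothetical module); not code from either audited protocol.
module example::orders {
    use sui::object::{Self, UID, ID};
    use sui::tx_context::{Self, TxContext};
    use sui::clock::{Self, Clock};
    use sui::transfer;

    const EInvalidDriver: u64 = 0;
    const ENotAccountOwner: u64 = 1;

    /// Assumed order layout: `driver` claimed it; the penalty window ends at `penalty_until_ms`.
    public struct Order has key {
        id: UID,
        driver: address,
        penalty_until_ms: u64,
        penalty_applied: bool,
        fulfilled: bool,
    }

    /// Assumed shared account object; `owner` is the authority for anything referencing it.
    public struct Account has key {
        id: UID,
        owner: address,
    }

    public struct StopOrderTicket has key {
        id: UID,
        account_id: ID,
        user_address: address,
    }

    /// VULNERABLE: the driver check sits inside the penalty branch, so once the
    /// window has closed any sender reaches `order.fulfilled = true`.
    public fun fulfill_order_vulnerable(order: &mut Order, clock: &Clock, ctx: &TxContext) {
        if (clock::timestamp_ms(clock) < order.penalty_until_ms) {
            assert!(order.driver == tx_context::sender(ctx), EInvalidDriver);
            order.penalty_applied = true;
        };
        order.fulfilled = true;
    }

    /// FIXED: authorize unconditionally first; the clock only decides what the
    /// penalty window changes about the outcome, never whether the check runs.
    public fun fulfill_order(order: &mut Order, clock: &Clock, ctx: &TxContext) {
        assert!(order.driver == tx_context::sender(ctx), EInvalidDriver);
        if (clock::timestamp_ms(clock) < order.penalty_until_ms) {
            order.penalty_applied = true;
        };
        order.fulfilled = true;
    }

    /// FIXED ticket creation: writing the sender into `user_address` is not an
    /// ownership check; the comparison against `account.owner` is.
    public fun create_stop_order_ticket(account: &Account, recipient: address, ctx: &mut TxContext) {
        let sender = tx_context::sender(ctx);
        assert!(account.owner == sender, ENotAccountOwner);
        let ticket = StopOrderTicket {
            id: object::new(ctx),
            account_id: object::id(account),
            user_address: sender,
        };
        transfer::transfer(ticket, recipient);
    }
}
```

The practical review check for the first pattern is to locate every assert on the sender and confirm it is not nested under a branch whose condition the caller can influence (time, amounts, flags); for the second, every object ID a function accepts from the caller should be tied back to an ownership assertion or to an object the caller must physically present.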
suifren_update_last_epoch_mixed allows users to bypass checks during the mix
Severity: High
Ecosystem: Sui
Protocol: Mysten Labs Sui
Auditor: OtterSec
Report: https://www.notion.so/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date:
Description:
Since the function is public, any caller may set an arbitrary value for last_epoch_mixed and thereby bypass the checks in capy_labs::mix.
Lack of UpgradeCap id checking
Severity: High
Ecosystem: Sui
Protocol: Dola
Auditor: MoveBit
Report: https://movebit.xyz/reports/Dola-Protocol-Final-Audit-Report.pdf
Report Date: Feb 2024
Description:
The activate_governance function does not check the source of the upgrade_cap, i.e. which package it was issued for, so a user can pass in any package's UpgradeCap object to activate governance.
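Move's type system guarantees that an argument of type sui::package::UpgradeCap is some UpgradeCap, but not which package it upgrades; that has to be checked explicitly with sui::package::upgrade_package. The following is an added example, not Dola's code: a hypothetical Sui Move governance object (2024 edition syntax) that records the expected package ID at setup and refuses any other package's cap. The Governance layout and the expected_package field are assumptions.

```move
// Added example (hypothetical module); not Dola's governance code.
module example::governance_v0 {
    use std::option::{Self, Option};
    use sui::object::{Self, UID, ID};
    use sui::package::{Self, UpgradeCap};
    use sui::tx_context::TxContext;
    use sui::transfer;

    const EWrongUpgradeCap: u64 = 0;
    const EAlreadyActive: u64 = 1;

    public struct Governance has key {
        id: UID,
        /// ID of the protocol package this governance may upgrade (assumed to be
        /// recorded at deployment from the publisher's own UpgradeCap).
        expected_package: ID,
        upgrade_cap: Option<UpgradeCap>,
    }

    public fun new(expected_package: ID, ctx: &mut TxContext) {
        transfer::share_object(Governance {
            id: object::new(ctx),
            expected_package,
            upgrade_cap: option::none(),
        });
    }

    /// VULNERABLE: any UpgradeCap (for any package) activates governance.
    public fun activate_governance_vulnerable(gov: &mut Governance, cap: UpgradeCap) {
        assert!(option::is_none(&gov.upgrade_cap), EAlreadyActive);
        option::fill(&mut gov.upgrade_cap, cap);
    }

    /// FIXED: compare the package the cap controls with the one recorded at setup.
    public fun activate_governance(gov: &mut Governance, cap: UpgradeCap) {
        assert!(option::is_none(&gov.upgrade_cap), EAlreadyActive);
        assert!(package::upgrade_package(&cap) == gov.expected_package, EWrongUpgradeCap);
        option::fill(&mut gov.upgrade_cap, cap);
    }

    /// Which package (if any) this governance currently controls.
    public fun controlled_package(gov: &Governance): Option<ID> {
        if (option::is_some(&gov.upgrade_cap)) {
            option::some(package::upgrade_package(option::borrow(&gov.upgrade_cap)))
        } else {
            option::none()
        }
    }
}
```

The same identity check belongs anywhere a capability-like object is accepted by type alone (Publisher, TreasuryCap, a protocol's own AdminCap) when more than one instance of that type can exist on chain.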
create_proposal Has No Permission control
Severity: High
Ecosystem: Sui
Protocol: Dola
Auditor: MoveBit
Report: https://movebit.xyz/reports/Dola-Protocol-Final-Audit-Report.pdf
Report Date: Feb 2024
Description:
Any user can create a proposal and vote for their own proposal, and can obtain a GovernanceCap after a successful call to vote_proposal, so a malicious user can gain privileged access to the protocol.
Variable Return Value in Public Function
Severity: High
Ecosystem: Sui
Protocol: Cetus Farming
Auditor: MoveBit
Report: https://movebit.xyz/reports/Cetus-Farming-Smart-Contract-Final-Audit-Report.pdf
Report Date: Jan 2024
Description:
The function borrow_mut_pool_share returns a mutable reference to the value stored under the key pool in manager.pool_shares. Because the function is public, the corresponding pool_share can be modified by anyone, leading to incorrect results when the contract calculates accumulate_pool_reward. The function borrow_mut_clmm_position has the same issue.
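In Move, a public function that returns &mut into a struct the module owns hands write access to every other module on chain, regardless of what the struct's own abilities allow. The following is an added example, not Cetus's code: a hypothetical Sui Move manager (2024 edition syntax) showing the leaking accessor next to the split form, where reads stay public and mutable access is public(package). The PoolShare and Manager layouts and the reward formula are assumptions.

```move
// Added example (hypothetical module); not Cetus Farming code.
module example::farm_manager {
    use sui::object::{Self, UID, ID};
    use sui::table::{Self, Table};
    use sui::tx_context::TxContext;
    use sui::transfer;

    const EPoolExists: u64 = 0;

    public struct PoolShare has store {
        share: u128,               // this pool's weight in reward distribution
        accumulated_reward: u128,
    }

    public struct Manager has key {
        id: UID,
        total_share: u128,         // invariant: sum of all `share` fields
        pool_shares: Table<ID, PoolShare>,
    }

    public fun new(ctx: &mut TxContext) {
        transfer::share_object(Manager {
            id: object::new(ctx),
            total_share: 0,
            pool_shares: table::new(ctx),
        });
    }

    public(package) fun add_pool(manager: &mut Manager, pool: ID, share: u128) {
        assert!(!table::contains(&manager.pool_shares, pool), EPoolExists);
        table::add(&mut manager.pool_shares, pool, PoolShare { share, accumulated_reward: 0 });
        manager.total_share = manager.total_share + share;
    }

    /// VULNERABLE: any module can call this and rewrite `share`, breaking the
    /// `total_share` invariant that the reward math below relies on.
    public fun borrow_mut_pool_share_vulnerable(manager: &mut Manager, pool: ID): &mut PoolShare {
        table::borrow_mut(&mut manager.pool_shares, pool)
    }

    /// FIXED: external readers get an immutable reference...
    public fun borrow_pool_share(manager: &Manager, pool: ID): &PoolShare {
        table::borrow(&manager.pool_shares, pool)
    }

    /// ...and only this package may take `&mut`.
    public(package) fun borrow_mut_pool_share(manager: &mut Manager, pool: ID): &mut PoolShare {
        table::borrow_mut(&mut manager.pool_shares, pool)
    }

    /// Reward accounting that trusts `share`: credits reward * share / total_share.
    public fun accumulate_pool_reward(manager: &mut Manager, pool: ID, reward: u128) {
        let total = manager.total_share;
        let ps = borrow_mut_pool_share(manager, pool);
        ps.accumulated_reward = ps.accumulated_reward + reward * ps.share / total;
    }

    public fun share(ps: &PoolShare): u128 { ps.share }
    public fun accumulated_reward(ps: &PoolShare): u128 { ps.accumulated_reward }
}
```

A quick audit heuristic: grep for `): &mut` on `public fun` lines; each hit needs either a capability parameter or a narrower visibility.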
Missing Permission Verification
Severity: High
Ecosystem: Sui
Protocol: Talofa Corporation
Auditor: MoveBit
Report Date: May 2023
Description:
These functions do not verify the caller's permissions, so the owner of a Gear can change the parameter configuration of Gear and Skill.
threshold can’t be modified
Severity: High
Ecosystem: Sui
Protocol: Legend of Arcadia
Auditor: MoveBit
Report Date: Jun 2023
Description:
The value of threshold is set to 1 every time the MultiSignature is initialized, and there is no interface to modify it afterwards. As a result a single signer controls the entire MultiSignature, and any one member holds the highest authority.
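The Dola and Legend of Arcadia findings above are two ends of the same governance failure: either anyone may create and pass proposals, or the approval threshold is stuck where one key suffices. The following is an added example, not the code of either protocol: a hypothetical Sui Move multisig (2024 edition syntax) in which only members may propose and vote, authority (a GovernanceCap) is handed out only on execution after `threshold` distinct approvals, and the threshold can be changed only by a proposal that itself clears the current threshold. The proposal actions, field names and error codes are assumptions.

```move
// Added example (hypothetical module); not Dola's or Legend of Arcadia's code.
module example::multisig {
    use sui::object::{Self, UID, ID};
    use sui::tx_context::{Self, TxContext};
    use sui::transfer;
    use sui::vec_set::{Self, VecSet};

    const ENotMember: u64 = 0;
    const EAlreadyVoted: u64 = 1;
    const EThresholdNotMet: u64 = 2;
    const EBadThreshold: u64 = 3;
    const EAlreadyExecuted: u64 = 4;
    const EWrongMultiSig: u64 = 5;
    const EBadAction: u64 = 6;

    const ACTION_SET_THRESHOLD: u8 = 0;
    const ACTION_GRANT_CAP: u8 = 1;

    public struct MultiSig has key {
        id: UID,
        members: VecSet<address>,
        threshold: u64,
    }

    /// Proof of a passed proposal; the object that must never be obtainable by one caller alone.
    public struct GovernanceCap has key, store { id: UID }

    public struct Proposal has key {
        id: UID,
        multisig_id: ID,          // ties the proposal to one MultiSig
        action: u8,
        new_threshold: u64,       // used by ACTION_SET_THRESHOLD
        recipient: address,       // used by ACTION_GRANT_CAP
        approvals: VecSet<address>,
        executed: bool,
    }

    fun valid_threshold(threshold: u64, member_count: u64): bool {
        threshold >= 1 && threshold <= member_count
    }

    public fun create(members: vector<address>, threshold: u64, ctx: &mut TxContext) {
        let members = vec_set::from_keys(members);   // aborts on duplicate members
        assert!(valid_threshold(threshold, vec_set::size(&members)), EBadThreshold);
        transfer::share_object(MultiSig { id: object::new(ctx), members, threshold });
    }

    fun assert_member(ms: &MultiSig, ctx: &TxContext): address {
        let sender = tx_context::sender(ctx);
        assert!(vec_set::contains(&ms.members, &sender), ENotMember);
        sender
    }

    /// Only members may propose; an out-of-range threshold is rejected before any vote.
    public fun create_proposal(ms: &MultiSig, action: u8, new_threshold: u64, recipient: address, ctx: &mut TxContext) {
        assert_member(ms, ctx);
        assert!(action == ACTION_SET_THRESHOLD || action == ACTION_GRANT_CAP, EBadAction);
        if (action == ACTION_SET_THRESHOLD) {
            assert!(valid_threshold(new_threshold, vec_set::size(&ms.members)), EBadThreshold);
        };
        transfer::share_object(Proposal {
            id: object::new(ctx),
            multisig_id: object::id(ms),
            action, new_threshold, recipient,
            approvals: vec_set::empty(),
            executed: false,
        });
    }

    /// One vote per member; voting by itself grants nothing.
    public fun vote_proposal(ms: &MultiSig, p: &mut Proposal, ctx: &TxContext) {
        assert!(p.multisig_id == object::id(ms), EWrongMultiSig);
        let sender = assert_member(ms, ctx);
        assert!(!vec_set::contains(&p.approvals, &sender), EAlreadyVoted);
        vec_set::insert(&mut p.approvals, sender);
    }

    /// Authority is handed out here, and only after `threshold` distinct approvals.
    public fun execute(ms: &mut MultiSig, p: &mut Proposal, ctx: &mut TxContext) {
        assert!(p.multisig_id == object::id(ms), EWrongMultiSig);
        assert!(!p.executed, EAlreadyExecuted);
        assert!(vec_set::size(&p.approvals) >= ms.threshold, EThresholdNotMet);
        p.executed = true;
        if (p.action == ACTION_SET_THRESHOLD) {
            ms.threshold = p.new_threshold;
        } else {
            transfer::transfer(GovernanceCap { id: object::new(ctx) }, p.recipient);
        }
    }

    public fun threshold(ms: &MultiSig): u64 { ms.threshold }
}
```

Note the multisig_id check in vote_proposal and execute: without it, a proposal created against a throwaway MultiSig whose threshold is 1 could be executed against the real one.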
Incorrect Function Visibility
Severity: High
Ecosystem: Sui
Protocol: SuiPad
Auditor: MoveBit
Report Date: Apr 2023
Description:
The add_investor and close functions are public, allowing anyone to modify the whitelist or close the campaign.
Incorrect Function Visibility
Severity: High
Ecosystem: Sui
Protocol: SuiPad
Auditor: MoveBit
Report Date: Apr 2023
Description:
update_last_distribution_timestamp is public, allowing stakers to manipulate the timestamp so that penalties are never sent to the receiver.
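The Mysten, Talofa and both SuiPad findings above are the same visibility mistake: a state-changing function declared `public` with no capability parameter, so any address can call it directly from a transaction or from its own module. The following is an added example, not the code of any of those projects: a hypothetical Sui Move campaign module (2024 edition syntax) showing the unguarded functions beside the two idiomatic fixes, an AdminCap parameter for administrative actions and public(package) visibility for internal bookkeeping that should take its input from the Clock rather than from the caller. The Campaign layout and the distribute flow are assumptions.

```move
// Added example (hypothetical module); not SuiPad, Talofa or Mysten code.
module example::campaign {
    use sui::object::{Self, UID};
    use sui::tx_context::{Self, TxContext};
    use sui::transfer;
    use sui::vec_set::{Self, VecSet};
    use sui::clock::{Self, Clock};

    const ECampaignClosed: u64 = 0;
    const ENotWhitelisted: u64 = 1;

    /// Minted once in `init` and sent to the publisher; possession is the permission.
    public struct AdminCap has key, store { id: UID }

    public struct Campaign has key {
        id: UID,
        whitelist: VecSet<address>,
        closed: bool,
        last_distribution_ts: u64,
    }

    fun init(ctx: &mut TxContext) {
        transfer::transfer(AdminCap { id: object::new(ctx) }, tx_context::sender(ctx));
        transfer::share_object(Campaign {
            id: object::new(ctx),
            whitelist: vec_set::empty(),
            closed: false,
            last_distribution_ts: 0,
        });
    }

    // VULNERABLE: `public` plus no capability parameter means any address can
    // call these from a transaction block or from its own module.
    public fun add_investor_vulnerable(c: &mut Campaign, investor: address) {
        vec_set::insert(&mut c.whitelist, investor);
    }
    public fun close_vulnerable(c: &mut Campaign) { c.closed = true; }
    public fun update_last_distribution_timestamp_vulnerable(c: &mut Campaign, ts: u64) {
        c.last_distribution_ts = ts;
    }

    // FIXED: admin actions require the AdminCap. Sui's ownership rules mean
    // only the cap's owner can supply it as an argument.
    public fun add_investor(_: &AdminCap, c: &mut Campaign, investor: address) {
        assert!(!c.closed, ECampaignClosed);
        vec_set::insert(&mut c.whitelist, investor);
    }
    public fun close(_: &AdminCap, c: &mut Campaign) { c.closed = true; }

    // FIXED: internal bookkeeping is package-private and reads the time from
    // the Clock, so no caller can choose the value.
    public(package) fun update_last_distribution_timestamp(c: &mut Campaign, clock: &Clock) {
        c.last_distribution_ts = clock::timestamp_ms(clock);
    }

    /// The only public path that touches the timestamp.
    public fun distribute(c: &mut Campaign, clock: &Clock, ctx: &TxContext) {
        assert!(!c.closed, ECampaignClosed);
        assert!(vec_set::contains(&c.whitelist, &tx_context::sender(ctx)), ENotWhitelisted);
        // ... token distribution and penalty accounting would happen here ...
        update_last_distribution_timestamp(c, clock);
    }

    public fun is_whitelisted(c: &Campaign, who: address): bool {
        vec_set::contains(&c.whitelist, &who)
    }
    public fun last_distribution_ts(c: &Campaign): u64 { c.last_distribution_ts }
}
```

When reviewing a Sui package, list every `public fun` and `entry fun` that takes `&mut` to a shared object and confirm each one either takes a capability by reference or is meant to be callable by everyone.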
Security Level Constraint Can Be Circumvented
Severity: High
Ecosystem: Sui
Protocol: BucketV2
Auditor: Quantstamp
Report Date: Aug 2025
Description:
The update_position() function aborts depending on the user's operation and the vault's security level. The intent is that a collateral deposit is allowed when the security level is 0 or 2, while withdrawing collateral, repaying debt, or borrowing requires level 0. However, it is possible to withdraw collateral, repay debt, or borrow even at security level 2: the user simply needs to include a nonzero deposit amount in the same call to update_position(), and the security-level check is circumvented.
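The bypass works because the check branches on whether a deposit is present and then applies the deposit rule to the whole call. The following is an added example, not BucketV2's code: the check reconstructed as a pure Move function so the flawed and fixed versions can be compared, with a test that exercises the dust-deposit bypass. The level semantics are only what the finding states (0 allows everything, 2 allows deposits only); treating any other level as fully restricted is an assumption.

```move
// Added example (hypothetical module); not BucketV2 code.
module example::security_level {
    const ESecurityLevel: u64 = 0;

    const LEVEL_OPEN: u8 = 0;
    const LEVEL_DEPOSIT_ONLY: u8 = 2;

    /// VULNERABLE: the branch is selected by the presence of a deposit, so the
    /// deposit rule governs the whole call. A 1-unit deposit bundled with a
    /// withdraw, borrow or repay passes at level 2.
    public fun allowed_vulnerable(level: u8, deposit: u64, _withdraw: u64, _borrow: u64, _repay: u64): bool {
        if (deposit > 0) {
            level == LEVEL_OPEN || level == LEVEL_DEPOSIT_ONLY
        } else {
            level == LEVEL_OPEN
        }
    }

    /// FIXED: every operation present in the call is checked on its own, and
    /// the most restrictive applicable rule decides.
    public fun allowed(level: u8, deposit: u64, withdraw: u64, borrow: u64, repay: u64): bool {
        let deposit_ok = deposit == 0 || level == LEVEL_OPEN || level == LEVEL_DEPOSIT_ONLY;
        let restricted_ops = withdraw > 0 || borrow > 0 || repay > 0;
        let restricted_ok = !restricted_ops || level == LEVEL_OPEN;
        deposit_ok && restricted_ok
    }

    /// Entry point shape: the gate runs before any position accounting.
    public fun update_position(level: u8, deposit: u64, withdraw: u64, borrow: u64, repay: u64) {
        assert!(allowed(level, deposit, withdraw, borrow, repay), ESecurityLevel);
        // ... collateral and debt accounting would follow ...
    }

    #[test]
    fun bypass_works_on_vulnerable_check_only() {
        // Level 2, withdraw 1_000 with a dust deposit of 1: passes the flawed check...
        assert!(allowed_vulnerable(LEVEL_DEPOSIT_ONLY, 1, 1_000, 0, 0), 0);
        // ...and is rejected by the fixed one.
        assert!(!allowed(LEVEL_DEPOSIT_ONLY, 1, 1_000, 0, 0), 1);
        // Plain deposits still work at level 2, and everything at level 0.
        assert!(allowed(LEVEL_DEPOSIT_ONLY, 500, 0, 0, 0), 2);
        assert!(allowed(LEVEL_OPEN, 0, 1_000, 200, 300), 3);
        // A level the finding does not define blocks everything here (assumption).
        assert!(!allowed(1, 10, 0, 0, 0), 4);
    }
}
```

Run the test with `sui move test` from a package that contains the module. The general lesson for any multi-operation entry point is to evaluate the policy per operation and AND the results, never to pick one branch from a single discriminator.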
The Distinction is Lacking When Setting Admin And treasury_address
Severity: High
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
Because the contract does not distinguish between the two role types when recording a pending privilege, the recipient of a treasury_address offer can call claim_admin_previliges() and make themselves the admin, and vice versa. This role confusion can lead to significant losses in the contract.
Lack of Access Control
Severity: High
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
The cancel_admin_previliges and cancel_treasury_previliges functions have no access control at all, so anyone can cancel any pending privilege.
Permission Conflict
Severity: High
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
Multiple pending admin and treasury privileges can exist at the same time, which leads to permission conflicts. For instance, if two pending admin privileges coexist, both recipients can call claim_admin_previliges to acquire the role; whichever claims later displaces the other, so the first admin loses its permissions.
The Admin is Unable to Update the Liquidity Fee and Treasury Fee
Severity: High
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
The swap_v2.set_dex_liquidity_fee() function is marked public(friend), meaning it is callable only from modules declared as friends of the current module.
In the protocol, only baptswap_v2::router_v2 is declared as a friend.
The problem is that router_v2 never invokes set_dex_liquidity_fee(), so there is no path by which the protocol can update the liquidity fee. The functions set_dex_treasury_fee(), set_individual_token_team_fee() and set_individual_token_liquidity_fee() have the same issue.
Single-step Ownership Transfer Can be Dangerous
Severity: High
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
With single-step ownership transfer, passing a wrong address when transferring ownership or admin rights loses the role permanently. If admin permissions are handed to the wrong address in this function, the damage to the contract is irreparable.
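The four Baptswap role findings above (role confusion between admin and treasury, uncontrolled cancellation, coexisting pending privileges, and single-step transfer) are all addressed by one structure: a two-step offer/claim with a separate, single-occupancy pending slot per role and an access-controlled cancel. The following is an added example, not Baptswap's code: a hypothetical Aptos Move module implementing that structure. `@example` is an assumed named address under which the module is published; the resource layout, function names and error codes are assumptions.

```move
// Added example (hypothetical module); not Baptswap code.
module example::roles {
    use std::error;
    use std::option::{Self, Option};
    use std::signer;

    const ENOT_ADMIN: u64 = 1;
    const ENOT_AUTHORIZED: u64 = 2;
    const ENOT_NOMINEE: u64 = 3;
    const EOFFER_PENDING: u64 = 4;
    const EBAD_ADDRESS: u64 = 5;

    /// One pending slot per role: an admin nominee can only become admin, a
    /// treasury nominee only treasury, and each slot holds at most one nominee,
    /// so two claimants can never race for the same role.
    struct Roles has key {
        admin: address,
        treasury: address,
        pending_admin: Option<address>,
        pending_treasury: Option<address>,
    }

    fun init_module(deployer: &signer) {
        let addr = signer::address_of(deployer);
        move_to(deployer, Roles {
            admin: addr,
            treasury: addr,
            pending_admin: option::none(),
            pending_treasury: option::none(),
        });
    }

    fun assert_admin(caller: &signer, roles: &Roles) {
        assert!(signer::address_of(caller) == roles.admin, error::permission_denied(ENOT_ADMIN));
    }

    /// Step 1 (current admin): nominate. Refused while an offer is open, so the
    /// admin must cancel explicitly before nominating someone else.
    public entry fun offer_admin(admin: &signer, nominee: address) acquires Roles {
        let roles = borrow_global_mut<Roles>(@example);
        assert_admin(admin, roles);
        assert!(nominee != @0x0 && nominee != roles.admin, error::invalid_argument(EBAD_ADDRESS));
        assert!(option::is_none(&roles.pending_admin), error::already_exists(EOFFER_PENDING));
        roles.pending_admin = option::some(nominee);
    }

    /// Step 2 (nominee): claim. A mistyped nominee cannot produce a signer, so
    /// the role is never lost; it stays with the current admin until cancelled.
    public entry fun claim_admin(nominee: &signer) acquires Roles {
        let roles = borrow_global_mut<Roles>(@example);
        let caller = signer::address_of(nominee);
        assert!(option::contains(&roles.pending_admin, &caller), error::permission_denied(ENOT_NOMINEE));
        roles.admin = caller;
        roles.pending_admin = option::none();
    }

    /// Cancel: only the current admin or the nominee, never an arbitrary caller.
    public entry fun cancel_admin_offer(caller: &signer) acquires Roles {
        let roles = borrow_global_mut<Roles>(@example);
        let addr = signer::address_of(caller);
        assert!(addr == roles.admin || option::contains(&roles.pending_admin, &addr),
            error::permission_denied(ENOT_AUTHORIZED));
        roles.pending_admin = option::none();
    }

    // The treasury role uses the same three steps through its own slot; the
    // admin nominates, only the treasury nominee can claim, and claiming never
    // touches `roles.admin`.
    public entry fun offer_treasury(admin: &signer, nominee: address) acquires Roles {
        let roles = borrow_global_mut<Roles>(@example);
        assert_admin(admin, roles);
        assert!(nominee != @0x0, error::invalid_argument(EBAD_ADDRESS));
        assert!(option::is_none(&roles.pending_treasury), error::already_exists(EOFFER_PENDING));
        roles.pending_treasury = option::some(nominee);
    }

    public entry fun claim_treasury(nominee: &signer) acquires Roles {
        let roles = borrow_global_mut<Roles>(@example);
        let caller = signer::address_of(nominee);
        assert!(option::contains(&roles.pending_treasury, &caller), error::permission_denied(ENOT_NOMINEE));
        roles.treasury = caller;
        roles.pending_treasury = option::none();
    }

    public entry fun cancel_treasury_offer(caller: &signer) acquires Roles {
        let roles = borrow_global_mut<Roles>(@example);
        let addr = signer::address_of(caller);
        assert!(addr == roles.admin || option::contains(&roles.pending_treasury, &addr),
            error::permission_denied(ENOT_AUTHORIZED));
        roles.pending_treasury = option::none();
    }

    #[view] public fun admin(): address acquires Roles { borrow_global<Roles>(@example).admin }
    #[view] public fun treasury(): address acquires Roles { borrow_global<Roles>(@example).treasury }
}
```

The properties to verify in review are that each claim function reads only its own slot and writes only its own role field, that offers cannot be overwritten while pending, and that cancel is gated on the same parties who could have created the offer.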
Set Functions Lack of Access Control
Severity: High
Ecosystem: Aptos
Protocol: Superposition
Auditor: MoveBit
Report: https://movebit.xyz/reports/Superposition-Final-Audit-Report.pdf
Report Date: Mar 2024
Description:
The set_tenant_pause and set_tenant_liquidation_fee_address functions have no access control, so anyone can pause a tenant, set arbitrary values, or redirect the liquidation fee address and collect the associated interest proceeds.
Anyone can reset initial price of pool
Severity: High
Ecosystem: Aptos
Protocol: Cetus Concentrated Liquidity Protocol
Auditor: MoveBit
Report Date: Jan 2023
Description:
reset_init_price is a public function with no caller check, so anyone can reset a pool's initial price.
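The Baptswap fee finding, the Superposition setters and the Cetus reset_init_price finding are complementary: one protocol restricted its setters to a friend module that never exposed them, the other two exposed setters with no restriction at all. The following is an added example, not the code of any of those projects: two hypothetical Aptos Move modules in which the config module keeps its setters public(friend) and the friend (router) module actually exposes each one as an admin-gated entry function, so the router's signer check is the whole access control and cannot be bypassed by calling the config module directly. `@example` is an assumed named address, the admin is assumed to be the deployer, and the fee cap and field names are assumptions.

```move
// Added example (hypothetical modules); not Baptswap, Superposition or Cetus code.
module example::pool_config {
    friend example::router;

    const EBAD_FEE: u64 = 1;
    const EBAD_PRICE: u64 = 2;
    const MAX_FEE_BPS: u64 = 1_000;   // 10%, an assumed upper bound

    struct Config has key {
        dex_liquidity_fee_bps: u64,
        dex_treasury_fee_bps: u64,
        init_price: u128,
        is_paused: bool,
    }

    fun init_module(deployer: &signer) {
        move_to(deployer, Config {
            dex_liquidity_fee_bps: 0,
            dex_treasury_fee_bps: 0,
            init_price: 0,
            is_paused: false,
        });
    }

    // Not `public`: only example::router can reach these. The router must
    // therefore wrap every one of them, or the setting becomes unreachable
    // (the Baptswap fee finding).
    public(friend) fun set_dex_liquidity_fee(fee_bps: u64) acquires Config {
        assert!(fee_bps <= MAX_FEE_BPS, EBAD_FEE);
        borrow_global_mut<Config>(@example).dex_liquidity_fee_bps = fee_bps;
    }

    public(friend) fun set_dex_treasury_fee(fee_bps: u64) acquires Config {
        assert!(fee_bps <= MAX_FEE_BPS, EBAD_FEE);
        borrow_global_mut<Config>(@example).dex_treasury_fee_bps = fee_bps;
    }

    public(friend) fun reset_init_price(price: u128) acquires Config {
        assert!(price > 0, EBAD_PRICE);
        borrow_global_mut<Config>(@example).init_price = price;
    }

    public(friend) fun set_paused(paused: bool) acquires Config {
        borrow_global_mut<Config>(@example).is_paused = paused;
    }

    #[view] public fun dex_liquidity_fee_bps(): u64 acquires Config {
        borrow_global<Config>(@example).dex_liquidity_fee_bps
    }
    #[view] public fun dex_treasury_fee_bps(): u64 acquires Config {
        borrow_global<Config>(@example).dex_treasury_fee_bps
    }
    #[view] public fun init_price(): u128 acquires Config {
        borrow_global<Config>(@example).init_price
    }
    #[view] public fun is_paused(): bool acquires Config {
        borrow_global<Config>(@example).is_paused
    }
}

module example::router {
    use std::error;
    use std::signer;
    use example::pool_config;

    const ENOT_ADMIN: u64 = 1;

    /// Assumed: the admin is the deployer address. A production module would
    /// read the admin from a role resource instead of a constant.
    fun assert_admin(caller: &signer) {
        assert!(signer::address_of(caller) == @example, error::permission_denied(ENOT_ADMIN));
    }

    // One admin-gated entry per friend setter. Dropping any of these wrappers
    // silently makes the corresponding setting immutable.
    public entry fun set_dex_liquidity_fee(admin: &signer, fee_bps: u64) {
        assert_admin(admin);
        pool_config::set_dex_liquidity_fee(fee_bps);
    }

    public entry fun set_dex_treasury_fee(admin: &signer, fee_bps: u64) {
        assert_admin(admin);
        pool_config::set_dex_treasury_fee(fee_bps);
    }

    public entry fun reset_init_price(admin: &signer, price: u128) {
        assert_admin(admin);
        pool_config::reset_init_price(price);
    }

    public entry fun set_paused(admin: &signer, paused: bool) {
        assert_admin(admin);
        pool_config::set_paused(paused);
    }
}
```

A cheap completeness check for this pattern is to diff the list of public(friend) functions in the config module against the entry functions in the friend module; any setter without a wrapper is dead, and any wrapper without a signer check is the Superposition or Cetus finding.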