Medium Findings
Rewarder Emissions On Pool Assets Drain LP Liquidity
Severity: Medium
Ecosystem: Supra Network
Protocol: DexLyn Smart Contract
Auditor: HackenProof Contest SRs
Report: https://hackenproof.com/reports/DEXLYNCA-102
Report Date: Oct 2025
Description:
A malicious rewarder authority can emit rewards denominated in the pool asset and claim them, directly draining LP capital while the accounting invariants mask the shortfall.
Lack of Whitelist Control in Flash Loans
Severity: Medium
Ecosystem: Sui
Protocol: Scallop
Auditor: MoveBit
Report Date: Jun 2023
Description:
The borrow_flash_loan function lacks whitelist control, so any borrower can initiate a flash loan.
Missing Permission Verification in fund function
Severity: Medium
Ecosystem: Sui
Protocol: SuiPad
Auditor: MoveBit
Report Date: Apr 2023
Description:
Anyone can call the fund function and fund the campaign.
Wrong event access permission
Severity: Medium
Ecosystem: Sui
Protocol: Sui AMM Swap
Auditor: MoveBit
Report Date: Nov 2022
Description:
The event emit functions are public and can be called by anyone; a caller could pretend to have successfully called add_liquidity/remove_liquidity/swap, which may cause logic errors in other code.
Direct Invocation Risk in unstake_tokens() and claim_rewards() Functions in stake Module
Severity: Medium
Severity: High
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
It is advisable for these functions to also use friend visibility to control their invocation.
Initialize Function Lacks Privilege Control
Severity: Medium
Ecosystem: Aptos
Protocol: MoveGPT
Auditor: MoveBit
Report: https://movebit.xyz/reports/MoveGPT-Final-Audit-Report.pdf
Report Date: Apr 2024
Description:
The initialize function can be called by any user with arbitrary parameters.
Bad validation condition for function caller
Severity: Medium
Ecosystem: Aptos
Protocol: Aries Market
Auditor: MoveBit
Report Date: Jun 2023
Description:
controller::add_reserve currently asserts the caller must be the @aries address, preventing calls from other addresses set in controller::init. Replace with assert_is_admin(signer::address_of(account)) for proper admin verification.
Function visibility issue
Severity: Medium
Ecosystem: Aptos
Protocol: Transit Finance
Auditor: MoveBit
Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Transit-Finance-Audit-Report.pdf
Report Date: Nov 2022
Description:
emit_event_swap in the aggregator module is public, and anyone can call it.
Deploy contract without multi-sig
Severity: Medium
Ecosystem: Aptos
Protocol: Transit Finance
Auditor: MoveBit
Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Transit-Finance-Audit-Report.pdf
Report Date: Nov 2022
Description:
Deployment does not use a multi-sig contract.
Deploy contract without multi-sig
Severity: Medium
Ecosystem: Aptos
Protocol: Cetus Concentrated Liquidity Protocol
Auditor: MoveBit
Report Date: Jan 2023
Description:
Deployment does not use a multi-sig contract.
Lack of Access Control in Metadata Setters
Severity: Medium
Ecosystem: Sui
Protocol: Recrd
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Apr 2024
Description:
The metadata setter functions lack access control, allowing anyone to invoke them and modify the metadata fields, resulting in unauthorized changes.