Critical Findings
Share Price Manipulation
Severity: Critical
Ecosystem: Sui
Protocol: Bluefin Spot
Auditor: OtterSec
Report: https://www.notion.so/a296e98838aa4fdb8f3b192663400772
Report Date: Nov 2024
Description: The bluefin_vault contract is vulnerable to rounding manipulation attacks due to improper handling of token-to-share conversion rates, allowing exploitation of precision errors in share valuation. Additionally, inconsistent conditions in the shares calculation logic may cause deposits to yield zero shares when vault balances are mismatched, leading to potential fund loss.
Interest Rate Calculation Error
Severity: Critical
Ecosystem: Sui
Protocol: Navi
Auditor: MoveBit
Report Date: Jul 2023
Description: The SECOND_PER_YEAR constant is sometimes incorrectly calculated with milliseconds, resulting in a value 1000 times larger than intended, causing significant interest rate miscalculations.
Numerical Precision Error
Severity: Critical
Ecosystem: Sui
Protocol: Navi
Auditor: MoveBit
Report Date: July 2023
Description: In the repay function, the excess amount after repayment is returned through pool::withdraw, but excess_amount is not converted to decimal precision, causing incorrect amounts to be returned to users.
Flawed Validations Lead To Inaccuracies
Severity: Critical
Ecosystem: Sui
Protocol: Navi
Auditor: OtterSec
Report: https://www.notion.so/a296e98838aa4fdb8f3b192663400772
Report Date: June 2023
Description: In validator.move, validation functions for lending operations use scaled balances (supply and borrow) in conjunction with unscaled amounts, leading to calculation inconsistencies and inaccuracies across multiple functions.
Improper Conversion
Severity: Critical
Ecosystem: Sui
Protocol: Bucket
Auditor: OtterSec
Report: https://www.notion.so/a296e98838aa4fdb8f3b192663400772
Report Date: June 2023
Description: When repay_amount is greater than or equal to Bottle debt, the returned collateral is calculated as 1.1 times the debt amount. However, the debt amount is not adjusted based on the collateral token's decimals during conversion, resulting in improper collateral values (return_sui_amount).
Calculation Formula Error when Adding Liquidity
Severity: Critical
Ecosystem: Sui
Protocol: KriyaDEX
Auditor: MoveBit
Report Date: Apr 2023
Description: In the get_amount_for_add_liquidity function, the formula for obtaining the other token quantity through one token quantity is incorrect, directly affecting the liquidity addition functionality for users.
Incorrect Formula
Severity: Critical
Ecosystem: Sui
Protocol: SuiPad
Auditor: MoveBit
Report Date: Apr 2023
Description: The amount_to_refund calculation should also be divided by DecimalPrecision after being multiplied by it, preventing precision loss in refund amounts.
remove_liquidity does not call update_rewarder
Severity: Critical
Ecosystem: Aptos
Protocol: Cetus Concentrated Liquidity Protocol
Auditor: MoveBit
Report Date: Jan 2023
Description: remove_liquidity does not call update_rewarder, which causes cumulative errors in reward accounting.
Broken Stable Curve Math
Severity: Critical
Ecosystem: Aptos
Protocol: Pontem (Liquidswap)
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Sep 2025
Description: The liquidity_pool::compute_and_verify_lp_value function checks that the LP value is the same before and after a swap. For a stable curve, the LP value before the swap is calculated incorrectly.
Overflow In Calculating Delta B
Severity: Critical
Ecosystem: Sui
Protocol: Cetus
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Jan 2023
Description: The get_delta_b function calculates amount_b for a specified liquidity. However, its implementation assumes that the multiplication of liquidity and sqrt_price_diff yields a value < 2**128, which is not guaranteed to hold.