Medium Findings


Miscalculation Due to Negative Withdrawal Amount

Severity: Medium

Ecosystem: Sui

Protocol: Aftermath

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Jan 2025

Description:

A negative P/L on a short position will cause amount_to_withdraw to be negative.


Risk of Negative Margin Calculation

Severity: Medium

Ecosystem: Sui

Protocol: Aftermath

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Jan 2025

Description:

The calculation may return a negative margin, causing issues in the vault.


Assertion Failure Due to Rounding

Severity: Medium

Ecosystem: Sui

Protocol: Solend Steamm

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Feb 2025

Description:

Due to rounding during the conversion between cTokens and underlying tokens, the product of ctoken_amount and the deployed funds often exceeds the product of the bank's total cTokens and the recalled amount, failing the assertion check and resulting in frequent aborts.


Division by Zero in Committee Selection

Severity: Medium

Ecosystem: Sui

Protocol: Walrus Contracts

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Feb 2025

Description:

In staking_inner::select_committee_and_calculate_votes, a division by zero may occur when calculating capacity_vote if weight is zero, as the calculation of capacity_vote divides the product of node_capacity and the number of shards with weight.


Abort via Large Node Capacity Value

Severity: Medium

Ecosystem: Sui

Protocol: Walrus Contracts

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Feb 2025

Description:

Overflow in the capacity_vote calculation caused by a maliciously set node_capacity.


Utilization of Incorrect Commission Rate

Severity: Medium

Ecosystem: Sui

Protocol: Walrus Contracts

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Feb 2025

Description:

The updated commission rate is intended for future epochs and not for the current epoch. Thus, it will result in an incorrect calculation of the operator’s commission.


Possible Overflow Due to Exceeding the Type Limit

Severity: Medium

Ecosystem: Sui

Protocol: Mysten Republic Security Token

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Apr 2025

Description:

Specifically, when multiplying two large u64 values, such as self.total_funds and snapshot.address_balance(addr), the result may exceed the maximum value for u64, resulting in an overflow.


Fee Accounting Inconsistency

Severity: Medium

Ecosystem: Sui

Protocol: Mysten Deepbook V3

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Apr 2025

Description:

When the user chooses to pay the fee in DEEP, deep_quantity is calculated from fee_quantity. However, if deep_quantity turns out to be 0, the fee may be incorrectly calculated in base or quote instead, resulting in the fee being paid in a way that does not match the user’s intention.


Share Price Inflation

Severity: Medium

Ecosystem: Sui

Protocol: BlueFin

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Feb 2024

Description:

In withdraw_from_vault, when a user withdraws funds, the share count vault.total_shares is appropriately reduced. However, a critical vulnerability arises as no corresponding adjustment occurs to vault_total_balance. Although vault_total_balance is calculated based on the current vault balance, it fails to account for the reduced shares resulting from the withdrawal. Consequently, the share price may experience temporary inflation, given that vault_total_balance remains unchanged despite the reduction in total shares.


Price Manipulation

Severity: Medium

Ecosystem: Sui

Protocol: Aftermath Orderbook

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Feb 2024

Description:

Currently, during the calculation of premium_twap and spread_twap, lip_max_book_index_spread confines the book_price within a range of plus five to negative five percent of the index_price. Nevertheless, it remains possible to influence the time-weighted average price by manipulating the mark_price within the same percentage range of the index_price.


Incorrectly Calculated Reward Period

Severity: Medium

Ecosystem: Sui

Protocol: Turbos

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: May 2024

Description:

total_elapsed_time is skipped if emission = 0.


Missing Tick Step Validation

Severity: Medium

Ecosystem: Sui

Protocol: Turbos

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: May 2024

Description:

Overflow and abort are possible since base_tick_step and limit_tick_step are user-supplied inputs.


Volume Overflow Risk

Severity: Medium

Ecosystem: Sui

Protocol: Mysten Deepbook

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Aug 2024

Description:

Self-trading and flash loans can cause overflow.


Improper Order Quantity Calculation

Severity: Medium

Ecosystem: Sui

Protocol: Mysten Deepbook

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Aug 2024

Description:

get_quantity_out and get_level2_range_and_ticks do not account for the remaining quantity of orders.


BigVector Size Overflow

Severity: Medium

Ecosystem: Sui

Protocol: Mysten Deepbook

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Aug 2024

Description:

This is especially relevant due to the Sui Move runtime’s limitation on maximum object size, which is 256000 bytes. If the leaf objects in the BigVector exceed this limit, the Move runtime will throw an error, preventing the order book from functioning correctly.


Prevention of Pool Closure Due to Rounding

Severity: Medium

Ecosystem: Sui

Protocol: Hop Aggregator

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Oct 2024

Description:

max_amount_in and amount_out round down. The pool could remain in the OPEN state even though it is empty.


Withdrawals from staking pools may result in rounding errors, which results in lost rewards

Severity: Medium

Ecosystem: Sui

Protocol: Mysten Labs Sui

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: May 2023

Description:

Rounding-down issue: if a user attempts to withdraw a small number of tokens, the amount could round down to nothing.


Precision Loss In Redistribution

Severity: Medium

Ecosystem: Sui

Protocol: Bucket

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: June 2023

Description:

Since the accumulators are not factored by some value, directly dividing the collateral and debt amounts with total stake leads to less precise rounded-down values, which the accumulators add and lead to imprecise accumulation.


Improper Tank Value Update

Severity: Medium

Ecosystem: Sui

Protocol: Bucket

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: June 2023

Description:

start_s and start_g are incorrectly updated.


Overflow In Calculation Of Delta A

Severity: Medium

Ecosystem: Aptos

Protocol: Cetus

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Jan 2023

Description:

The numerator value is not validated before running u256::shlw on it. As a result, non-zero bytes might be removed, which leads to an incorrect calculation of the value.


Precision Loss Issue In Weighted Math

Severity: Medium

Ecosystem: Aptos

Protocol: Thala Labs

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Feb 2023

Description:

In the math module, the calculation of the amount taken in during a swap is based on the amount given out, the balances in the pool, and the weights of the assets. calc_in_given_out_internal is responsible for this calculation, which involves using log_exp_math::pow to perform the required exponentiation. log_exp_math::pow used by calc_in_given_out_internal is vulnerable to precision errors, which may return incorrect values. For instance, the function may incorrectly calculate 1.0000000002 ** 1 = 1.0. This precision issue can be exploited in calc_in_given_out_internal, leading to a return value of zero despite a non-zero amount_out value.


Improper Price Deviation Calculation Formula

Severity: Medium

Ecosystem: Aptos

Protocol: Thala Labs

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Feb 2023

Description:

get_price_diff_ is responsible for computing price deviation. However, to calculate the percentage of price deviation, the formula should be (diff(new_price, old_price) / old_price) * 100. The current implementation uses new_price as the denominator if new_price > old_price. Use b (old_price) as the denominator in both cases.


Including Interest In Vault CR Calculation

Severity: Medium

Ecosystem: Aptos

Protocol: Thala Labs

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Feb 2023

Description:

redeem_collateral and liquidate calculate the collateral ratio (CR) for a vault, however CR is calculated without considering the vault.interest, leading to the use of an incorrect CR value in other calculations.


Incorrect Withdraw Fee Calculation On Update

Severity: Medium

Ecosystem: Aptos

Protocol: Steamflow

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Mar 2023

Description:

In protocol::update, the change in the amount_per_period triggers an additional fee calculation using withdrawal_fees based on contract.start. However, using the start time for fee calculation results in the fee being recalculated for the period.


Improper Fee Amount Calculation With Zero Fees

Severity: Medium

Ecosystem: Aptos

Protocol: Steamflow

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Mar 2023

Description:

protocol::fee_amount is used to calculate the fee for a given amount using the input parameter fees as basis points (bps). However, the case of fees == 0 incorrectly returns the total amount as the fee. Instead, the function should check for fees == 10000 to return the total amount as the fee correctly.


Precision Loss Issue In Weighted Math

Severity: Medium

Ecosystem: Aptos

Protocol: Thala

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: May 2023

Description:

log_exp_math::pow used by calc_in_given_out_internal is vulnerable to precision errors, which may return incorrect values.


Improper Price Deviation Calculation Formula

Severity: Medium

Ecosystem: Aptos

Protocol: Thala

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: May 2023

Description:

get_price_diff_ is responsible for computing price deviation. However, to calculate the percentage of price deviation, the formula should be (diff(new_price, old_price) / old_price) * 100. The current implementation uses new_price as the denominator if new_price > old_price. Use b (old_price) as the denominator in both cases.


Including Interest In Vault CR Calculation

Severity: Medium

Ecosystem: Aptos

Protocol: Thala

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: May 2023

Description:

These functions do not account for the updated interest of the vault when calculating the CR. As a result, the CR is calculated without considering the vault.interest, leading to the use of an incorrect CR value in other calculations.


Incorrect Liquidity Calculation

Severity: Medium

Ecosystem: Aptos

Protocol: Aries Markets

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: May 2024

Description:

The issue in get_borrow_rate may result in miscalculated utilization ratios and lower interest rates for borrowers than intended. The function currently calculates total_liquidity by adding the reserve_amount (unborrowed reserve funds) to the sum of total_borrowed and decimal::from_u128(total_cash), which is incorrect. The utilization ratio is calculated by dividing total_borrowed by total_liquidity. With the incorrect calculation, the total_liquidity is overestimated because the reserve_amount is added instead of subtracted, lowering the utilization ratio.


Removal Of Incorrect Debt Shares

Severity: Medium

Ecosystem: Aptos

Protocol: Meso Lending

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: July 2023

Description:

In lending_pool, DUST_THRESHOLD is utilized to completely remove any position with remaining shares less than DUST_THRESHOLD. Consequently, when a user’s remaining debt shares fall below the DUST_THRESHOLD in repay, the function completely removes the user’s debt shares (as shown in the code snippet below). This removal effectively cancels any remaining debt the user has, resulting in a potential giveaway of free money, since the user no longer owes anything even though they might have an outstanding debt.


Interest Accrual Mismatch

Severity: Medium

Ecosystem: Aptos

Protocol: Meso Lending

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: July 2023

Description:

If the user deposits the repayment into a different pool via deposit_internal, interest is not accrued for the repayment pool before the deposit is made, as highlighted in the code below. This results in an inconsistent state because, while the borrowing pool’s state is updated to reflect the most recent accrued interest, the repayment pool’s state may not reflect the most recent accrued interest since accrue_interest is not called for this pool in end_flashloan.


Inconsistency In Debt Repaid And Collateral Seized

Severity: Medium

Ecosystem: Aptos

Protocol: Meso Lending

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: July 2023

Description:

During liquidation, the liquidator specifies the repayment amount to be repaid on behalf of the liquidatee, and a fungible asset of that amount is provided as an argument to repay. repay utilizes calculate_shares to determine the exact number of shares to repay, rounding down in cases of non-perfect division. As a result, the liquidatee’s debt reduction may be less than the original fungible asset amount ( repaid_amount ). However, all subsequent calculations rely on the repaid_amount variable to determine the number of shares transferred from the liquidatee to the liquidator.


Investor Limit Calculation Error

Severity: Medium

Ecosystem: Aptos

Protocol: Aptos Securitize

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Oct 2024

Description:

max_us_investors_percentage is not considered when calculating the U.S. investors' limit. The U.S. investors' limit is intended to restrict the percentage of U.S. investors relative to the total number of investors. Not incorporating max_us_investors_percentage implies that the actual cap on U.S. investors may exceed the intended compliance threshold.


Rounding Error in Delegation Pool

Severity: Medium

Ecosystem: Aptos

Protocol: Kofi Finance Contracts

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: May 2025

Description:

The majority of delegation_pool operations contain small rounding errors that affect delegators. When unlocking stake (undelegating) from a delegation pool, the amount unlocked may be slightly less than the requested amount. Similarly, during staking, users deposit a specific amount of APT in exchange for a calculated number of shares, but due to rounding during the conversion, the actual stake increase may be slightly less than the input amount. For example, a user may delegate x APT, but only x-1 APT is effectively staked.


The Value of 0 for Both States

Severity: Medium

Ecosystem: Sui

Protocol: ABEx Labs

Auditor: MoveBit

Report: https://movebit.xyz/reports/Abex-Smart-Contract-Audit-Report.pdf

Report Date: Aug 2023

Description:

When the result of a calculation is 0, the sign state of the returned sRate may be negative, which allows two representations of 0: positive 0 and negative 0. The same problem exists for add and sub, and the same applies to sdecimal.


Collateral may be insufficient when repaying

Severity: Medium

Ecosystem: Sui

Protocol: Bucket Protocol

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Bucket-Protocol-Smart-Contract-Audit-Report.pdf

Report Date: Jun 2023

Description:

When calling record_repay_capped, the amount of collateral calculated for repayment may exceed collateral_amount. This results in bottle.collateral_amount being less than the returned amount of collateral, return_sui_amount.


Incorrect Data in Event

Severity: Medium

Ecosystem: Sui

Protocol: Turbos Finance-TurboStar

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/TurboStar-Smart-Contract-Audit-Report.pdf

Report Date: May 2023

Description:

Calculation error in the claim function: quantity is always 0.


Calculation Formula Error

Severity: Medium

Ecosystem: Sui

Protocol: Typus Finance

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Typus-Finance-Smart-Contract-Audit-Report.pdf

Report Date: Apr 2023

Description:

delivery_value_per_unit is expressed as delivery_price * o_token precision, divided by the precision of b_token. When L304 calculates delivery_value, the precision of b_token is divided out again, resulting in a logic error.


Timelock overflow in Default Maven struct

Severity: Medium

Ecosystem: Sui

Protocol: MSafe Maven

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Maven-Smart-Contract-Audit-Report.pdf

Report Date: Apr 2023

Description:

If no other operations are created through operation, the time lock = MAX_U64. If a proposal is initiated at this time and approved, calling start_permission_recovery > order_timelock::start_timelock_order > timelock::new will cause an overflow and abort.


Sqrt function precision error

Severity: Medium

Ecosystem: Sui

Protocol: Sui AMM Swap

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Sui-AMM-swap-Contracts-Audit-Report.pdf

Report Date: Nov 2022

Description:

Incorrect calculation in the add_liquidity function. LP tokens should be the square root of the product of the two token amounts, but the current code takes the square root first and then multiplies.


Calculation of reward and point May Be Inaccurate

Severity: Medium

Ecosystem: Sui

Protocol: Cetus Concentrated Liquidity Protocol

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Cetus-Concentrated-Liquidity-Protocol-Sui-Contract-Audit-Report.pdf

Report Date: Mar 2023

Description:

pool::collect_reward, pool::calculate_and_update_rewards, and pool::calculate_and_update_points do not recalculate rewards except in some special cases. This can lead to inaccurate reward and point calculations.


Early withdrawal penalty bypass by chunking withdrawal amount

Severity: Medium

Ecosystem: Aptos

Protocol: Propbase

Auditor: Hacken

Report: https://hacken.io/audits/propbase/sca-propbase-staking-feb2024/

Report Date: Feb 2024

Description:

The Propbase protocol uses the $PROPS token for staking operations. The protocol distributes staking rewards as $PROPS to stakeholders. In addition, the admin of the protocol sets a penalty_rate during pool creation. The penalty rate can be set between 1 and 50. The purpose of this variable is to penalize early withdrawals.

The penalty calculation can be seen below:

let penalty = amount / 100 * stake_pool_config.penalty_rate;

Currently, there is no lower bound for the withdraw amount in the code. Therefore, it is possible to split the total withdraw amount into chunks of 99 in order to bypass this penalty according to the formula above, since integer division is performed before the multiplication:

let penalty = 99 / 100 * stake_pool_config.penalty_rate; // penalty_rate in 0-50, 99 / 100 == 0
penalty = 0;

As a result, it is possible to bypass the early withdrawal penalty due to this precision loss.


Incorrect Fee Calculation in Quoter Function Leads to Underestimated Input Amounts

Severity: Medium

Ecosystem: Sui

Protocol: Magma DEX

Auditor: Three Sigma

Report: https://cdn.sanity.io/files/qoqld077/staging/9566473c444a6cfd99c7a6556fa4857950b41de3.pdf

Report Date: July 2025

Description:

The almm_pair::get_swap_in function serves as a quoter function that calculates the required input amount for a given output amount in the ALMM protocol. This function is critical for frontend applications to provide accurate swap quotes and enable proper slippage calculations. The function iterates through bins to calculate the total input amount needed for a desired output. For each bin, it calculates amount_in_without_fee based on the bin's price and then adds the fee amount. However, the function incorrectly uses fee::get_fee_amount_from instead of fee::get_fee_amount for fee calculations.


Unstaking from LP pools will cause underflow and lock user funds

Severity: Medium

Ecosystem: Initia

Protocol: Cabal Liquid Staking

Auditor: Code4Arena Contest Security Researchers

Report: https://code4rena.com/reports/2025-04-cabal-liquid-staking-token

Report Date: May 2025

Description:

If the last pool is empty or has insufficient funds, an underflow will occur.


The liquidator will incur a loss when performing liquidationCall

Severity: Medium

Ecosystem: Aptos

Protocol: AAVE V3

Auditor: Cantina Contest SRs

Report: https://cantina.xyz/code/ad445d42-9d39-4bcf-becb-0c6c8689b767/findings/192

Report Date: Jun 2025

Description:

According to the Aave documentation, the liquidation_bonus must be above 100%.

However, the current calculations result in values below 100%:

(5 * math_utils::get_percentage_factor()) / 100 // (5 * 10000) / 100 = 500
(85 * math_utils::get_percentage_factor()) / 1000 // (85 * 10000) / 1000 = 850

These values are far below the expected minimum of 10000 (which represents 100%). To be valid, the value must be greater than 10000.


Incorrect Calculation of share_proportion

Severity: Medium

Ecosystem: Aptos

Protocol: Echelon

Auditor: Zellic

Report: https://github.com/Zellic/publications/blob/master/Echelon%20-%20Zellic%20Audit%20Report%20(January).pdf

Report Date: Jan 2025

Description:

asset_amounts * BPS_BASE / deposit_amounts will not properly calculate the percentage of the deposit. Currently, the number of users is divided by the total number of tokens, so the exact ratio is not calculated.


The Operator Can Evade The Fees When Loaning Assets

Severity: Medium

Ecosystem: Aptos

Protocol: Amnis

Auditor: MoveBit

Report: https://movebit.xyz/reports/Amnis-Final-Audit-Report.pdf

Report Date: Mar 2024

Description:

The function pegging.loan_apt() allows the operator to withdraw funds from the protocol, but a certain fee is required when returning the funds. The fee calculation is as follows: math64::mul_div(amount, pegging().loan_fee, BPS_MAX). According to the protocol configuration, loan_fee is 10 and BPS_MAX is 10000. When amount * 10 < 10000, users will not have to pay any fees, so the operator can repeatedly borrow 999 to avoid the fees. It is recommended to set a minimum loan amount or to check whether the fee is 0, in which case borrowing assets should not be allowed.


Rounding Errors Handling Is Not Best Practice

Severity: Medium

Ecosystem: Aptos

Protocol: Superposition

Auditor: MoveBit

Report: https://movebit.xyz/reports/Superposition-Final-Audit-Report.pdf

Report Date: Mar 2024

Description:

In both the borrow and repay functions, rounding is handled by increasing amount by one. However, this brute-force method is not good practice, since it may add an extra rounding step on top of a value that is already rounded up.


Assert condition is not accurate

Severity: Medium

Ecosystem: Aptos

Protocol: Aries Market

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Aries-Market-Contracts-Audit-Report.pdf

Description:

In decimal.move, an assert is provided to prevent overflow, but the conditions are not strict and U64_MAX * U64_MAX does not equal U128_MAX.


Improper Rounding

Severity: Medium

Ecosystem: Sui

Protocol: Cetus DLMM

Auditor: OtterSec

Report: https://drive.google.com/drive/u/0/folders/1d9nv3nJidsbQ0vDT8D1kEuR3rJzK2ULg

Report Date: Nov 2025

Description:

The calculation of delta_liquidity_share in bin::increase_liquidity utilizes floor division, which may round down small values to zero. This implies that users depositing small token amounts may not receive any liquidity shares, effectively losing their deposited funds.


Arithmetic Precision Errors

Severity: Medium

Ecosystem: Binance Smart Chain

Protocol: AquaSwap

Auditor: MoveJay

Report: https://github.com/Jayfromthe13th/AuquaSwap-Audit-/blob/Wallet/Audit%20report.md

Report Date: 2024

Description:

The calculate_protocol_fees function rounds down to zero for small order sizes, allowing users to bypass fees.


Arithmetic Errors – Overflow

Severity: Medium

Ecosystem: Binance Smart Chain

Protocol: AquaSwap

Auditor: MoveJay

Report: https://github.com/Jayfromthe13th/AuquaSwap-Audit-/blob/Wallet/Audit%20report.md

Report Date: 2024

Description:

Susceptibility to overflow errors can cause denial of service in various functions.