Medium Findings


Admin Privilege Abuse (Centralization Risk)

Severity: Medium

Ecosystem: Sui

Protocol: MoviePass Exchange - MSX Smart Contracts

Auditor: Certora

Report: https://github.com/Certora/SecurityReports/blob/main/Reports/2025/03_02_2025_MoviePass_MSX-MR.pdf

Report Date: Feb 2025

Description:

Admin can control any user’s custodial pool, posing a serious risk if the admin account is compromised.


Oracle Centralization Risk

Severity: Medium

Ecosystem: Sui

Protocol: Typus Finance

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Typus-Finance-Smart-Contract-Audit-Report.pdf

Report Date: Apr 2023

Description:

All prices rely on typus_oracle::oracle; if its private key is compromised, attackers could manipulate prices. Mitigation: use a multisig-controlled oracle, verify return values, or integrate a trusted third-party oracle.


Centralization Risk

Severity: Medium

Ecosystem: Sui

Protocol: Navi

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Navi-Smart-Contract-Audit-Report.pdf

Report Date: July 2023

Description:

Multiple admin functions present centralization risk; acknowledged and mitigated by adopting a multi-sig wallet.


Centralization Risk

Severity: Medium

Ecosystem: Sui

Protocol: Aries Market

Auditor: MoveBit

Report:

Report Date: June 2023

Description:

Single immutable admin account poses centralization risk; recommend replacing with a multi-sig account.


Excessive Privilege Concentration

Severity: Medium

Ecosystem: Aptos

Protocol: Yeap Finance

Auditor: SlowMist

Report: https://github.com/slowmist/Knowledge-Base/blob/master/open-report-V2/smart-contract/aptos-smart-contract/yeap-finance%20-%20SlowMist%20Audit%20Report.pdf

Report Date: July 2025

Description:

A single governance entity holds nearly unlimited permissions and can arbitrarily modify key protocol parameters, lacking effective checks and balances.


Excessive Administrator Privileges in update_team_reward Function

Severity: Medium

Ecosystem: Aptos

Protocol: TokimonsterAI

Auditor: ExVul

Report: https://github.com/ExVul-Sec/AuditReport/blob/main/Smartcontract/TokimonsterAI%20Smarat%20Contract%20Audit%20Report-Exvul.pdf

Report Date: May 2025

Description:

The update_team_reward function allows unrestricted admin control to change the team_reward parameter at any time.


Centralization Risk

Severity: Medium

Ecosystem: Aptos

Protocol: Thala Labs Aptos Dollar

Auditor: Zellic

Report: https://github.com/Zellic/publications/blob/master/Thala%20Labs%20Move%20Dollar%20-%20Zellic%20Audit%20Report.pdf

Report Date: Oct 2022

Description:

Protocol managers can control oracle price, initialize vaults and CoinTypes used in protocol, and control the minimum collateralization ratio and redemption fees.


The admin account can freeze any user’s account

Severity: Medium

Ecosystem: Aptos

Protocol: AptoPad

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/AptoPad-Aptos-Contracts-Audit-Report.pdf

Report Date: Feb 2023

Description:

Admin can block withdrawals and transfers of APD coins, granting excessive control and creating a significant centralization risk.