High Findings
Invalid Calculations; Data Consistency
Severity: High
Ecosystem: Sui
Protocol: Volo
Auditor: Hacken
Report: https://hacken.io/audits/volo/sca-volo-liquid-staking-aug2023/
Report Date: Sep 2023
Description:
In the remove_stakes loop, the requested_amount is not updated after each withdrawal, potentially leading to over-withdrawals or inconsistent withdrawal tracking.
Requirements Violation; Data Consistency
Severity: High
Ecosystem: Sui
Protocol: Volo
Auditor: Hacken
Report: https://hacken.io/audits/volo/sca-volo-liquid-staking-aug2023/
Report Date: Sep 2023
Description:
The sort_validators function fails to consistently sort validators by priority. Extremely large priority values are placed at the beginning or middle of the array unpredictably, violating the intended descending order requirement.
Inconsistent Handling of reward_fee
Severity: High
Ecosystem: Sui
Protocol: Volo
Auditor: MoveBit
Report: https://movebit.xyz/reports/Volo-Smart-Contract-Audit-Report.pdf
Report Date: Oct 2023
Description:
In the update_rewards function, the total_rewards set by the set_rewards_unsafe function includes reward_fee, but in line 581 of the unstake_amount_from_validators function sub_rewards_unsafe(self, rewards - reward_fee) subtracts reward_fee.
Inconsistent Deduction Logic in remove_stakes Function
Severity: High
Ecosystem: Sui
Protocol: Volo
Auditor: MoveBit
Report: https://movebit.xyz/reports/Volo-Smart-Contract-Audit-Report.pdf
Report Date: Oct 2023
Description:
In the remove_stakes function, when the condition of L184 is not satisfied, the logic of L188-L191 will be executed. The value of requested_amount should be changed to requested_amount - principal_value. If the value of requested_amount is not updated, the actual amount withdrawn will be greater than requested_amount.
deposit Does Not Update User's Share If He Deposits Multiple Times
Severity: High
Ecosystem: Sui
Protocol: Random-Vault
Auditor: MoveBit
Report: https://movebit.xyz/reports/Random-Vault-Final-Audit-Report.pdf
Report Date: Feb 2024
Description:
When a user deposits multiple times, the contract updates round.total_share but fails to update the individual user’s share, leading to incorrect share accounting and potential loss of rewards.
token.start_p is not updated
Severity: High
Ecosystem: Sui
Protocol: Bucket
Auditor: MoveBit
Report Date: June 2023
Description: After invoking claim_collateral, the start_p value remains unchanged. This can cause subsequent logic errors and inconsistencies in state-dependent calculations.
ReserveData not Updated
Severity: High
Ecosystem: Sui
Protocol: Navi
Auditor: MoveBit
Report Date: July 2023
Description: In the execute_withdraw function, small remaining amounts after withdrawal are sent to the treasury, but the user’s asset data and reserve balance in ReserveData are not updated. This leads to calculation errors and data desynchronization across the protocol.
Position Rewarder Checkpoint is not updated when changing liquidity
Severity: High
Ecosystem: Sui
Protocol: Magma DEX
Auditor: Three Sigma
Report: https://cdn.sanity.io/files/qoqld077/staging/9566473c444a6cfd99c7a6556fa4857950b41de3.pdf
Report Date: July 2025
Description:
When adjusting liquidity (inc/dec), only the global fee growth is checkpointed. However, reward growth from the reward manager is initialized only once at position creation via position_info_load_rewarder_growth_from_bin and never updated afterward, causing incomplete reward accounting.
LP unstaking only burns the shares but leaves the underlying tokens in the system, which distorts the shares-to-tokens ratio and leads to incorrect amounts being calculated during staking and unstaking
Severity: High
Ecosystem: Initia
Protocol: Cabal Liquid Staking
Auditor: Code4Arena Contest Security Researchers
Report: https://code4rena.com/reports/2025-04-cabal-liquid-staking-token
Report Date: May 2025
Description:
When a user unstakes LP tokens, the corresponding shares (Cabal tokens) are burned. However, the actual undelegation from the validator will occur only after a delay of up to 3 days. During this period, the shares are already burned, but the underlying tokens are still included in shares-to-token conversions.