Medium Findings
Attacker Can Desynchronize Supply Snapshot During Same-Block Unstake, Reducing Everyone’s Rewards
Severity: Medium
Ecosystem: Initia
Protocol: Cabal Liquid Staking
Auditor: Code4Arena Contest Security Researchers
Report: https://code4rena.com/reports/2025-04-cabal-liquid-staking-token
Report Date: May 2025
Description:
An attacker holding Cabal LSTs (such as sxINIT) can monitor the mempool for the manager's voting_reward::snapshot() transaction. By submitting their own cabal::initiate_unstake transaction so that it executes in the same block (H) as the manager's snapshot, the attacker exploits two flaws: (1) cabal_token::burn, called by their unstake, does not update the supply snapshot for block H, so the recorded supply stays artificially high (pre-burn); (2) cabal_token::check_snapshot skips recording the attacker's own balance for block H. Later reward calculations therefore use the stale, high supply but retrieve the attacker's now lower (post-burn) balance through fallback logic. This desynchronization makes the total calculated reward shares sum to less than 100%, reducing the rewards paid out to all users for that cycle.
LP Redelegation Uses Inaccurate Internal Tracker Amount, Leading to Potential Failures or Orphaned Funds
Severity: Medium
Ecosystem: Initia
Protocol: Cabal Liquid Staking
Auditor: Code4Arena Contest Security Researchers
Report: https://code4rena.com/reports/2025-04-cabal-liquid-staking-token
Report Date: May 2025
Description:
The redelegate_lp function, called during validator changes for LP pools, uses the internal pool.amount tracker to specify the amount for MsgBeginRedelegate. This tracker can diverge from the actual staked amount because of unreflected rewards or slashing, which can cause the redelegation to fail or leave funds staked with the old validator.
Desynchronization of Cabal’s internal accounting with actual staked INIT amounts leads to over-minting of sxINIT tokens
Severity: Medium
Ecosystem: Initia
Protocol: Cabal Liquid Staking
Auditor: Code4Arena Contest Security Researchers
Report: https://code4rena.com/reports/2025-04-cabal-liquid-staking-token
Report Date: May 2025
Description:
The Cabal Protocol’s implementation of compound_xinit_pool_rewards fails to synchronize the protocol’s internal accounting (m_store.staked_amounts) with the actual amount of INIT tokens staked in the underlying Initia staking system. This creates a vulnerability where external events like slashing penalties or validator-initiated actions that reduce the staked amount are not reflected in Cabal’s internal state.
Loss of funds because address mappings are not cleaned up after domain expiry
Severity: Medium
Ecosystem: Initia
Protocol: Initia Move
Auditor: Code4Arena Contest Security Researchers
Report: https://code4rena.com/reports/2025-01-initia-move
Report Date: Apr 2025
Description:
The register_domain function does not properly clean up the old mappings (name_to_addr and addr_to_name) when a new user registers an expired domain. While it removes the old name_to_token mapping, it leaves the previous user's address mappings in place.
Update magnified_dividends_per_share Values When staked_tokens Reaches Zero
Severity: Medium
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
When pool_info.staked_tokens reaches zero, the protocol fails to update pool_info.magnified_dividends_per_share_x and pool_info.magnified_dividends_per_share_y. This inconsistency results in a mismatch between the current state of pool_info and its initialized state.
Incorrect metadata used for deposit_stkapt function
Severity: Medium
Ecosystem: Aptos
Protocol: KoFi Finance
Auditor: MoveJay
Report: https://github.com/KofiFinance/audits/blob/main/Kofi%20Finance%20-%20Zenith%20Audit%20Report.pdf
Report Date: Mar 2025
Description:
In the deposit_stkapt function, the code incorrectly uses kAPT_coin::metadata() instead of stkAPT_coin::metadata() when creating or accessing the fungible store for stkAPT tokens. The function is supposed to deposit stkAPT tokens but uses the kAPT metadata to identify the store, and this mismatch between token type and metadata will cause deposits to fail.