High Findings


NFT Token ID contains forbidden character by design which prevents any domain from being issued at all

Severity: High

Ecosystem: Initia

Protocol: Initia Move

Auditor: Code4rena Contest Security Researchers

Report: https://code4rena.com/reports/2025-01-initia-move

Report Date: Apr 2025

Description:

The usernames module lets a buyer register a domain through the register_domain function. On registration, an NFT is minted to the buyer with a Token ID in the format domain:timestamp. The ':' character, however, is forbidden by the underlying nft.move module, which is also why the module's original unit tests fail. In its current state the protocol is therefore unusable: no NFT can be minted, so no domain can be claimed. This amounts to a permanent DoS of the feature.
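The failure mode above, modelled as an added example. This is not code from the Initia Move repository or from the Code4rena report: it is a small Python model of the register_domain -> mint path in which the minting step enforces a character whitelist on the Token ID. The whitelist, the length limit, and the function names nft_mint_check, token_id_original, token_id_fixed, register_domain and can_register are assumptions made for illustration; the only fact taken from the finding is that ':' is rejected. The point it shows is that an ID format chosen in one module must be validated against the constraints of the module that consumes it, and that a test which exercises the real mint path (rather than a mocked one) catches the mismatch before deployment.

```python
"""Model of the register_domain -> NFT mint path from the finding.

Added example, not the project's own code. The whitelist and length limit are
assumptions; the finding only establishes that ':' is forbidden by nft.move.
"""
import string

# Assumed whitelist: ':' is outside it (per the finding); everything else here
# is an assumption for the example and may differ from the real nft.move rules.
ALLOWED_TOKEN_ID_CHARS = frozenset(string.ascii_letters + string.digits + "-_.")
MAX_TOKEN_ID_LEN = 128  # assumed limit


class InvalidTokenId(ValueError):
    """Raised by the (modelled) NFT module when a Token ID is rejected."""


def nft_mint_check(token_id: str) -> None:
    """Models the validation the underlying NFT module runs at mint time."""
    if not token_id or len(token_id) > MAX_TOKEN_ID_LEN:
        raise InvalidTokenId(f"bad token id length: {len(token_id)}")
    forbidden = sorted({c for c in token_id if c not in ALLOWED_TOKEN_ID_CHARS})
    if forbidden:
        raise InvalidTokenId(f"forbidden characters {forbidden!r} in {token_id!r}")


def token_id_original(domain: str, timestamp: int) -> str:
    """The format described in the finding: domain:timestamp. ':' is forbidden
    downstream, so every mint built from this format is rejected."""
    return f"{domain}:{timestamp}"


def token_id_fixed(domain: str, timestamp: int) -> str:
    """Hypothetical fix: same information, separator drawn from the whitelist.
    The domain itself is still subject to the mint-time check, so a domain that
    carries a forbidden character is still (correctly) rejected."""
    return f"{domain}-{timestamp}"


def register_domain(domain: str, timestamp: int, make_id) -> str:
    """Models register_domain: build the Token ID, then run the real mint-time
    check instead of assuming the format is acceptable. Returns the minted id."""
    token_id = make_id(domain, timestamp)
    nft_mint_check(token_id)  # the step the original format can never pass
    return token_id


def can_register(domain: str, timestamp: int, make_id) -> bool:
    """True if registration would succeed end to end with the given id format."""
    try:
        register_domain(domain, timestamp, make_id)
    except InvalidTokenId:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs.
    for make_id in (token_id_original, token_id_fixed):
        ok = can_register("alice", 1700000000, make_id)
        print(f"{make_id.__name__}: {'minted' if ok else 'rejected'}")
```

The test a project would want is the end-to-end one in can_register: it calls the same validation the mint path calls, so a separator that the NFT module refuses surfaces as a failing test rather than as an unusable protocol after deployment.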


Excessive rewards allocations leads to DoS

Severity: High

Ecosystem: Aptos

Protocol: PancakeSwap

Auditor: Zellic

Report: https://github.com/Zellic/publications/blob/master/PancakeSwap%20Aptos%20-%20Zellic%20Audit%20Report.pdf

Report Date: Nov 2022

Description:

Under certain conditions users are left with no way to recover their stake other than calling emergency_withdraw, which forfeits their accrued rewards.