Medium Findings
DoS Due to Surpassing of Event Limit
Severity: Medium
Ecosystem: Sui
Protocol: Aftermath
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Jan 2025
Description:
The max_num_event_emit limit restricts how many events may be emitted at a time. A vault owner may intentionally place multiple pending orders across various clearing houses, thereby accumulating a large number of events to be processed. If the number of events exceeds 1024, it will block the force withdrawal process.
Denial of Service via Mint Limit Exhaustion
Severity: Medium
Ecosystem: Sui
Protocol: Lombard
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Feb 2025
Description:
Swapping a small amount of wrapped token for native tokens multiple times can cause a DoS.
DoS due to Excessive Gas Consumption
Severity: Medium
Ecosystem: Sui
Protocol: Lombard
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Feb 2025
Description:
A large number of small orders pushing computation past max_computation_budget blocks legitimate orders.
DoS due to Excessive Gas Consumption
Severity: Medium
Ecosystem: Sui
Protocol: Mysten Deepbook
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Aug 2024
Description:
A large number of small orders pushing computation past max_computation_budget blocks legitimate orders.
The owner of kiosk may block the user’s funds by calling set_allow_extension
Severity: Medium
Ecosystem: Sui
Protocol: Mysten Labs Sui
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: May 2023
Description:
The current implementation may disallow the use of this function by calling set_allow_extensions with allow_extensions set to false. This may result in the locking of users’ funds that were transferred to the extension.
Denial Of Service & Inefficient Gas Model
Severity: Medium
Ecosystem: Sui
Protocol: Volo
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date:
Description:
native_pool can introduce a large number of validators with no upper limit, causing other functions such as sort to iterate over a large list of validators.
Unrestricted Validator Registration May Lead To DoS
Severity: Medium
Ecosystem: Aptos
Protocol: Ditto
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2022
Description:
Validators can join the Ditto protocol by invoking ditto_staking::add_validator. When the validator whitelist is disabled, there are no restrictions on validator entry. Each new validator occupies space in the ValidatorState table and ValidatorLockupBuffer stored on the @ditto_staking account. Many of the computations that interact with validator state run linear time algorithms over these structures and therefore require gas usage roughly linear to the number of validators. A malicious user could register a large number of fake validators in order to increase the usage of the associated validator tables and therefore increase the computation requirement on all subsequent instructions. In the worst case, a malicious user may be able to register enough validators to hit the computation limit and therefore prevent the protocol from operating entirely.
Potential DOS in delegation_service Pool
Severity: Medium
Ecosystem: Aptos
Protocol: Tortuga
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2022
Description:
In delegation_service, there is a hard limit on the number of direct delegators a pool can have: MAX_NUMBER_OF_DELEGATIONS (currently 100). A malicious user could fill the delegator list with fake delegators, staking small amounts in order to prevent real delegators from staking. In conjunction with OS-TOR-ADV-00, an attacker could bypass the min_delegation_amount and leave dust amounts in the pool, effectively making this attack free.
Lame Coin DOS
Severity: Medium
Ecosystem: Aptos
Protocol: Laminar Markets
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2022
Description:
In the stake::register_staking_account function, a duplicate call occurs when a new user tries to register a Lame coin. This would fail in the second register call (duplicated call), as the coin is already registered under the user in the first register call. This would cause a Denial of Service, as the new user will not be able to create a staking account.
Reverse Iterator DOS
Severity: Medium
Ecosystem: Aptos
Protocol: Laminar Markets
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2022
Description:
In the splay_tree::prev_node_idx function, the iterator traverses down to the left only when the left node is not the sentinel. In the other cases, the check was made on the left node but matched against the right node. This fails if the right node is the sentinel. An improper iterator renders the order book inoperable, as these iterators are used across the order book to traverse and match orders.
Remove Job DOS
Severity: Medium
Ecosystem: Aptos
Protocol: Switchboard
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Nov 2022
Description:
The function aggregator::remove_job silently skips execution when the supplied job address doesn’t exist in aggregator_job_data. This should abort, because when aggregator_remove_job_action::actuate calls this function and it skips execution, the subsequent call still decrements job_ref_count. The job_ref_count tracks the number of references a job has: it increases when a job is added and decreases when one is removed. The function should abort if the supplied job doesn’t exist.
DOS While Removing Shares From Reserve
Severity: Medium
Ecosystem: Aptos
Protocol: Aries Markets
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Nov 2022
Description:
In profile.move, the try_subtract_profile_reward_share function checks whether the profile has a farm for that specific reserve type while subtracting shares from a profile farm. If a farm doesn’t exist, the reward for that reserve is created after the profile is created, so the function skips the subtraction of shares. This case is not handled while subtracting shares from the reserve farm in the reserve::try_remove_reserve_reward_share function. This leads to the subtraction of shares that were previously absent in the reserve.
Denial Of Service In Withdraw And Cancel
Severity: Medium
Ecosystem: Aptos
Protocol: Steamflow
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Mar 2023
Description:
In the protocol, withdraw and cancel require transferring contract coins (X) to the recipient. If the recipient is not registered for the contract coin (X) and transfers are disabled, the amount becomes locked in the protocol. This may occur if the recipient’s address is lost or if the recipient’s address input is incorrect.
Denial Of Service While Vesting
Severity: Medium
Ecosystem: Aptos
Protocol: Thala
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: May 2023
Description:
start_vesting in thl_vesting/farming_vesting.move initiates vesting when called by a user to begin vesting. It uses a smart table on vesting.claims to store the claims of the users. The length of the vesting.claims smart table is the claim ID for the current vesting. Claiming a claim removes the entry at the claim ID from the smart table, resulting in a decrease in the length of the smart table. Consequently, attempting to add a new claim causes a denial of service issue.
Potential Denial Of Service In Pool
Severity: Medium
Ecosystem: Aptos
Protocol: Tortuga
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: June 2023
Description:
In delegation_service, there is a hard limit on the number of direct delegators a pool may have: MAX_NUMBER_OF_DELEGATIONS, which currently equals 100. A malicious user may fill the delegator list with fake delegators, staking small amounts to prevent real delegators from staking. In conjunction with OS-TOR-PRO-01, an attacker may bypass the min_delegation_amount and leave dust amounts in the pool, effectively making the exploit free.
DOS Due to Blocking of Primary Store Creation
Severity: Medium
Ecosystem: Aptos
Protocol: Echelon
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Apr 2025
Description:
The vulnerability relates to the creation of a primary fungible asset store in new_reward_fa in the lending core (shown below) and isolated core farming modules. new_reward_fa tries to create a primary store for the asset at the package address using create_primary_store, which does not check whether a store already exists at the address before creating a new one.
Thus, primary_fungible_store::create_primary_store aborts if a primary store already exists at the address. As anyone may create a primary store at any address since it is permissionless, it enables an attacker to create a primary store for an asset at the package address. This action will block any subsequent attempts to add that address as a farming reward in both lending_core and isolated_lending farms.
Risk of Self-Dos
Severity: Medium
Ecosystem: Sui
Protocol: Volo
Auditor: MoveBit
Report: https://movebit.xyz/reports/Volo-Smart-Contract-Audit-Report.pdf
Report Date: Sep 2023
Description:
In line 199 of the remove_stakes function, the case where staked_sui_mut_ref - requested_amount is less than 1 Sui must be handled; otherwise it causes a self-DoS.
Option params in CLI
Severity: Medium
Ecosystem: Sui
Protocol: Legend of Arcadia
Auditor: MoveBit
Report Date: Jun 2023
Description:
burn_request and update_metadata_request have Option-typed parameters. If these parameters cannot be passed via the CLI, users cannot call these functions, causing a DoS on them.
DoS on Failed Transfer Operations on the Same Object
Severity: Medium
Ecosystem: Sui
Protocol: MSafe Maven
Auditor: MoveBit
Report Date: Apr 2023
Description:
Multiple transfer requests on the same object cause a DoS: the first transfer succeeds, and the other requests fail when execute_object_operation is called.
DoS from Privileged User where Permission has Single Signer Settings
Severity: Medium
Ecosystem: Sui
Protocol: MSafe Maven
Auditor: MoveBit
Report Date: Apr 2023
Description:
If the proposer and approver are in the same role, the role has only one signer with the authority to vote on the proposal. This causes the execution queue to be blocked, resulting in a DoS.
claim Function May Cause DOS Problems
Severity: Medium
Ecosystem: Aptos
Protocol: MoveGPT
Auditor: MoveBit
Report: https://movebit.xyz/reports/MoveGPT-Final-Audit-Report.pdf
Report Date: Apr 2024
Description:
In the claim function, when lock_amount equals round_config.balances, all the coins in round_config.balances are extracted. However, the computed lock_amount may be less than round_config.balances, in which case the function always fails when it reaches the else branch that extracts lock_amount from balances.
Reentrancy Check in lock_staking::reentry_check Causes Concurrent INIT Deposit Failures (DOS)
Severity: Medium
Ecosystem: Initia
Protocol: Cabal Liquid Staking
Auditor: Code4Arena Contest Security Researchers
Report: https://code4rena.com/reports/2025-04-cabal-liquid-staking-token
Report Date: May 2025
Description:
The liquid staking protocol’s deposit_init_for_xinit function, which allows users to deposit INIT tokens to receive xINIT, is vulnerable to transaction failures when multiple users deposit concurrently in the same block. The function withdraws INIT tokens and delegates them to a validator via pool_router::add_stake, which triggers lock_staking::delegate. This, in turn, invokes reentry_check to prevent multiple delegations in the same block.
If a second user attempts to deposit in the same block as another, their transaction fails with error code 196618 (EREENTER), as reentry_check detects that the StakingAccount was already modified in the current block. This vulnerability disrupts users’ ability to participate in the protocol, particularly during periods of high transaction activity.
Unstaking calculates user share at request time, ignoring slashing — leading to DoS and unfair distribution
Severity: Medium
Ecosystem: Initia
Protocol: Cabal Liquid Staking
Auditor: Code4Arena Contest Security Researchers
Report: https://code4rena.com/reports/2025-04-cabal-liquid-staking-token
Report Date: May 2025
Description:
Users can stake both INIT and LP tokens into different validator pools by calling functions like deposit_init_for_xinit or stake_asset. To exit, users initiate an unstake via initiate_unstake, which starts an unbonding period. After this delay, they can claim their tokens through claim_unbonded_assets.
Behind the scenes, these staked assets are delegated to validators, and slashing may occur—meaning a portion of the delegated tokens could be penalized (burned). To stay accurate, the protocol uses pool_router::get_real_total_stakes to track the current delegated amount. However, the current unstaking flow doesn’t properly account for slashing events that may occur during the unbonding period.
DoS due to Unbounded Rewards Map
Severity: Medium
Ecosystem: Aptos
Protocol: AAVE v3.1-3.3 Core
Auditor: OtterSec
Report Date: Aug 2025
Description:
The rewards_controller logic utilizes a SimpleMap to store users_data for each reward distribution. SimpleMap is implemented as a vector of key-value pairs, which implies that every insertion or lookup requires linear-time scanning of the vector. As this structure grows, its performance degrades, and operations that iterate over it may run out of gas. Specifically, in this case, every user is expected to maintain an entry in the map. As a result, the map is expected to grow indefinitely.
Since this is permissionless, a malicious actor may create many such entries by interacting with the pool repeatedly. Consequently, if the vector grows excessively, handle_action may start failing due to out-of-gas issues, as gas utilization for common operations such as mint, burn, supply, or liquidate may exceed the transaction limit, resulting in a denial-of-service scenario.