Medium Findings
Duplicate-order DoS via front-running deterministic order_id
Severity: Medium
Ecosystem: Sui
Protocol: Garden Move
Auditor: Zellic
Report Date: May 2025
Description:
order_id is publicly visible, and initiate_on_behalf lets anyone set order_id without verifying initiator ownership. An attacker who observes a pending order can front-run it with a copy of the transaction (e.g., with amount = 1) that consumes the same order_id, so the legitimate request fails with a DuplicateOrder error.
Front-Running Pair/Market Creation
Severity: Medium
Ecosystem: Aptos
Protocol: Echelon
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Apr 2025
Description:
create_pair_with_jump_model in isolated_lending is responsible for creating a new lending pair with a jump interest rate model. However, it is vulnerable to front-running: an attacker may observe a pending pair creation and preemptively register their Aptos account at the to-be-created pair's address before the pair is fully initialized. Similarly, in lending_core, create_market_with_jump_model_v2 may be front-run with a call that registers an Aptos account at the address at which the market is going to be created, resulting in a denial-of-service scenario.