Medium Findings
Dutch Gas Optimization
Severity: Medium
Ecosystem: Sui
Protocol: Typus Finance
Auditor: MoveBit
Report Date: Apr 2023
Description:
Recommended to merge coins together, then transfer to fee_pool_address.
Gas Optimization
Severity: Medium
Ecosystem: Sui
Protocol: Cetus Concentrated Liquidity Protocol
Auditor: MoveBit
Report Date: Mar 2023
Description:
A while loop in position::is_empty can return false when the amount_owned of one of the vector elements is not 0. In addition, in the return value && expression, there is no check of position_info.points_owned==0. Suggestion: Return false when the amount_owned of one of the vector elements is not 0.
Momentum safe deployment is vulnerable to max_gas attacks
Severity: Medium
Ecosystem: Aptos
Protocol: Momentum Safe
Auditor: Zellic
Report: https://github.com/Zellic/publications/blob/master/MSafe%20-%20Zellic%20Audit%20Report.pdf
Report Date: Sep 2022
Description:
simple_map::borrow() uses a binary search algorithm that creates an opportunity for max_gas attacks.
Transactions can be blocked from max_gas attacks
Severity: Medium
Ecosystem: Aptos
Protocol: Momentum Safe
Auditor: Zellic
Report: https://github.com/Zellic/publications/blob/master/MSafe%20-%20Zellic%20Audit%20Report.pdf
Report Date: Sep 2022
Description:
Same underlying issue as above. An attacker could stuff the txn_book.pendings to the point where the compute costs of simple_map::borrow() exceed max_gas.
Distribution mechanism for liquidation rewards susceptible to max_gas
Severity: Medium
Ecosystem: Aptos
Protocol: Thala Labs Move Dollar
Auditor: Zellic
Report Date: Oct 2022
Description:
Attacker could flood StabilityPool.deposits iterable table with accounts with zero APD deposited. This could lead to max_gas and the inabilty for stability pool depositors to be rewarded for risks taken in supporting the stability pool.
Low collateral positions can lead to max_gas
Severity: Medium
Ecosystem: Aptos
Protocol: Thala Labs Move Dollar
Auditor: Zellic
Report Date: Oct 2022
Description:
An attacker could open many vaults with low collateral, setting the borrow amount to barely reach minimum collateralization rate. These positions would be placed near end of sorting vaults where collateral redemption begins and could lead to max_gas in vault::redeem_collateral, affecting the abiulity of users to exchange APD for collateral.
Accumulation of vaults can lead to max_gas via insertion algorithm
Severity: Medium
Ecosystem: Aptos
Protocol: Thala Labs Move Dollar
Auditor: Zellic
Report Date: Oct 2022
Description:
No controls to prevent 0 collateral vaults from being made nor to remove them. Attacker could flood system with zero-collateral vaults using vault::open_vault or this could naturally occur depending on number of users in protocol with zero-collateral vaults that are never removed.
Some assertions can be optimized
Severity: Medium
Ecosystem: Aptos
Protocol: Cetus Concentrated Liquidity Protocol
Auditor: MoveBit
Report Date: Jan 2023
Description:
Many assertions are not placed at the beginning of functions. It is recommended so they can fail fast and save gas.
utils::str optimization
Severity: Medium
Ecosystem: Aptos
Protocol: Cetus Concentrated Liquidity Protocol
Auditor: MoveBit
Report Date: Jan 2023
Description:
utils::str currently uses a pre-defined map to convert a u8 to a char and inserts char into the index 0 of the string, very inefficient.
Position recalculation optimization
Severity: Medium
Ecosystem: Aptos
Protocol: Cetus Concentrated Liquidity Protocol
Auditor: MoveBit
Report Date: Jan 2023
Description:
In collect_fee and collect_rewarder functions in pool module, there are duplicated codes to get the pool and position. The reason is get_position_tick_range can not borrow the Pool resource after the pool variable keeps a mutable reference to the Pool resource. This is a limitation of Move language to ensure security. We can solve this by introducing a helper function which uses a &Pool parameter to get the position tick range.
Sequential Search Leads To Gas Griefing
Severity: Medium
Ecosystem: Aptos
Protocol: MSafe
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2033
Description:
When confirming a Momentum Safe registration, the address is removed from the pending vector of the owner’s OwnerMomentumSafes using a linear search. As anyone can register Momentum Safes for the owner, this causes the pending vector to grow. Note that an attacker can register a Momentum Safe in O(1) time, but all future operations will cost O(n) for the victim. This asymptotic difference makes it a viable gas-griefing attack vector.