Critical Findings
Tolerance Check Bypass on Forced Withdrawal
Severity: Critical
Ecosystem: Sui
Protocol: Aftermath Market Making
Auditor: OtterSec
Report: https://www.notion.so/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Jan 2025
Description: A malicious user may intentionally set min_expected_balance_out to an unrealistically high value that the vault cannot satisfy, effectively locking the withdrawal session. The user can then trigger a forced withdrawal, bypassing default constraints on withdrawal processing and resulting in vault losses. The forced withdrawal also triggers market orders on all positions.
Absence of Generics Checking
Severity: Critical
Ecosystem: Binance Smart Chain
Protocol: AquaSwap
Auditor: MoveJay
Report: https://github.com/Jayfromthe13th/AuquaSwap-Audit-/blob/Wallet/Audit%20report.md
Report Date: July 2024
Description: The revoke_trade<BaseTokenType> function does not assert that the inputted generic type matches the base_type TypeInfo stored on the Trade resource. An attacker could drain liquidity from the AMM by placing a limit trade order, canceling it, and passing an incorrect token type.
Signature Length Validation
Severity: Critical
Ecosystem: Sui
Protocol: Bluefin
Auditor: OtterSec
Report: https://www.notion.so/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Feb 2024
Description: Extra bytes in signature_bytes can alter the computed hash, leading to incorrect digest values and potentially causing incorrect validation if rewards have been previously claimed.
Missing UID Validation
Severity: Critical
Ecosystem: Sui
Protocol: Bluefin
Auditor: OtterSec
Report: https://www.notion.so/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Feb 2024
Description: Missing validation of UIDs allows attackers to use invalid or forged BankV2 objects, potentially minting shares at a lower price, resulting in a loss of funds.
Loss of Coin
Severity: Critical
Ecosystem: Sui
Protocol: Cetus
Auditor: OtterSec
Report: https://www.notion.so/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: May 2024
Description: The limit_order::repay_flash_loan function lacks a check to verify that the order_id in the receipt matches the ID of the limit order. An attacker can manipulate the order_id, resulting in loss of coins.
Loss Of Funds In Lending
Severity: Critical
Ecosystem: Sui
Protocol: Navi
Auditor: OtterSec
Report: https://www.notion.so/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: June 2023
Description: All functions in lending.move lack validation on the Coin Type, allowing attackers to use incorrect coin types and causing loss of funds through incorrect asset calculations.
Bid with Zero Input Causing DOS
Severity: Critical
Ecosystem: Sui
Protocol: MoviePass Exchange
Auditor: Certora
Report: https://github.com/Certora/SecurityReports/blob/main/Reports/2025/03_02_2025_MoviePass_MSX-MR.pdf
Report Date: Feb 2025
Description: A bid with a 0-value input can cause the entire dispersal phase to fail if the split(0) operation reverts. A single 0-value bid entering the disperse function can cause a denial-of-service by failing all subsequent withdrawals.
Missing Asset-Type Validation in repay_add_liquidity Allows Wrong Token Repayment
Severity: Critical
Ecosystem: Sui
Protocol: Dexlyn
Auditor: HackenProof
Report: https://hackenproof.com/audit-programs/dexlyn-smart-contract-audit-contest?tab=reports
Report Date: Sep 2025
Description: The repay_add_liquidity function accepts repayment with arbitrary fungible assets without verifying they are the pool's configured tokens. This allows attackers to provide wrong tokens and still satisfy liquidity repayment, corrupting pool reserves.
repay_flash_swap accepts arbitrary token types, enabling theft of pool assets
Severity: Critical
Ecosystem: Sui
Protocol: Dexlyn
Auditor: HackenProof
Report: https://hackenproof.com/audit-programs/dexlyn-smart-contract-audit-contest?tab=reports
Report Date: Sep 2025
Description: The repay_flash_swap function lacks token type validation, allowing the pool to accept repayment with arbitrary token types and enabling theft of real assets from the pool.
Unchecked reward asset during reward claim allows withdrawing the wrong token from pool reserves
Severity: Critical
Ecosystem: Sui
Protocol: Dexlyn
Auditor: HackenProof
Report: https://hackenproof.com/audit-programs/dexlyn-smart-contract-audit-contest?tab=reports
Report Date: Sep 2025
Description: The reward-claim function trusts a user-supplied asset_addr when transferring owed rewards instead of enforcing the configured rewarder asset for the given rewarder_index. An LP with accrued rewards can claim in asset A or B (or any fungible asset the pool holds), draining pool reserves by up to the owed amount per claim.
Lack of Validation for target_amount and tokens_to_sell in create_campaign
Severity: Critical
Ecosystem: Sui
Protocol: SuiPad
Auditor: MoveBit
Report Date: Apr 2023
Description: Missing validation for target_amount and tokens_to_sell can lead to 0 values due to precision issues, causing failure to claim tokens or locking assets indefinitely.
Function can't be called
Severity: Critical
Ecosystem: Sui
Protocol: SuiPad
Auditor: MoveBit
Report Date: Apr 2023
Description: The claim_refund function cannot be called because the parameter Vault<TI, TR> cannot be passed, preventing users from retrieving their tokens.
Function Parameter Error
Severity: Critical
Ecosystem: Sui
Protocol: Cetus Concentrated
Auditor: MoveBit
Report Date: Mar 2023
Description: The cross_by_swap function parameters are passed in the wrong order, causing the swap result to be calculated incorrectly.
Missing Type Check While Placing Order
Severity: Critical
Ecosystem: Aptos
Protocol: Econia
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Dec 2022
Description: In the functions market::place_market_order and market::place_limit_order, there is no type verification against the original market types when placing an order. Usually, the market should only allow orders of the same type, but this check was not enforced while placing an order. This would allow attackers to use incorrect coin types against the market, transferring coins of an incorrect type.