Medium Findings
Lack of Validation for Price Value in get_price function
Severity: Medium
Ecosystem: Sui
Protocol: Scallop
Auditor: MoveBit
Report Date: June 2023
Description:
Missing 0 check can lead to incorrect calculations and impact other functions.
Parameter Check for Creating Dutch
Severity: Medium
Ecosystem: Sui
Protocol: Typus Finance
Auditor: MoveBit
Report Date: Apr 2023
Description:
Parameters like decay_speed should not be zero, and time-related values must be logically consistent (e.g., start_ms < end_time_ms and end_time_ms should be greater than the current time).
Can Create Pools With Same Type
Severity: Medium
Ecosystem: Sui
Protocol: MovEx
Auditor: MoveBit
Report Date: Apr 2023
Description:
create_pool function doesn't check if pool type was already created which will lead to duplicate pools. Depth of each pool is not large enough and will cause slippage.
Create Pools with same Coin Type
Severity: Medium
Ecosystem: Sui
Protocol: MovEx
Auditor: MoveBit
Report Date: Apr 2023
Description:
You can create a pool with two of the same token.
Multiple related functions do not limit the empty Vector
Severity: Medium
Ecosystem: Sui
Protocol: Sui AMM swap
Auditor: MoveBit
Report Date: Nov 2022
Description:
The functions multi_add_liquidity, multi_remove_liquidity, and multi_swap first use the pop_back function for coins_in and lp_coin in the code to pop up the last element of the vector, but this does not judge that the length of the vector is 0.
Lack of Input Validation
Severity: Medium
Ecosystem: Sui
Protocol: Aries Market
Auditor: MoveBit
Report Date: Jun 2023
Description:
reserve_ratio is not checked to ensure it is not greater than 100 when updating reserve_config.
The addition of reserve is missing validation
Severity: Medium
Ecosystem: Sui
Protocol: Aries Market
Auditor: MoveBit
Report Date: Jun 2023
Description:
add_reserve lacks input validation — should include an assertion to prevent adding the same coin to the reserve. The client acknowledged this but deemed it a non-issue.
Validation is Required Before Deleting reserve_addr
Severity: Medium
Ecosystem: Sui
Protocol: Aries Market
Auditor: MoveBit
Report Date: Jun 2023
Description:
Check if reserve_addr exists, then proceed with delete.
ID occupied causes program termination
Severity: Medium
Ecosystem: Sui
Protocol: Mango
Auditor: ExVul
Report Date: July 2025
Description:
The new_bridge_pair funciton in config.move does not strictly enforce the relationship between the provided id and the internal pair_id counter.
strategy_type missing check
Severity: Medium
Ecosystem: Aptos
Protocol: Mole
Auditor: MoveBit
Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Mole-Aptos-Audit-Report.pdf
Report Date: Feb 2023
Description:
add_collateral and work functions both use strategy_type parameter to execute different logic. However, add_collateral lacks a check of strategy_type.
current_time not checked
Severity: Medium
Ecosystem: Aptos
Protocol: Cetus Concentrated Liquidity Protocol
Auditor: MoveBit
Report Date: Jan 2023
Description:
In get_ref_fee_rate, current_time does not check it is the current time.
Missing tick in range check
Severity: Medium
Ecosystem: Aptos
Protocol: Cetus Concentrated Liquidity Protocol
Auditor: MoveBit
Report Date: Jan 2023
Description:
get_sqrt_price_at_tick function does not check if tick is in range, some ticks out of range pass.
Create pool with two same CoinTypes
Severity: Medium
Ecosystem: Aptos
Protocol: Cetus Concentrated Liquidity Protocol
Auditor: MoveBit
Report Date: Jan 2023
Description:
A pool can be created between CoinA and CoinA, which is redundant.
Missing Check for Sequence Number
Severity: Medium
Ecosystem: Sui
Protocol: Walrus Contracts
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Feb 2025
Description:
While there is validation for the blob ID, there is no validation for the ending checkpoint sequence number. As a result, the value provided by a quorum-reaching node gets recorded in the state. If an incorrect number is entered, it causes a mismatch between the event blob being processed by the node and the on-chain tracking.
Exceeding Object Size Limit
Severity: Medium
Ecosystem: Sui
Protocol: Walrus Contracts
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Feb 2025
Description:
In staking_pool, if the StorageNodeInfo.{name,network_address} field is set to an excessively long value by the node owner, it may contribute significantly to the total size of the StakingPool object. This may restrict the addition of new values to pending_shares_withdraw, thereby blocking stakers from making withdrawals.
Missing Commission Rate Check
Severity: Medium
Ecosystem: Sui
Protocol: Walrus Contracts
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Feb 2025
Description:
There is no check to ensure that the commission rate is less than or equal to 10000, an ENotEnough error may occur in staking_pool::advance_epoch when the node becomes part of the committee.
Duplicate Entries
Severity: Medium
Ecosystem: Sui
Protocol: Drife Technologies
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Dec 2023
Description:
register_rider and register_driver allows the creation of multiple rider or driver objects with the same address, resulting in duplicate entries. Both register_rider and register_driver create a new rider or driver objects without checking whether an object with the same address already exists, resulting in multiple objects with the same address.
Signature Forgery
Severity: Medium
Ecosystem: Sui
Protocol: Drife Technologies
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Dec 2023
Description:
In the context of the drife_app::request_ride, the signature includes a parameter city: String after the address to allow the user to set the city name. However, this string may become any value, even to the operation name. Attacker can forge signature by manipulating this field.
Missing TransactionPayload Type Validation
Severity: Medium
Ecosystem: Aptos
Protocol: MSafe
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2022
Description:
The TransactionPayload struct contains the payload and its type. Aptos supports payloads of type: • WriteSet • Scripts • ModuleBundle • EntryFunction
The payload in theTransactionPayloadstruct can be any transaction type, not justEntryFunction. This assumption should be validated. For example, many internal functions such as register payload validation assume the layout of the TransactionPayload is a EntryFunction.
Missing Chain ID Validation
Severity: Medium
Ecosystem: Aptos
Protocol: MSafe
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2022
Description:
Transactions can be replayed from one chain to another if this field isn’t properly validated. In the context of a multisig, the transaction can be added but will fail at execution. Nonetheless, this represents a potential UX risk and is worth remediating. Validate chain_id in the validate_txn_payload function.
Lack Of Check For Forbidden IDs
Severity: Medium
Ecosystem: Sui
Protocol: Maven
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Apr 2023
Description:
Update admin policy could be set to forbidden ID, ensure check beforehand.
Users may set a TTL value that does not follow the maximum TTL limit
Severity: Medium
Ecosystem: Sui
Protocol: Mysten Labs Sui
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: May 2023
Description:
Users may assign invalid TTL values to their domain names, enforce limit.