Medium Findings
Inability to Initialize Objects
Severity: Medium
Ecosystem: Sui
Protocol: Drife Technologies
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Dec 2023
Description:
Because stop objects cannot be properly initialized, users cannot specify stop details when requesting a ride. This compromises the user experience and the system's flexibility, since ride requests cannot carry the stops the user wants.
Incomplete Function About Protocol Fee
Severity: Medium
Ecosystem: Sui
Protocol: Haedal
Auditor: MoveBit
Report: https://movebit.xyz/reports/Haedal-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
The contract has no function for collecting protocol fees, so accrued protocol fees cannot be withdrawn.
Lack of a Method to Add Referrals in the Market
Severity: Medium
Ecosystem: Sui
Protocol: ABEx Labs
Auditor: MoveBit
Report: https://movebit.xyz/reports/Abex-Smart-Contract-Audit-Report.pdf
Report Date: Aug 2023
Description:
Users can obtain rebates, but there is no way to add rebate (referral) users.
Unable to Remove Strategies
Severity: Medium
Ecosystem: Sui
Protocol: Kuna Labs Yield Optimizer Smart Contract
Auditor: MoveBit
Report: https://movebit.xyz/reports/Yield-Optimizer-Final-Audit-Report.pdf
Report Date: Nov 2023
Description:
The remove_strategy function is not used in the scallop_whusdce module, so strategies added to the vault cannot be removed.
Module Lacks Interface For Upgrades
Severity: Medium
Ecosystem: Sui
Protocol: Fluidity
Auditor: MoveBit
Report: https://movebit.xyz/reports/Fluidity-Final-Audit-Report.pdf
Report Date: Feb 2024
Description:
The module calls a third-party contract interface but has no upgrade interface of its own, so it may become impossible to adapt the module when the third-party interface function changes.
Missing Function to Remove Users from Whitelist
Severity: Medium
Ecosystem: Sui
Protocol: Turbos Finance-TurboStar
Auditor: MoveBit
Report Date: May 2023
Description:
There is a function to add users to the whitelist, but none to remove them.
Add an interface to modify the controller of the multi-signature account
Severity: Medium
Ecosystem: Sui
Protocol: Sui AMM Swap
Auditor: MoveBit
Report Date: Nov 2022
Description:
There is no interface to change the controller of the multi-signature account.
Removal of Accrual Functions Before Protocol Changes Leading to Interest Distortion
Severity: Medium
Ecosystem: Initia
Protocol: Echelon Market
Auditor: Quantstamp
Report Date: Mar 2025
Description:
The following functions accrued interest before changing protocol parameters, which ensured that all interest up to the point of the change was accumulated under the previous configuration:
set_interest_fee_bps()
set_pair_jump_interest_rate_model()
Removing the accrual calls distorts interest: interest that is pending at the time of the change would be computed with the new values, which can cause sudden, unexpectedly high or low interest changes.
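The accrue-before-update ordering the finding describes, as an added example in Move. This is not Echelon Market's code: the module name, the Pair fields, the signer-based admin check and the linear interest model are assumptions, and the real jump-rate model is replaced by a single borrow rate setter for brevity.

```move
// Added example, not Echelon Market's code. Module, fields, admin check and the
// linear interest model are assumptions made for illustration.
module example::lending_pair {
    use std::signer;

    const BPS: u64 = 10_000;
    const SECONDS_PER_YEAR: u64 = 31_536_000;

    const ENotAdmin: u64 = 0;
    const EInvalidFee: u64 = 1;

    struct Pair has key {
        admin: address,
        total_borrows: u64,      // principal plus interest accrued so far
        protocol_reserve: u64,   // fee share carved out of accrued interest
        borrow_rate_bps: u64,    // annual borrow rate in basis points (assumed model)
        interest_fee_bps: u64,   // protocol's cut of interest in basis points
        last_accrual_ts: u64,    // unix seconds of the last accrual
    }

    /// Bring the pair up to `now` using the parameters that were in force over
    /// [last_accrual_ts, now). Afterwards there is no pending interest, so a
    /// parameter change can only affect the future.
    public fun accrue_interest(pair: &mut Pair, now: u64) {
        let elapsed = now - pair.last_accrual_ts;
        if (elapsed == 0) { return };
        // u128 intermediate so principal * rate * elapsed cannot overflow u64.
        let interest_u128 = (pair.total_borrows as u128) * (pair.borrow_rate_bps as u128) * (elapsed as u128)
            / ((BPS as u128) * (SECONDS_PER_YEAR as u128));
        let interest = (interest_u128 as u64);
        let fee = interest * pair.interest_fee_bps / BPS;
        pair.total_borrows = pair.total_borrows + interest;
        pair.protocol_reserve = pair.protocol_reserve + fee;
        pair.last_accrual_ts = now;
    }

    /// Correct ordering: settle the old interval first, then switch the fee.
    /// Dropping the accrue call would bill the whole pending interval at the new fee.
    public fun set_interest_fee_bps(admin: &signer, pair: &mut Pair, now: u64, new_fee_bps: u64) {
        assert!(signer::address_of(admin) == pair.admin, ENotAdmin);
        assert!(new_fee_bps <= BPS, EInvalidFee);
        accrue_interest(pair, now);
        pair.interest_fee_bps = new_fee_bps;
    }

    /// Same rule for the rate model (a single rate here stands in for the jump model).
    public fun set_borrow_rate_bps(admin: &signer, pair: &mut Pair, now: u64, new_rate_bps: u64) {
        assert!(signer::address_of(admin) == pair.admin, ENotAdmin);
        accrue_interest(pair, now);
        pair.borrow_rate_bps = new_rate_bps;
    }
}
```

To see the distortion with these assumed numbers: a pair with total_borrows of 1,000,000, a 10% borrow rate (1000 bps) and a 10% fee (1000 bps) earns 100,000 of interest over a year, of which 10,000 goes to the reserve. If the fee is raised to 5000 bps after that year without the accrual call and accrue_interest runs later, the reserve takes 50,000 of interest that was earned entirely under the 10% fee; with the call in place, the old fee applies to the old interval and the new fee only to what accrues afterwards.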
Missing Pause Control Functions in ALMM Pair Module Leads to Non-Functional Emergency Controls
Severity: Medium
Ecosystem: Sui
Protocol: MagmaDEX
Auditor: Three Sigma
Report: https://cdn.sanity.io/files/qoqld077/staging/9566473c444a6cfd99c7a6556fa4857950b41de3.pdf
Report Date: July 2025
Description:
The magma_almm::almm_pair module has a broken pause mechanism. The AlmmPair struct includes a pause field that is initialized to false during pair creation, and critical functions such as collect_fees, stake_in_magma_distribution and collect_reward check this state with assert!(!self.pause, ErrPaused). However, there are no functions that actually pause or unpause the pair, so the check can never fail and the emergency control is inoperative.
Missing update_position_fees in burn function
Severity: Medium
Ecosystem: Sui
Protocol: MagmaDEX
Auditor: Three Sigma
Report: https://cdn.sanity.io/files/qoqld077/staging/9566473c444a6cfd99c7a6556fa4857950b41de3.pdf
Report Date: July 2025
Description:
Whenever a position's liquidity changes, by adding or removing tokens, update_position_fees is called first so that the position is credited with the fees it earned over the elapsed period before its liquidity is changed. This call is present in every function that changes a position's liquidity, including burn_position, raise_position_by_amounts_internal and shrink_position, but it is missing from burn, the function used to partially burn a position.
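One way to make this class of omission impossible, as an added example in Sui Move that is not MagmaDEX's code: route every liquidity change, including the partial burn, through one internal function that performs the fee settlement first. The module and function names, the Q64.64 fee-growth accounting and the fact that the caller supplies fee_growth_inside (a real CLMM reads it from the pool's tick state) are assumptions.

```move
// Added example, not MagmaDEX's code. Names, the Q64.64 accounting and the
// caller-supplied fee_growth_inside are assumptions made for illustration.
module example::position {
    const EInsufficientLiquidity: u64 = 0;

    public struct Position has key, store {
        id: UID,
        liquidity: u128,
        /// Pool fee growth per unit of liquidity (Q64.64) at the last settlement.
        fee_growth_inside_last: u128,
        /// Fees credited to this position but not yet withdrawn.
        tokens_owed: u64,
    }

    /// Credit the fees earned by the CURRENT liquidity since the last checkpoint.
    /// Must run before `liquidity` changes; otherwise growth since the checkpoint
    /// is later multiplied by the new liquidity, over- or under-paying the owner.
    fun update_position_fees(pos: &mut Position, fee_growth_inside: u128) {
        // Real implementations use wrapping subtraction here; kept plain for clarity.
        let growth = fee_growth_inside - pos.fee_growth_inside_last;
        let earned_u256 = ((pos.liquidity as u256) * (growth as u256)) >> 64;
        pos.tokens_owed = pos.tokens_owed + (earned_u256 as u64);
        pos.fee_growth_inside_last = fee_growth_inside;
    }

    /// Single choke point for liquidity changes. Because raise, shrink, burn and
    /// burn_position all go through here, no path can skip the settlement.
    fun modify_liquidity(pos: &mut Position, fee_growth_inside: u128, delta: u128, add: bool) {
        update_position_fees(pos, fee_growth_inside);
        if (add) {
            pos.liquidity = pos.liquidity + delta;
        } else {
            assert!(delta <= pos.liquidity, EInsufficientLiquidity);
            pos.liquidity = pos.liquidity - delta;
        };
    }

    public fun raise_position(pos: &mut Position, fee_growth_inside: u128, delta: u128) {
        modify_liquidity(pos, fee_growth_inside, delta, true)
    }

    public fun shrink_position(pos: &mut Position, fee_growth_inside: u128, delta: u128) {
        modify_liquidity(pos, fee_growth_inside, delta, false)
    }

    /// Partial burn, the path the finding reports as missing the settlement.
    /// Expressed as a shrink so it inherits the update_position_fees call.
    public fun burn(pos: &mut Position, fee_growth_inside: u128, amount: u128) {
        modify_liquidity(pos, fee_growth_inside, amount, false)
    }

    /// Full burn: settle, remove all liquidity, destroy the object, return fees owed.
    public fun burn_position(pos: Position, fee_growth_inside: u128): u64 {
        let mut pos = pos;
        let all = pos.liquidity;
        modify_liquidity(&mut pos, fee_growth_inside, all, false);
        let Position { id, liquidity: _, fee_growth_inside_last: _, tokens_owed } = pos;
        id.delete();
        tokens_owed
    }
}
```

The point of the design is that the invariant "fees are settled before liquidity moves" lives in exactly one place; a reviewer checking burn only has to confirm it calls modify_liquidity, not that it repeats the settlement correctly.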
Tokens cannot be withdrawn from admin_controlled_ecosystem_reserve.move
Severity: Medium
Ecosystem: Aptos
Protocol: AAVE v3.0.2 Periphery
Auditor: Spearbit
Report Date: June 2025
Description:
The fungible_assets store is never written to, so transfer_out() has nothing to move and does nothing.
Incentives cannot be configured
Severity: Medium
Ecosystem: Aptos
Protocol: AAVE v3.0.2 Periphery
Auditor: Spearbit
Report Date: June 2025
Description:
rewards_controller.move contains no function that constructs RewardsConfigInput, so emissions_manager::configure_assets() cannot be executed.
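The Move rule behind this finding and the Drife "Inability to Initialize Objects" finding above is the same: a struct can only be packed (constructed) by the module that declares it, so a type without a public constructor can never be created by callers. The following added example, which is not AAVE's or Drife's code, shows the missing constructor and a consuming module that builds the input through it; the module names, fields and the validation are assumptions.

```move
// Added example, not AAVE's or Drife's code. Module names, fields and the
// validation rule are assumptions made for illustration.
module example::rewards_controller {
    const EInvalidWindow: u64 = 0;

    /// Fields are private to this module: only code here can pack or unpack
    /// the struct. Without a public constructor, no caller can ever produce one.
    struct RewardsConfigInput has copy, drop, store {
        asset: address,
        reward: address,
        emission_per_second: u64,
        distribution_end: u64,
    }

    /// The missing piece: a public constructor. Keeping it in the declaring
    /// module also lets that module enforce invariants on every value created.
    public fun new_config_input(
        asset: address,
        reward: address,
        emission_per_second: u64,
        distribution_end: u64,
        now: u64,
    ): RewardsConfigInput {
        assert!(distribution_end > now, EInvalidWindow);
        RewardsConfigInput { asset, reward, emission_per_second, distribution_end }
    }

    // Read accessors, since other modules cannot touch the fields directly.
    public fun asset(c: &RewardsConfigInput): address { c.asset }
    public fun reward(c: &RewardsConfigInput): address { c.reward }
    public fun emission_per_second(c: &RewardsConfigInput): u64 { c.emission_per_second }
    public fun distribution_end(c: &RewardsConfigInput): u64 { c.distribution_end }
}

module example::emissions_manager {
    use example::rewards_controller::{Self, RewardsConfigInput};

    /// Builds the inputs through the constructor. Writing
    /// `RewardsConfigInput { asset, ... }` in this module would not compile,
    /// which is why configure_assets could not be executed without one.
    public fun configure_assets(
        asset: address,
        reward: address,
        emission_per_second: u64,
        distribution_end: u64,
        now: u64,
    ): vector<RewardsConfigInput> {
        let cfg = rewards_controller::new_config_input(asset, reward, emission_per_second, distribution_end, now);
        vector[cfg]
    }
}
```

The same pattern fixes the Drife case: the module that declares the stop object must export a public function that creates it, otherwise ride requests have no way to obtain a stop value.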
pausable and current_pause_start Parameters cannot be Modified
Severity: Medium
Ecosystem: Aptos
Protocol: StreamFlow
Auditor: MoveBit
Report: https://movebit.xyz/reports/StreamFlow2-Final-Audit-Report.pdf
Report Date: Mar 2024
Description:
The create function initializes the pausable and current_pause_start parameters, but the contract contains no implementation of a pause method, so these parameters can never be modified after creation.
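A working pause switch, as an added example in Sui Move that covers both this StreamFlow finding and the MagmaDEX "Missing Pause Control Functions" finding above: it keeps the guard the audited modules already had and adds the capability-gated pause and unpause entry points they lacked, recording the pause start time the way StreamFlow's current_pause_start field intends. This is not MagmaDEX's or StreamFlow's code; the module, struct, capability, event and error names are assumptions.

```move
// Added example, not MagmaDEX's or StreamFlow's code. Module, struct, capability,
// event and error names are assumptions made for illustration.
module example::pausable_pair {
    use sui::clock::Clock;
    use sui::event;

    const EPaused: u64 = 0;
    const ENotPaused: u64 = 1;
    const EAlreadyPaused: u64 = 2;

    /// Authorization for pause/unpause. Minted once in `init` and sent to the
    /// publisher; a transaction that cannot present it cannot flip the switch.
    public struct AdminCap has key, store { id: UID }

    public struct Pair has key {
        id: UID,
        pause: bool,
        /// Timestamp (ms) at which the current pause began; 0 while running.
        current_pause_start: u64,
        fees_pending: u64,
    }

    public struct PauseChanged has copy, drop { pair: ID, paused: bool, at_ms: u64 }

    fun init(ctx: &mut TxContext) {
        transfer::transfer(AdminCap { id: object::new(ctx) }, ctx.sender());
    }

    public fun create_pair(ctx: &mut TxContext) {
        transfer::share_object(Pair {
            id: object::new(ctx),
            pause: false,
            current_pause_start: 0,
            fees_pending: 0,
        });
    }

    /// The guard the audited modules already had. Without `pause` below it can
    /// never fire, so every emergency control built on it is dead code.
    fun assert_not_paused(self: &Pair) {
        assert!(!self.pause, EPaused);
    }

    /// Admin-only: flip the switch and record when. Refusing a double pause
    /// keeps current_pause_start pointing at the start of the current outage.
    public fun pause(_: &AdminCap, self: &mut Pair, clock: &Clock) {
        assert!(!self.pause, EAlreadyPaused);
        self.pause = true;
        self.current_pause_start = clock.timestamp_ms();
        event::emit(PauseChanged { pair: object::id(self), paused: true, at_ms: self.current_pause_start });
    }

    public fun unpause(_: &AdminCap, self: &mut Pair, clock: &Clock) {
        assert!(self.pause, ENotPaused);
        self.pause = false;
        self.current_pause_start = 0;
        event::emit(PauseChanged { pair: object::id(self), paused: false, at_ms: clock.timestamp_ms() });
    }

    /// Representative user-facing function: callable only while running.
    public fun collect_fees(self: &mut Pair): u64 {
        assert_not_paused(self);
        let out = self.fees_pending;
        self.fees_pending = 0;
        out
    }
}
```

The capability object is the whole access-control story: pause and unpause take an &AdminCap, so the only way to call them is to own that object, and the event gives operators and indexers a record of when the pair went down and came back.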