High Findings


Oracle Lacks Update Cycle Verification

Severity: High

Ecosystem: Sui

Protocol: Navi

Auditor: MoveBit

Report: Navi Smart Contract Audit Report (MoveBit)

Report Date: July 2023

Description:

The oracle mechanism lacks verification of the update cycle. Specifically, there is no maximum interval period enforced when obtaining prices, allowing outdated price data to persist in the system. This can result in stale price feeds and inaccurate valuations.

Recommendation:

Implement a maximum time interval check for oracle updates and require regular price refreshes to ensure price data remains current.


Oracle Confidence Checks

Severity: High

Ecosystem: OL Network

Protocol: StakeSphere

Auditor: MoveJay

Report: https://github.com/Jayfromthe13th/StakeSphere-stealth-/blob/Wallet/Audit.md

Report Date: Feb 2025

Description:

High oracle confidence values indicate disagreement among price providers about the actual price. For instance, Pyth reports a confidence interval that reflects how far the 25th and 75th percentiles of the publishers' prices lie from the median (aggregate) price.

Recommendation:

Check the confidence values reported by oracles before using their prices.


Potential risk of manipulation of Hyperion LP positions

Severity: High

Ecosystem: Aptos

Protocol: Yeap Finance

Auditor: SlowMist

Report: https://github.com/slowmist/Knowledge-Base/blob/master/open-report-V2/smart-contract/aptos-smart-contract/yeap-finance%20-%20SlowMist%20Audit%20Report.pdf

Report Date: July 2025

Description:

In the health_check module, get_amount_by_liquidity must use the pool’s real-time price; otherwise, attackers can manipulate token amounts by performing large swaps within the same transaction.


Domain pricing relies on pool price, which can be manipulated

Severity: High

Ecosystem: Initia

Protocol: Initia Move

Auditor: Code4rena Contest SRs

Report: https://code4rena.com/reports/2025-01-initia-move

Report Date: Apr 2025

Description:

Payment for domains (registration, extensions) relies on the direct spot price from the Dex module, which is derived from the pool reserves. This price can be manipulated with a flash loan or a large deposit, resulting in an attacker buying a domain at a lower price or in other users overpaying for their domains. Calculating a price directly from a liquidity pool's reserves is a well-known insecure pattern.