Medium Findings
Third-party Dependency
Severity: Medium
Ecosystem: Sui
Protocol: Aries Market
Auditor: MoveBit
Report Date: June 2023
Description:
The protocol relies on third-party components it does not control; PriceOracle, for example, is external code whose correctness and availability are a third-party risk to the protocol.
Missing Validation While Updating Oracle Price
Severity: Medium
Ecosystem: Sui
Protocol: Aries Market
Auditor: MoveBit
Report Date: June 2023
Description:
The price update path lacks a check preventing the oracle price from being set to zero; an assertion enforcing price > 0 should be added.
Potential flaws in pyth price acquisition
Severity: Medium
Ecosystem: Aptos
Protocol: Yeap Finance
Auditor: SlowMist
Report Date: July 2025
Description:
Pyth is a “pull oracle”: a price reaches the chain only when some user submits an update. If no user actively pulls and posts a fresh price, the on-chain price can remain un-updated for extended periods, rendering the protocol’s Pyth price source stale or unavailable.
Unconditional timestamp update in update_references allows volatility fee manipulation
Severity: Medium
Ecosystem: Sui
Protocol: Magma DEX
Auditor: Three Sigma
Report: https://cdn.sanity.io/files/qoqld077/staging/9566473c444a6cfd99c7a6556fa4857950b41de3.pdf
Report Date: July 2025
Description:
The almm_pair::update_references function manages the volatility-based fee parameters of the ALMM protocol. It updates the volatility reference and the index reference based on the time elapsed since the last update, which directly affects the variable fee charged on swaps. The flaw is that time_of_last_update is written unconditionally, even when the elapsed time was too short for the volatility parameters to be processed. An attacker who interacts with the pair at intervals shorter than that threshold therefore keeps resetting the clock, so the elapsed-time condition is never met and the volatility reference never decays as intended, which lets the attacker manipulate the fee mechanism.
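The following is an added model of the behaviour described in this finding, written in Rust for illustration; it is not the almm_pair Move code. Field names (filter_period, decay_period, reduction_factor, volatility_accumulator, volatility_reference, index_reference, time_of_last_update) follow the Liquidity Book convention and the numeric parameters are assumed. The same function is run with the flawed unconditional stamp and with the remediation of stamping the time only when the references were actually processed, and a dust-swap loop shows that only the flawed version lets an attacker freeze the volatility reference.

```rust
pub const BASIS_POINTS: u64 = 10_000;

/// Volatility state of one pair. Names follow the Liquidity Book convention
/// the finding refers to; the concrete values used below are assumed.
#[derive(Debug, Clone)]
pub struct VolatilityParams {
    pub filter_period: u64,    // seconds that must elapse before references are reprocessed
    pub decay_period: u64,     // after this much idle time the reference resets to zero
    pub reduction_factor: u64, // fraction (in bps) of the accumulator kept on each decay
    pub volatility_accumulator: u64,
    pub volatility_reference: u64,
    pub index_reference: u64,
    pub time_of_last_update: u64,
}

/// Update the references. With `stamp_unconditionally == true` the clock is reset on
/// every call (the flaw in the finding); with `false` it is reset only when the
/// references were actually processed, so short-interval calls cannot push the
/// threshold out indefinitely.
pub fn update_references(p: &mut VolatilityParams, now: u64, active_id: u64, stamp_unconditionally: bool) {
    let dt = now.saturating_sub(p.time_of_last_update);
    let processed = dt >= p.filter_period;
    if processed {
        p.index_reference = active_id;
        p.volatility_reference = if dt < p.decay_period {
            p.volatility_accumulator * p.reduction_factor / BASIS_POINTS
        } else {
            0
        };
    }
    if stamp_unconditionally || processed {
        p.time_of_last_update = now;
    }
}

/// Accumulator feeding the variable fee: reference plus bins crossed since the index reference.
pub fn update_volatility_accumulator(p: &mut VolatilityParams, active_id: u64) {
    let bins_crossed = active_id.abs_diff(p.index_reference);
    p.volatility_accumulator = p.volatility_reference + bins_crossed * BASIS_POINTS;
}

/// Drive a pair with a dust swap every `interval` seconds for `total` seconds while the
/// active bin does not move (constructed scenario); returns the final volatility reference.
pub fn simulate(interval: u64, total: u64, stamp_unconditionally: bool) -> u64 {
    let mut p = VolatilityParams {
        filter_period: 30,
        decay_period: 600,
        reduction_factor: 5_000, // keep 50% on each decay step
        volatility_accumulator: 40_000,
        volatility_reference: 40_000, // elevated after a burst of real volatility
        index_reference: 100,
        time_of_last_update: 0,
    };
    let mut t = 0;
    while t < total {
        t += interval;
        update_references(&mut p, t, 100, stamp_unconditionally);
        update_volatility_accumulator(&mut p, 100);
    }
    p.volatility_reference
}

fn main() {
    println!("flawed, dust swap every 10 s for 10 min: reference = {}", simulate(10, 600, true));
    println!("fixed,  dust swap every 10 s for 10 min: reference = {}", simulate(10, 600, false));
    println!("either, swap every 60 s for 10 min:      reference = {}", simulate(60, 600, true));
}
```

With the unconditional stamp, swaps every 10 s keep dt at 10 s, the 30 s filter period is never reached and the reference stays at 40_000 for the whole run; with the fix, dt is measured from the last processed update, so the reference halves every 30 s and reaches zero within the decay window. Calls spaced at or beyond the filter period behave identically in both versions, which is why the flaw is only visible under an attacker's high-frequency interaction.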
Failure to Check for Stale Price Oracle
Severity: Medium
Ecosystem: Aptos
Protocol: AAVE v3.1-3.3 Core
Auditor: OtterSec
Report Date: Aug 2025
Description:
get_asset_price_internal does not validate the freshness of the data it retrieves from the price feeds.
Missing check stale price from Chainlink
Severity: Medium
Ecosystem: Aptos
Protocol: AAVE V3
Auditor: Cantina Contest SRs
Report: https://cantina.xyz/code/ad445d42-9d39-4bcf-becb-0c6c8689b767/findings/237
Report Date: June 2025
Description:
In AAVE's oracle module, the underlying asset's price is fetched from the oracle feed when no custom price is set.
The price is fetched via the interface chainlink::get_benchmark_value(benchmark). According to the Chainlink Aptos documentation, the benchmark exposes both the price and the timestamp associated with it.
The problem is that the timestamp is not fetched from the benchmark, so the Chainlink price is never checked for staleness. If something goes wrong on the Chainlink side and the price is not updated for a while, a stale price may be used, causing borrows and liquidations to be executed against an incorrect underlying price.
Missing oracle stale price check
Severity: Medium
Ecosystem: Aptos
Protocol: Thala Labs Aptos Dollar
Auditor: Zellic
Report Date: Feb 2023
Description:
The oracle records no timestamps and performs no stale-price checks. The project has since switched to a tiered oracle framework, which requires a separate review.
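The freshness check these findings ask for (the Yeap Finance pull-oracle issue, the AAVE get_asset_price_internal and Chainlink benchmark findings, and this Thala finding), modeled in Rust as an added example rather than any of those projects' Move code. The FeedReading type, the 60 s tolerance and the 5 s clock skew are assumptions; the tiered selection mirrors the "first fresh source wins, otherwise abort" behaviour a tiered oracle framework needs, and a missing reading (`None`) models a pull oracle whose on-chain price was never posted.

```rust
/// One on-chain reading from a feed: the value and the time it was published.
/// Constructed for this example; a real feed type would carry more fields.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct FeedReading {
    pub price: u64,
    pub publish_time: u64, // unix seconds, as reported by the feed
}

#[derive(Debug, PartialEq, Eq)]
pub enum FreshnessError {
    /// Reading is older than the protocol's tolerance.
    Stale { age: u64, max_age: u64 },
    /// Reading claims a publish time further ahead of the chain clock than the allowed skew.
    FromTheFuture { ahead: u64 },
    /// No source had a usable reading; the caller must abort, never fall back to a default.
    NoFreshSource,
}

/// Accept a reading only if it was published within `max_age` seconds of `now`.
/// A small forward skew (`max_skew`) is tolerated because feed and chain clocks differ.
pub fn check_fresh(r: &FeedReading, now: u64, max_age: u64, max_skew: u64) -> Result<u64, FreshnessError> {
    if r.publish_time > now {
        let ahead = r.publish_time - now;
        if ahead > max_skew {
            return Err(FreshnessError::FromTheFuture { ahead });
        }
        return Ok(r.price);
    }
    let age = now - r.publish_time;
    if age > max_age {
        return Err(FreshnessError::Stale { age, max_age });
    }
    Ok(r.price)
}

/// Tiered selection over sources in priority order. The first fresh reading wins and
/// its index is returned; if every source is missing or stale the call fails closed.
pub fn select_price(
    sources: &[Option<FeedReading>],
    now: u64,
    max_age: u64,
    max_skew: u64,
) -> Result<(usize, u64), FreshnessError> {
    for (i, src) in sources.iter().enumerate() {
        if let Some(reading) = src {
            if let Ok(price) = check_fresh(reading, now, max_age, max_skew) {
                return Ok((i, price));
            }
        }
    }
    Err(FreshnessError::NoFreshSource)
}

fn main() {
    // Constructed sample: chain clock at 1_700_000_100, 60 s tolerance, 5 s skew.
    let now = 1_700_000_100;
    let pyth = Some(FeedReading { price: 6_000_000, publish_time: 1_700_000_000 }); // 100 s old: stale
    let switchboard = Some(FeedReading { price: 6_001_000, publish_time: 1_700_000_090 }); // 10 s old
    let chainlink: Option<FeedReading> = None; // price object never written on-chain
    println!("{:?}", select_price(&[pyth, switchboard, chainlink], now, 60, 5));
}
```

The point of returning an error rather than the last known value is that a lending market must refuse to borrow or liquidate on a stale price; a fallback to the previous price silently reintroduces the finding.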
Missing Check for Negative in get_switchboard_price() Function
Severity: Medium
Ecosystem: Aptos
Protocol: Merkle Trade Smart Contract
Auditor: MoveBit
Report: https://movebit.xyz/reports/Merkle-Trade-Smart-Contract-Audit-Report.pdf
Report Date: July 2023
Description:
The function get_switchboard_price() retrieves the price and the round-confirmed timestamp from Switchboard. It is advised to add a check that the negative flag is not set. A set negative flag implies a problem with the price received from the oracle, for example an expired or erroneous price, and using it could lead to further issues.
Oracle max_deviation cannot be updated
Severity: Medium
Ecosystem: Aptos
Protocol: Aries Market
Auditor: MoveBit
Report Date: Feb 2023
Description:
Oracle max_deviation cannot be updated through set_pyth_oracle or set_switchboard_oracle; the only way to change it is to unset the oracle and set it again.
Oracle Confidence Checks
Severity: Medium
Ecosystem: Aptos
Protocol: Argo
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2022
Description:
High oracle confidence values indicate that providers disagree on the actual price. Pyth, for example, represents confidence as the distance between the 25th/75th percentiles and the median price. In that case it is safer to reject the value than to use a potentially inaccurate one.
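Value-level sanity checks covering this finding together with the Aries zero-price finding and the Merkle Trade negative-flag finding, as an added Rust example (not the Argo, Aries or Merkle Move code). The PythPrice and SwitchboardDecimal structs mirror the shape of those feeds' outputs (signed mantissa with confidence and exponent; unsigned mantissa with decimals and a neg flag) but are constructed here, and the 1% confidence limit and 8-decimal internal scale are assumed policy. Both feeds are normalised to the same fixed-point representation so the rest of a protocol sees one price type.

```rust
/// Pyth-style aggregate: signed mantissa, confidence interval, decimal exponent.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct PythPrice {
    pub price: i64,
    pub conf: u64,
    pub expo: i32,
}

/// Switchboard-style decimal: unsigned mantissa, decimal places, sign flag.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct SwitchboardDecimal {
    pub value: u128,
    pub dec: u8,
    pub neg: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum PriceError {
    /// Zero or negative price: never a valid collateral or debt price.
    NonPositive,
    /// Providers disagree too much; the interval is wider than policy allows.
    ConfidenceTooWide { conf_bps: u128 },
    /// Exponent outside what the fixed-point conversion supports.
    ExponentOutOfRange,
}

/// Assumed policy: reject if the confidence interval exceeds 1% of the price.
pub const MAX_CONF_BPS: u128 = 100;
/// Assumed internal fixed-point scale every feed is normalised to.
pub const TARGET_DECIMALS: i32 = 8;

/// Rescale `mantissa * 10^expo` to TARGET_DECIMALS, failing on absurd exponents or overflow.
fn to_fixed(mantissa: u128, expo: i32) -> Result<u128, PriceError> {
    let shift = TARGET_DECIMALS + expo;
    if shift.abs() > 18 {
        return Err(PriceError::ExponentOutOfRange);
    }
    if shift >= 0 {
        mantissa
            .checked_mul(10u128.pow(shift as u32))
            .ok_or(PriceError::ExponentOutOfRange)
    } else {
        Ok(mantissa / 10u128.pow((-shift) as u32))
    }
}

/// Sign, zero and confidence checks for a Pyth-style price.
pub fn validate_pyth(p: &PythPrice) -> Result<u128, PriceError> {
    if p.price <= 0 {
        return Err(PriceError::NonPositive);
    }
    let price = p.price as u128;
    // Confidence relative to price, in basis points; u128 so a tiny price cannot overflow.
    let conf_bps = p.conf as u128 * 10_000 / price;
    if conf_bps > MAX_CONF_BPS {
        return Err(PriceError::ConfidenceTooWide { conf_bps });
    }
    to_fixed(price, p.expo)
}

/// Negative-flag and zero checks for a Switchboard-style decimal.
pub fn validate_switchboard(d: &SwitchboardDecimal) -> Result<u128, PriceError> {
    if d.neg || d.value == 0 {
        return Err(PriceError::NonPositive);
    }
    to_fixed(d.value, -(d.dec as i32))
}

fn main() {
    // Constructed samples: 60 000.00 with a 300 (0.5%) and a 1 200 (2%) confidence interval.
    let tight = PythPrice { price: 6_000_000_000_000, conf: 30_000_000_000, expo: -8 };
    let wide = PythPrice { conf: 120_000_000_000, ..tight };
    println!("{:?} {:?}", validate_pyth(&tight), validate_pyth(&wide));
    let sb = SwitchboardDecimal { value: 60_000_000_000_000, dec: 9, neg: true };
    println!("{:?}", validate_switchboard(&sb));
}
```

The confidence ratio is computed from the raw mantissas before rescaling, so it is independent of the feed's exponent; the threshold is the knob a protocol should expose as configuration rather than hard-code, which is also the lesson of the Aries max_deviation finding.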
Risk of Borrowing Undervalued Collateral
Severity: Medium
Ecosystem: Aptos
Protocol: Echelon Staked LPT
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Apr 2025
Description:
In the current implementation, the staked LPT oracle may undervalue liquidity provider tokens. While this does not impact their utilization as collateral—effectively acting as a reduced collateral factor—it is critical to prevent borrowing of these undervalued assets. An undervalued oracle price only limits borrowing power, which is acceptable as long as borrowing is not permitted against such assets.