Critical Findings
Arbitrary Lock Duration
Severity: Critical
Ecosystem: OL Network
Protocol: StakeWallet 2.0 by StakeSphere
Auditor: MoveJay
Report: https://github.com/Jayfromthe13th/OL-Audit/blob/Wallet/audit.md
Report Date: Apr 2024
Description:
The Lockbox module in the Slow Wallet v2.0 implementation allows users to lock assets for a specified period. However, a vulnerability exists where the DEFAULT LOCK DURATION constant is not enforced, allowing users to create lockboxes with arbitrary durations.
Improper Mint Limit Reset
Severity: Critical
Ecosystem: Sui
Protocol: Lombard Finance
Auditor: OtterSec
Report: https://www.notion.so/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Dec 2024
Description:
The minting function incorrectly resets the remaining mint limit (left) during a new epoch, as it assigns the limit value directly instead of referencing it with *limit.
Outdated Variable VaultsValuation
Severity: Critical
Ecosystem: Sui
Protocol: ABEx Labs
Auditor: MoveBit
Report: https://movebit.xyz/reports/Abex-Smart-Contract-Audit-Report.pdf
Report Date: Aug 2023
Description:
When two VaultsValuation instances are created in a single transaction, only the first is updated during valuate_vault, leaving the second outdated. This allows a user to deposit again using stale valuation data, receiving excess LP tokens and potentially depleting protocol assets.
Lack of State Changes During Function Execution
Severity: Critical
Ecosystem: Sui
Protocol: SuiPad
Auditor: MoveBit
Report Date: Apr 2023
Description:
The claim_refund function fails to update related state variables or mark the InvestCertificate as claimed, allowing users to reuse the same certificate multiple times to claim additional refunds.
Failure in Updating State Post Withdrawal
Severity: Critical
Ecosystem: Aptos
Protocol: Aries Markets
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: May 2024
Description:
The withdraw_reserve_amount function in reserve_details is responsible for handling the withdrawal of a specified amount of reserve currency from the reserve. However, after completing the withdrawal, it fails to update the total_cash_available value stored in the ReserveDetails structure.
Insufficient Tracking of Flashloan Parameters
Severity: Critical
Ecosystem: Aptos
Protocol: ThalaSwapV2
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Aug 2024
Description:
In pool, the Flashloan structure contains a vector of unsigned 64-bit integers (u64) to represent the amounts of assets borrowed during the flash loan operation. However, the structure does not include any information about which specific assets were borrowed or from which pool the assets were borrowed. When a user initiates a flash loan, they borrow a specific amount of a particular asset from a liquidity pool. In a well-designed flash loan mechanism, the receipt of the flash loan should accurately record both the amount and the type of borrowed asset.
Absence of State Variable Update on Wallet Removal
Severity: Critical
Ecosystem: Aptos
Protocol: Aptos Securitize
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2024
Description:
In registry_service::remove_wallet , the failure to remove wallet_addr from the investor.wallets structure introduces a significant vulnerability. This results in inaccurate calculations in investor_wallet_balance_total , which, in turn, impacts various other functions in the project that depend on accurate wallet balances.