High Findings
Inability to End an Epoch
Severity: High
Ecosystem: Sui
Protocol: Sui Bridge
Auditor: OtterSec
Report: https://www.notion.so/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Apr 2024
Description:
The register function allows a validator to register with an already-used public key (bridge_pubkey_bytes). When try_create_next_committee is called at the end of an epoch, it creates a new committee based on the registrations stored in member_registrations. When it attempts to insert the members into the new_members mapping using vec_map::insert, the insertion fails if the public key already exists in the mapping. This prevents the system from creating a new committee even if enough stake is available. As a result, the committee is not updated properly, and the end of epoch fails when it attempts to create the committee.
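The failure mode above, as an added Python model (not Sui Bridge code and not from the audit report): it contrasts registration without and with a uniqueness check. The registration layout, the `enforce_unique` flag, the `end_of_epoch` driver and all sample values are assumptions made for illustration.

```python
# Added model (not Sui Bridge code): why one duplicate key stops committee creation.
class KeyAlreadyExists(Exception):
    """Stands in for the abort vec_map::insert raises on a duplicate key."""


class VecMap:
    """Minimal insert-only map whose insert aborts on an existing key."""

    def __init__(self):
        self.entries = []

    def insert(self, key, value):
        if any(k == key for k, _ in self.entries):
            raise KeyAlreadyExists(key.hex())
        self.entries.append((key, value))


def register(member_registrations, validator, bridge_pubkey_bytes, enforce_unique):
    # Assumed layout: validator address -> registered bridge public key.
    others = {v: k for v, k in member_registrations.items() if v != validator}
    if enforce_unique and bridge_pubkey_bytes in others.values():
        raise ValueError("bridge public key already registered")
    member_registrations[validator] = bridge_pubkey_bytes


def try_create_next_committee(member_registrations, stakes):
    new_members = VecMap()
    for validator, pubkey in member_registrations.items():
        new_members.insert(pubkey, (validator, stakes[validator]))
    return new_members


def end_of_epoch(enforce_unique):
    """Two validators submit the same constructed key; report what happens."""
    shared_key = bytes.fromhex("02" + "11" * 32)  # constructed sample key
    stakes = {"0xA": 6000, "0xB": 4000}            # constructed stake values
    registrations, events = {}, []
    for validator in stakes:
        try:
            register(registrations, validator, shared_key, enforce_unique)
        except ValueError:
            events.append(f"register rejected for {validator}")
    try:
        committee = try_create_next_committee(registrations, stakes)
        events.append(f"committee created with {len(committee.entries)} member(s)")
    except KeyAlreadyExists:
        events.append("epoch change aborted in try_create_next_committee")
    return events
```

Rejecting the duplicate at registration time keeps the failure local to one call instead of surfacing it during the epoch change.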
Incorrect Flow Tracking
Severity: High
Ecosystem: Sui
Protocol: Sui Axelar (Gateway V2)
Auditor: OtterSec
Report: https://www.notion.so/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: May 2024
Description:
In the current implementation, the function utilizes self.flow_limit.add_flow_out(sui_amount, clock) to record the amount of tokens given out. This is inappropriate when the system is receiving tokens through an interchain transfer. Utilizing add_flow_out during a reception scenario inaccurately reflects the state of token flow. Instead of tracking tokens that are leaving the system, it should track tokens coming in.
Users Unable To Claim Surplus
Severity: High
Ecosystem: Sui
Protocol: Bucket
Auditor: OtterSec
Report: https://www.notion.so/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: June 2023
Description:
When the debt amount (repay_amount) is greater than or equal to the Bottle debt, after calculating the collateral amount to return, that amount is subtracted from bottle.collateral_amount and the function returns true. That signifies the clearing of all debt. Now, the Bottle is destroyable. However, simply destroying the Bottle deletes it from the Bottle table, which results in the user being unable to claim their surplus collateral amount from the Bottle.
Absence of Functionality
Severity: High
Ecosystem: Sui
Protocol: Drife Technologies
Auditor: OtterSec
Report: https://www.notion.so/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Dec 2023
Description:
The update_driver_state function fails to set on_ride to false after a successful ride completion. Additionally, a driver can complete a ride even when on_ride is already false, causing inconsistent state tracking and availability errors.
Multiple Active Rides
Severity: High
Ecosystem: Sui
Protocol: Drife Technologies
Auditor: OtterSec
Report: https://www.notion.so/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Dec 2023
Description:
A malicious user may call request_ride multiple times to accept multiple rides at once, resulting in situations where a single rider is associated with multiple active rides, disrupting the normal functioning of the ride-sharing service.
Missing State Validation
Severity: High
Ecosystem: Sui
Protocol: Navi
Auditor: MoveBit
Report Date: July 2023
Description:
Storage data can be modified in many public functions even when the admin has suspended transactions.
Liquidation Remarking
Severity: High
Ecosystem: Aptos
Protocol: Argo
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2022
Description:
Argo uses a descending auction system to process liquidations. When a vault is undercollateralized and eligible for liquidation, it becomes "marked" and the descending auction begins. Unfortunately, this function does not ensure that the vault was not previously marked. As a result, a user attempting to prevent the liquidation of their vault can repeatedly mark their own vault to reset the descending auction.
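A regression check for the missing "already marked" guard, as an added Python model (not Argo's code and not from the audit report). The linear price schedule, its constants, and the names `mark_vault`, `auction_price` and `price_after` are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed auction parameters; Argo's real values are not on this page.
START_PRICE = 1000
DECAY_PER_SECOND = 5
FLOOR_PRICE = 100


class AlreadyMarked(Exception):
    """Raised by the hardened mark when an auction is already running."""


@dataclass
class Vault:
    marked_at: Optional[int] = None  # None means no auction in progress


def mark_vault(vault, now, reject_if_marked):
    # The missing check from the finding: refuse to restart a live auction.
    if reject_if_marked and vault.marked_at is not None:
        raise AlreadyMarked()
    vault.marked_at = now


def auction_price(vault, now):
    elapsed = now - vault.marked_at
    return max(FLOOR_PRICE, START_PRICE - DECAY_PER_SECOND * elapsed)


def price_after(seconds, remark_every, reject_if_marked):
    """Mark at t=0, repeat the mark call every `remark_every` seconds,
    and return the auction price observed at t=`seconds`."""
    vault = Vault()
    mark_vault(vault, 0, reject_if_marked)
    for now in range(remark_every, seconds + 1, remark_every):
        try:
            mark_vault(vault, now, reject_if_marked)
        except AlreadyMarked:
            pass  # hardened path: the repeat call has no effect
    return auction_price(vault, seconds)
```

Without the guard the price never leaves its starting value; with it the auction descends on schedule regardless of repeated calls.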
Missing Snapshot Mechanism In Staking Module
Severity: High
Ecosystem: Aptos
Protocol: Merkle Token
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: July 2024
Description:
In staking, where voting power is derived from locked tokens, the absence of a snapshot mechanism to record past voting powers may result in critical issues affecting the integrity of voting processes. When a user unlocks their tokens via unlock, their voting power is effectively removed. Without a snapshot mechanism to preserve historical voting power, this removal retroactively impacts past voting records, invalidating previous votes or governance actions that depended on the user’s voting power.
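One common shape for the snapshot mechanism the finding calls for, as an added Python model (not the protocol's code and not the auditor's recommended patch): every stake change writes a checkpoint, and tallies read voting power as of the proposal's snapshot time. All names and sample values are assumptions, and timestamps are assumed to be non-decreasing.

```python
import bisect


class StakeLedger:
    """Locked-token voting power with per-user checkpoints (added model)."""

    def __init__(self):
        self.live = {}         # user -> current voting power
        self.checkpoints = {}  # user -> ([timestamps], [power after change])

    def _record(self, user, now, power):
        self.live[user] = power
        times, powers = self.checkpoints.setdefault(user, ([], []))
        if times and times[-1] == now:
            powers[-1] = power  # several changes at one timestamp
        else:
            times.append(now)
            powers.append(power)

    def lock(self, user, amount, now):
        self._record(user, now, self.live.get(user, 0) + amount)

    def unlock(self, user, now):
        self._record(user, now, 0)

    def power_now(self, user):
        return self.live.get(user, 0)

    def power_at(self, user, timestamp):
        # Latest checkpoint at or before `timestamp`; 0 if none exists.
        times, powers = self.checkpoints.get(user, ([], []))
        i = bisect.bisect_right(times, timestamp)
        return powers[i - 1] if i else 0


def tally(ledger, voters, snapshot_time=None):
    if snapshot_time is None:  # behaviour described in the finding
        return sum(ledger.power_now(v) for v in voters)
    return sum(ledger.power_at(v, snapshot_time) for v in voters)


def scenario():
    """Constructed sequence: two lockers vote, then one unlocks."""
    ledger = StakeLedger()
    ledger.lock("alice", 500, now=100)
    ledger.lock("bob", 300, now=120)
    proposal_snapshot = 150  # both vote at this time
    ledger.unlock("alice", now=200)
    voters = ["alice", "bob"]
    return tally(ledger, voters), tally(ledger, voters, proposal_snapshot)
```

The live tally loses the unlocked voter's 500 after the fact, while the snapshot tally still reports the power that existed when the votes were cast.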
Artificial Reduction of Investor Counts
Severity: High
Ecosystem: Aptos
Protocol: Aptos Securitize
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2024
Description:
There is an inconsistency in the way the system allows users to create zero-value fungible assets (FA) through fungible_asset::zero and deposit them via dispatchable_fungible_asset::deposit. A user with a zero FA balance may withdraw a zero-value FA and then deposit it, setting WithdrawCount.amount to zero.
Discrepancies in Updating Investor Count
Severity: High
Ecosystem: Aptos
Protocol: Aptos Securitize
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2024
Description:
In the existing implementation of compliance_service::record_burn, the function checks if the investor’s balance equals the value to be burned (balance_who == (value as u64)). However, it does not explicitly check if value is greater than zero before making this comparison or before adjusting the investor count. If value is zero, the condition will still evaluate to true, which will decrease the total investor count incorrectly, even though the investor was already inactive (with a zero balance) and should not have been counted.
Failure to Distribute Staking Rewards
Severity: High
Ecosystem: Aptos
Protocol: Kofi Finance Contracts
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: May 2025
Description:
rewards_manager::update_rewards handles staking reward calculations and distributions during epoch changes. A manager fee is deducted, and the remaining APT rewards are minted as kAPT and deposited into the vault via the minting_manager::mint_to_vault function. However, while kAPT coins are successfully minted, the virtual_balance, which tracks deposited kAPT and determines the exchange rate, is not updated. This oversight permanently locks staking rewards, preventing distribution to stakers.
Address mismatch in configuration data storage & retrieval #19
Severity: High
Ecosystem: Aptos
Protocol: AAVE V3
Auditor: Cantina Contest SRs
Report: https://cantina.xyz/code/ad445d42-9d39-4bcf-becb-0c6c8689b767/findings/19
Report Date: May 2025
Description:
The AAVE protocol has a fundamental address mismatch where configuration data is stored at one blockchain address (@aave_data) but all retrieval functions attempt to read from a completely different address (@aave_pool). This is equivalent to storing your house keys in one safe but always looking for them in a different safe.
Missing max_id update in batch_add_addr
Severity: High
Ecosystem: Aptos
Protocol: MoveDID
Auditor: MoveBit
Report Date: Nov 2022
Description:
add_addr modifies max_id when adding the address, but batch_add_addr does not.