Medium Findings
Assets May be Locked in Proposals
Severity: Medium
Ecosystem: Sui
Protocol: Legend of Arcadia
Auditor: MoveBit
Report Date: Jun 2023
Description:
A proposal cannot be canceled until it reaches an approval or rejection threshold. Proposals can get stuck if MultiSignature participants are inactive and not voting, causing data or assets in the proposal to be locked.
Lack of Validation for Campaign Status in invest
Severity: Medium
Ecosystem: Sui
Protocol: SuiPad
Auditor: MoveBit
Report Date: Apr 2023
Description:
No validation for closed campaigns — users can invest in campaigns that are already closed, leading to confusion or incorrect token distribution.
No Pool Status Check
Severity: Medium
Ecosystem: Sui
Protocol: Cetus Concentrated Liquidity Protocol
Auditor: MoveBit
Report Date: Mar 2023
Description:
No suspension checks — functions like repay_flash_swap, repay_flash_swap_with_partner, update_pool_url, and update_fee_rate can still modify pool data even when the pool is suspended.
Owner’s address is not updated
Severity: Medium
Ecosystem: Sui
Protocol: Mini Miners
Auditor: MoveBit
Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Mini-Miners-Contract-Audit.pdf
Report Date: Apr 2023
Description:
info is a shared object, so ownership cannot be transferred through transfer. After the ownership change, the owner address stored in info is not updated, so the next assert will panic.
Reserve Interest Not Updated in Timely Manner
Severity: Medium
Ecosystem: Sui
Protocol: Aries Market
Auditor: MoveBit
Report Date: June 2023
Description:
Interest may become outdated for long-standing loans; recommend periodic updates to keep interest calculations synchronized.
Shared Global Vault Without Pool-Specific Balance Tracking Enables Cross-Pool Reward Drainage
Severity: Medium
Ecosystem: Sui
Protocol: Magma DEX
Auditor: Three Sigma
Report: https://cdn.sanity.io/files/qoqld077/staging/9566473c444a6cfd99c7a6556fa4857950b41de3.pdf
Report Date: July 2025
Description:
The ALMM protocol implements a reward system where all pools share a single RewarderGlobalVault instance, while each pool maintains its own RewarderManager for tracking reward emissions and growth. The critical flaw lies in the absence of pool-specific reward balance tracking within the global vault, allowing pools to withdraw rewards that were intended for other pools.
Epoch Mismatch in Storage Reclamation
Severity: Medium
Ecosystem: Sui
Protocol: Walrus
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Feb 2025
Description:
Epoch mismatch causes extend_blob to fail: decrease_storage_to_reclaim in storage_accounting attempts to reduce storage in the wrong epoch.
Risk of Compromising Snapshot Integrity
Severity: Medium
Ecosystem: Sui
Protocol: Mysten Republic Security Token
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Apr 2025
Description:
total_supply is compromised during join. join allows two different tokens to be merged into one, potentially altering the balances and total supply of tokens mid-snapshot. If tokens that are part of the snapshot join with those that are not, total_supply will no longer be equal to unlocked_sum + locked_sum.
Health Check Performed On Outdated State
Severity: Medium
Ecosystem: Sui
Protocol: Navi
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: June 2023
Description:
The is_health assert in execute_withdraw and execute_borrow in logic.move depends on the user’s collateral and loan balances. However, these balances are not updated with update_state during health validation, potentially causing inaccuracies. This issue is particularly impactful during the liquidation process, as outdated collateral asset states may lead to exclusion from liquidation.
Improper Stake Update
Severity: Medium
Ecosystem: Sui
Protocol: Bucket
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: June 2023
Description:
In the handle_redeem function in bucket.move, when redeeming Bottles, the else case inside the while loop handles the last Bottle’s redemption. When the remaining redemption amount is less than the Bottle’s buck amount, the loop ends in the else case with a break and skips the call to bottle::update_stake_and_total_stake_by_debtor on the last Bottle. The fix is to call bottle::update_stake_and_total_stake_by_debtor before the break.
Restake Sui
Severity: Medium
Ecosystem: Sui
Protocol: Volo
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2023
Description:
A vulnerability arises when a user creates an UnstakeTicket for a large stake. This may prevent the user from burning the ticket and reclaiming the staked SUI during the current epoch.
Include Pending In Unstake
Severity: Medium
Ecosystem: Sui
Protocol: Volo
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2023
Description:
native_pool::burn_ticket_non_entry employs native_pool::unstake_amount_from_validators to collect SUI for returns to the user. However, it does not consider the coins held in NativePool::pending.
Missing Timestamp Update
Severity: Medium
Ecosystem: Aptos
Protocol: Aries Markets
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: May 2024
Description:
When adding or removing rewards in the liquidity farming contract, the update_reward function is called to adjust the reward per share based on the elapsed time (time_diff). However, these functions currently do not update the farm.timestamp after invoking update_reward. Consequently, if subsequent reward distribution actions occur without updating the timestamp, the rewards for the same time period will be double-claimed.
Wallet Balance Misverification
Severity: Medium
Ecosystem: Aptos
Protocol: Aptos Securitize
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2024
Description:
ds_token::check_wallets_for_list checks the total token balance for an investor instead of the balance in each individual wallet. This implies that even if a wallet holds zero tokens, it will still be added to the active wallet list if the investor’s total balance is non-zero. This discrepancy may allow an investor to create a large number of empty wallets that are added to the wallet tracking structures (wallet_indexes and wallet_list). Thus, an investor may create numerous dead wallets (wallets with a zero token balance) by initiating a token transfer of value zero to each of them.
Missing Bound Check on Lock Removal
Severity: Medium
Ecosystem: Aptos
Protocol: Aptos Securitize
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2024
Description:
When a lock is removed, it is not actually deleted from the SmartTable storing lock records. This leaves the data accessible in the system even after it is supposedly removed. Since locks are not fully removed from the SmartTable, view functions may show locks that should have been deleted. Also, lock_index is not validated to ensure it is within the bounds of the investor’s lock count. Thus, lock_index values may be out of bounds, potentially attempting to delete nonexistent records. As a result, the same lock may be removed multiple times, each time decreasing the lock count.
Failure to Clear Investor Attributes After Removal
Severity: Medium
Ecosystem: Aptos
Protocol: Aptos Securitize
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2024
Description:
In registry_service::remove_investor, when an investor is removed, only their main record in the investors table is deleted. Any associated data, such as compliance attributes, remains in the attributes table. If a new investor is later registered with the same ID as the removed investor, the system will inadvertently link the new investor to the old attributes, potentially granting unintended privileges based on the removed investor’s attributes.
Failure to Convert to veTHL
Severity: Medium
Ecosystem: Aptos
Protocol: Thala LSD
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Feb 2025
Description:
When a user unlocks their veTHL via vetoken::unlock, the system resets the unlockable_epoch to zero. Additionally, if a user registers an account without locking veTHL, unlockable_epoch is also set to zero.