Low Findings
execute_config_tx_internal should be public(package)
Severity: Low
Ecosystem: Sui
Protocol: Aeon
Auditor: Asymptotic
Report: https://info.asymptotic.tech/aeon-audit-report#262c1aef2c7042b7816a0015ed4a0051
Report Date: Feb 2025
Description:
execute_config_tx_internal should be public(package).
A transaction cancelation can be proposed without having an approve cap
Severity: Low
Ecosystem: Sui
Protocol: Aeon
Auditor: Asymptotic
Report: https://info.asymptotic.tech/aeon-audit-report#262c1aef2c7042b7816a0015ed4a0051
Report Date: Feb 2025
Description:
In request_cancel_mpc_transaction, the comment seems to indicate that false should be true.
Anyone can create more vaults
Severity: Low
Ecosystem: Sui
Protocol: Bluefin RFQ
Auditor: Asymptotic
Report: https://bluefin.io/blog/doc/bluefin_rfq_audit.pdf
Report Date: Feb 2025
Description:
create_rfq_vault is public and does not take an admin cap, allowing anyone to create Vaults.
This is also contrary to the doc of the function: “cap: Immutable reference to admin cap to ensure the caller is the Admin of the protocol/”
Race Condition in Full Sail Distribution Initialization
Severity: Low
Ecosystem: Sui
Protocol: Full Sail CLMM
Auditor: Asymptotic
Report: https://info.asymptotic.tech/full-sail-clmm-audit
Report Date: May 2025
Description:
The init_fullsail_distribution_gauge function allows any user with a GaugeCap to set a pool's fullsail_distribution_gauger_id with their own gauge ID. While the function verifies that the pool ID matches the intended target, it fails to implement proper access control for the initialization action itself.
Since the number of GaugeCap is not limited and can be created by anyone holding a CreateCap, this introduces a race condition: the first GaugeCap owner who calls this function will gain privileged functionality over Full Sail distribution for that pool.
Unrestricted Access to Partner Fee Reception
Severity: Low
Ecosystem: Sui
Protocol: Full Sail CLMM
Auditor: Asymptotic
Report: https://info.asymptotic.tech/full-sail-clmm-audit
Report Date: May 2025
Description:
The receive_ref_fee function in the partner module is declared as public, allowing any user to add arbitrary coins to partner fee balances and trigger corresponding events. Malicious actors can manipulate partner accounting by emitting false events, compromising the reliability of the protocol's fee tracking system.
Unprotected Public Function Has Mutable Access to Shared State
Severity: Low
Ecosystem: Sui
Protocol: Cetus DLMM
Auditor: MoveBit
Report: https://drive.google.com/drive/u/0/folders/1d9nv3nJidsbQ0vDT8D1kEuR3rJzK2ULg
Report Date: Sep 2025
Description:
The public function is_allowed_coin accepts a mutable reference (&mut GlobalConfig) to the shared object GlobalConfig. Although the current implementation is read-only, its function signature is misleading and violates the principle of least privilege.
Users may arbitrarily decrease the remaining mixes of their SuiFrens
Severity: Low
Ecosystem: Sui
Protocol: MystenLabs Sui
Auditor: OtterSec
Report:
https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: May 2023
Description:
Users may arbitrarily call decrease_remaining_mixes_by_one. Users may supply their SuiFrens and reduce the remaining mix in the object without minting a new SuiFrens. This function also does not check if the remaining_mix is set to None(), aborting the application.
Unrevokeable Minter Capability
Severity: Low
Ecosystem: Sui
Protocol: Ghost Ivy
Auditor: OtterSec
Report:
https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: May 2023
Description:
The Havencompass admin issues MintCaps to minters to allow minting of new GameKeys.
// Requires the AdminCap, so only the admin can issue a new MintCap.
public fun issue_mint_cap(_cap: &mut AdminCap, ctx: &mut TxContext): MintCap {
    let mint_cap = MintCap {
        id: object::new(ctx)
    };
    mint_cap
}
Issued MintCaps may only be burnt with the full cooperation of MintCap owners.
// Consumes the MintCap by value: only the holder of the MintCap can call this.
public fun burn_mintcap(mint_cap: MintCap) {
    let MintCap { id } = mint_cap;
    object::delete(id)
}
Thus, if a minter turns malicious due to cases such as wallet compromise, then admins would be unable to perform damage control by revoking mint permissions.
Visibility of burn And claim_specified_amount May Change To Private
Severity: Low
Ecosystem: Sui
Protocol: Aftermath Finance Liquid Staking Derivative
Auditor: MoveBit
Report: https://movebit.xyz/reports/Aftermath-Finance-Liquid-Staking-Derivative-Audit-Report.pdf
Report Date: Nov 2023
Description:
In receipt.move, both the burn and claim_specified_amount functions are declared as public friend functions; however, neither lsd::staked_sui_vault_state nor lsd::staked_sui_vault calls either of them directly.
Unnecessary friend Privileges
Severity: Low
Ecosystem: Sui
Protocol: Dola Protocol
Auditor: MoveBit
Report: https://movebit.xyz/reports/Dola-Protocol-Final-Audit-Report.pdf
Report Date: Feb 2024
Description:
Some functions in the boots.move module, such as withdraw_boost_coin, mint_boost_coin, burn_boost_coin, etc., are given friend privileges even though they are only used within this module. It is recommended to remove these unnecessary friend privileges.
Missing entry in mint_entry and redeem_entry Functions
Severity: Low
Ecosystem: Sui
Protocol: Scallop
Auditor: MoveBit
Report Date: June 2023
Description:
The functions mint_entry and redeem_entry are missing the entry keyword in their declarations. In the Move language, the entry keyword is used to define a function that can be called from outside of the module.
borrow_proposal_request Missing Permission Control
Severity: Low
Ecosystem: Sui
Protocol: Legend of Arcadia
Auditor: MoveBit
Report Date: June 2023
Description:
borrow_proposal_request does not add any permission restrictions, but the corresponding permission checks are done in the is_proposal_rejected and is_proposal_approved functions.
Incorrect Function Call Permissions
Severity: Low
Ecosystem: Sui
Protocol: Aries Market (Sui)
Auditor: MoveBit
Report Date: June 2023
Description:
The function market::new() is only called in market.move, yet its visibility is public (friend).
Optimization of Function Visibility
Severity: Low
Ecosystem: Sui
Protocol: Aries Market (Sui)
Auditor: MoveBit
Report Date: June 2023
Description:
The functions get_reserve_detail_mut_by_address() and get_reserve_detail_mut() return mutable objects. It is best not to set this type of function as a public function, as it may bring risks.
Incongruities in Role Management Checks
Severity: Low
Ecosystem: Aptos
Protocol: Aptos Labs Securitize
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2024
Description:
The role management verifications are flawed in multiple functions, resulting in improper access control and inconsistencies between the actual implementation and the documentation.
Flash Loan Accessibility Restriction
Severity: Low
Ecosystem: Aptos
Protocol: Meso Lending
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: July 2024
Description:
In lending_pool, start_flashloan and end_flashloan are marked as public(friend), implying they may only be called by other modules or addresses that are designated as friends of the module, not by external users directly. This restriction renders the flash loan functionality unusable to the general public, as they will be restricted from triggering these functions.
Limit Bypass Through Stake Coins Invocation
Severity: Low
Ecosystem: Aptos
Protocol: Tortuga
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: June 2023
Description:
stake_router provides two entry points to stake coins:
• stake_router::stake_coins - A permissionless staking endpoint. Takes inCoin
Accessibility Contradiction in the Utilization of swap_exact_x_to_y_direct() Function
Severity: Low
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
The function swap_exact_x_to_y_direct() is a friend function, yet it is only called within the current module and not in any other modules. Therefore, it behaves as a private function, which contradicts the intended access permissions for this function. The functions swap_exact_y_to_x_direct() and update_pool() also suffer from the same issue.
Lack of #[test] Attribute
Severity: Low
Ecosystem: Aptos
Protocol: StreamFlow
Auditor: MoveBit
Report: https://movebit.xyz/reports/StreamFlow2-Final-Audit-Report.pdf
Report Date: Mar 2024
Description:
The init_module_test function is missing the #[test] attribute. Without it, the function is compiled into the program and, since its visibility is public, any user can call it.
The Admin Lacks the Permission for the BurnExecuteCapability Capability
Severity: Low
Ecosystem: Aptos
Protocol: Merkle Trade Smart Contract
Auditor: MoveBit
Report: https://movebit.xyz/reports/Merkle-Trade-Smart-Contract-Audit-Report.pdf
Report Date: July 2023
Description:
The admin can only register the ExecuteCapability to other addresses, but lacks the permission to burn the ExecuteCapability. The following code only allows the executor candidate to burn the ExecuteCapability.
The function init_reward_container is missing caller constraints
Severity: Low
Ecosystem: Aptos
Protocol: Aries Market(Aptos)
Auditor: MoveBit
Report Date: Feb 2023
Description:
The function init_reward_container should only allow @aries calls, but there is no restriction here.
lp_account::retrieve_signer_cap should be a friend to liquidity_pool
Severity: Low
Ecosystem: Aptos
Protocol: LiquidSwap
Auditor: Zellic
Report: https://github.com/Zellic/publications/blob/master/Pontem Liquidswap - Zellic Audit Report.pdf
Report Date: Nov 2022
Code Snippet: N/A
Description:
The function lp_account::retrieve_signer_cap can currently be called by any module. If lp_account::retrieve_signer_cap is called by a function other than liquidity_pool::initialize, then the initialization process of Liquidswap will be unable to move forward.
Impact: The initialization of Liquidswap can be griefed. This will make Liquidswap inaccessible to any users.
default_reserve_interest_rate_strategy::set_reserve_interest_rate_strategy should be declared as public(friend)
Severity: Low
Ecosystem: Aptos
Protocol: AAVE v3.0.2 Core
Auditor: Spearbit
Report Date: Jun 2025
Description:
The current implementation of set_reserve_interest_rate_strategy in the default_reserve_interest_rate_strategy module declares the function as public entry and allows any authenticated user to initialize or update the interest rate configuration of a reserve (existing or not), without any assurance that the reserve index has already been updated. The function should be declared as public(friend), and only the pool_configurator module should be allowed to call it.
EmergencyWithdrawal spoofing
Severity: Low
Ecosystem: Aptos
Protocol: AAVE v3.0.2 Periphery
Auditor: Spearbit
Report:
Report Date: Jun 2025
Description:
The create_pull_rewards_transfer_strategy function can be called by anyone to receive the PullRewardsTransferStrategy resource on the object given by the constructor_ref. This object can then be used in the other public function pull_rewards_transfer_strategy_emergency_withdrawal to spoof emergency withdrawals of the module. While one cannot impersonate the legitimate PullRewardsTransferStrategy with the real rewards_admin and rewards_vault, one can spoof other objects created by oneself and they will all emit the EmergencyWithdrawal of the module.
Allocation of Excessive Privileges to Listing Admin
Severity: Low
Ecosystem: Aptos
Protocol: AAVE v3.1-3.3 Core
Auditor: OtterSec
Report: https://github.com/aave/aptos-aave-v3/blob/main/audits/Ottersec Aave Aptos V3.1-V3.3 Report.pdf
Report Date: Aug 2025
Description:
The asset listing admin may arbitrarily modify reserve configurations via set_reserve_configuration_with_guard, effectively bypassing role separation and increasing governance risk.
Unauthorized initialization function
Severity: Low
Ecosystem: Aptos
Protocol: Yeap Finance
Auditor: SlowMist
Report Date: July 2025
Description:
The Yeap Finance protocol has multiple critical initialization functions that lack proper access control mechanisms, allowing any user to call these functions for system initialization. Attackers may control configuration objects to set malicious parameters.