Medium Findings
Ineffective Revocation of Submitter Privileges
Severity: Medium
Ecosystem: IOTA Mainnet
Protocol: Echo Protocol Bridge
Auditor: Hacken
Report: https://hacken.io/audits/echo-protocol/sca-echo-protocol-bridge-iota-jul2025/
Report Date: Aug 2025
Description:
The access control mechanism for submitters is flawed. The check within approve_token_transfer only verifies that a transacting address exists as a key in the submitters map, but completely ignores the associated boolean flag indicating whether it is active. Consequently, a submitter whose privileges have been revoked (active = false) can still successfully call approve_token_transfer, defeating the revocation mechanism entirely.
Pool Griefing Possibility
Severity: Medium
Ecosystem: IOTA Mainnet
Protocol: Pools Finance
Auditor: Hacken
Report: https://hacken.io/audits/pools-finance/sca-pools-finance-pools-contracts-may2025/
Report Date: June 2025
Description:
The deposit_reward_coins function is exposed as a public entrypoint without any access control, meaning any user can add rewards to any pool at any time before it expires. A malicious actor can exploit this by repeatedly depositing a minimal amount of reward tokens. Each small deposit is sufficient to extend the pool's end_timestamp, which in turn resets the three-month waiting period required for a treasury withdrawal. This can be used to perpetually postpone the treasury's ability to reclaim leftover funds, effectively locking them in the contract indefinitely and causing a denial of service on the treasury withdrawal functionality.
Authorization in xaum_indicator_core update functions
Severity: Medium
Ecosystem: Sui
Protocol: Creek Finance
Auditor: MoveBit
Report: https://movebit.xyz/reports/Creek-Audit-Report-2025-12-30.pdf
Report Date: Dec 2025
Description:
The xaum_indicator_core module exposes several update functions — including set_price_9dec, update_price_storage_external, and init_ema_values — that can be invoked publicly without any access control.
Rewarder Emissions On Pool Assets Drain LP Liquidity
Severity: Medium
Ecosystem: Supra Network
Protocol: DexLyn Smart Contract
Auditor: HackenProof Contest SRs
Report: https://hackenproof.com/reports/DEXLYNCA-102
Report Date: Oct 2025
Description:
A malicious rewarder authority can emit rewards denominated in the pool asset and claim them, directly draining LP capital while the accounting invariants mask the shortfall.
Lack of Whitelist Control in Flash Loans
Severity: Medium
Ecosystem: Sui
Protocol: Scallop
Auditor: MoveBit
Report Date: Jun 2023
Description:
The borrow_flash_loan function lacks whitelist control, so any borrower can initiate a flash loan.
Missing Permission Verification in fund function
Severity: Medium
Ecosystem: Sui
Protocol: SuiPad
Auditor: MoveBit
Report Date: Apr 2023
Description:
Anyone can call the fund function and fund a campaign.
Wrong event access permission
Severity: Medium
Ecosystem: Sui
Protocol: Sui AMM Swap
Auditor: MoveBit
Report Date: Nov 2022
Description:
The event-emitting functions are public and can be called by anyone; a caller could thus pretend to have successfully called add_liquidity/remove_liquidity/swap, which may cause logic errors in other code that relies on these events.
Direct Invocation Risk in unstake_tokens() and claim_rewards() Functions in stake Module
Severity: Medium
Severity: High
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
The unstake_tokens() and claim_rewards() functions in the stake module can be invoked directly; it is advisable that they also use a friend function to control their invocation.
Initialize Function Lacks Privilege Control
Severity: Medium
Ecosystem: Aptos
Protocol: MoveGPT
Auditor: MoveBit
Report: https://movebit.xyz/reports/MoveGPT-Final-Audit-Report.pdf
Report Date: Apr 2024
Description:
The initialize function can be called by any user and with arbitrary parameters.
Bad validation condition for function caller
Severity: Medium
Ecosystem: Aptos
Protocol: Aries Market
Auditor: MoveBit
Report Date: June 2023
Description:
controller::add_reserve currently asserts that the caller must be the @aries address, which prevents calls from the other addresses configured in controller::init. Replace the check with assert_is_admin(signer::address_of(account)) for proper admin verification.
Function visibility issue
Severity: Medium
Ecosystem: Aptos
Protocol: Transit Finance
Auditor: MoveBit
Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Transit-Finance-Audit-Report.pdf
Report Date: Nov 2022
Description:
The emit_event_swap function in the aggregator module is public, so anyone can call it.
Deploy contract without multi-sig
Severity: Medium
Ecosystem: Aptos
Protocol: Transit Finance
Auditor: MoveBit
Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Transit-Finance-Audit-Report.pdf
Report Date: Nov 2022
Description:
A multi-sig contract is not used for deployment.
Deploy contract without multi-sig
Severity: Medium
Ecosystem: Aptos
Protocol: Cetus Concentrated Liquidity Protocol
Auditor: MoveBit
Report Date: Jan 2023
Description:
A multi-sig contract is not used for deployment.
Lack of AC in Metadata Setters
Severity: Medium
Ecosystem: Sui
Protocol: Recrd
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Apr 2024
Description:
The metadata setter functions lack access control, which allows anyone to invoke them and modify the metadata fields, resulting in unauthorized changes.