Critical Findings


max_liquidity_factor computation is incorrect

Severity: Critical

Ecosystem: Sui

Protocol: Kai Finance

Auditor: Asymptotic

Report: https://info.asymptotic.tech/kai-leverage-verification-report-6ec808dd2adc4b55a4e30f0512260a70

Report Date: Aug 2024

Description: The max_liquidity_factor function calculates the maximum liquidation factor for a financial position based on its current margin level. The denominator computation for one case is incorrect: it uses current_margin_x64 instead of liq_margin_x64.


Arithmetic Overflow in Liquidity Pricing Causes Complete DOS

Severity: Critical

Ecosystem: IOTA Mainnet

Protocol: Pools Finance

Auditor: Hacken

Report: https://hacken.io/audits/pools-finance/sca-pools-finance-pools-contracts-may2025/

Report Date: June 2025

Description: An arithmetic overflow vulnerability has been identified in the protocol's core liquidity pricing mechanism. This vulnerability allows attackers to manipulate pool reserves using flash loans, creating conditions where any user attempting to add liquidity will trigger a mathematical overflow that crashes the entire liquidity provision system.

The vulnerability exists in a critical pricing function amm_utils::quote that calculates how much of one token should be received when providing another token for liquidity. The function performs mathematical calculations that can result in extremely large numbers, but it fails to validate whether these numbers are safe to use before converting them to the protocol's standard number format.


Incorrect token amount calculation during transfer

Severity: Critical

Ecosystem: Supra Chain

Protocol: Dexlyn Hyperlane

Auditor: Hacken

Report: https://hacken.io/audits/dexlyn/sca-dexlyn-hyperlane-monorepo-dec2024/

Report Date: Dec 2024

Description:

In the transfer_remote and transfer_remote_with_gas functions of both hyper_coin_collateral.move and hyper_coin.move, there is an issue in the token amount calculation when source decimals are greater than destination decimals.

The code incorrectly assigns the scaled-down data_amount directly to amount, resulting in users being charged fewer tokens than they should be on the source chain.


Share Price Manipulation

Severity: Critical

Ecosystem: Sui

Protocol: Bluefin Spot

Auditor: OtterSec

Report: https://www.notion.so/a296e98838aa4fdb8f3b192663400772

Report Date: Nov 2024

Description: The bluefin_vault contract is vulnerable to rounding manipulation attacks due to improper handling of token-to-share conversion rates, allowing exploitation of precision errors in share valuation. Additionally, inconsistent conditions in the shares calculation logic may cause deposits to yield zero shares when vault balances are mismatched, leading to potential fund loss.


Interest Rate Calculation Error

Severity: Critical

Ecosystem: Sui

Protocol: Navi

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Navi-Smart-Contract-Audit-Report.pdf

Report Date: Jul 2023

Description: The SECOND_PER_YEAR constant is sometimes incorrectly calculated with milliseconds, resulting in a value 1000 times larger than intended, causing significant interest rate miscalculations.


Numerical Precision Error

Severity: Critical

Ecosystem: Sui

Protocol: Navi

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Navi-Smart-Contract-Audit-Report.pdf

Report Date: July 2023

Description: In the repay function, the excess amount after repayment is returned through pool::withdraw, but excess_amount is not converted to decimal precision, causing incorrect amounts to be returned to users.


Flawed Validations Lead To Inaccuracies

Severity: Critical

Ecosystem: Sui

Protocol: Navi

Auditor: OtterSec

Report: https://www.notion.so/a296e98838aa4fdb8f3b192663400772

Report Date: June 2023

Description: In validator.move, validation functions for lending operations use scaled balances (supply and borrow) in conjunction with unscaled amounts, leading to calculation inconsistencies and inaccuracies across multiple functions.


Improper Conversion

Severity: Critical

Ecosystem: Sui

Protocol: Bucket

Auditor: OtterSec

Report: https://www.notion.so/a296e98838aa4fdb8f3b192663400772

Report Date: June 2023

Description: When repay_amount is greater than or equal to Bottle debt, the returned collateral is calculated as 1.1 times the debt amount. However, the debt amount is not adjusted based on the collateral token's decimals during conversion, resulting in improper collateral values (return_sui_amount).


Calculation Formula Error when Adding Liquidity

Severity: Critical

Ecosystem: Sui

Protocol: KriyaDEX

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/KriyaDEX-Smart-Contract-Audit-Report.pdf

Report Date: Apr 2023

Description: In the get_amount_for_add_liquidity function, the formula for obtaining the other token quantity through one token quantity is incorrect, directly affecting the liquidity addition functionality for users.


Incorrect Formula

Severity: Critical

Ecosystem: Sui

Protocol: SuiPad

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/SuiPad-Smart-Contract-Audit-Report.pdf

Report Date: Apr 2023

Description: The amount_to_refund calculation should also be divided by DecimalPrecision after being multiplied by it, preventing precision loss in refund amounts.


remove_liquidity does not call update_rewarder

Severity: Critical

Ecosystem: Aptos

Protocol: Cetus Concentrated Liquidity Protocol

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Cetus-Concentrated-Liquidity-Protocol-Aptos-Audit-Report.pdf

Report Date: Jan 2023

Description:

remove_liquidity does not call update_rewarder, which causes cumulative reward accounting errors.


Broken Stable Curve Math

Severity: Critical

Ecosystem: Aptos

Protocol: Pontem (Liquidswap)

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Sep 2025

Description:

The liquidity_pool::compute_and_verify_lp_value function checks that the LP value is the same before and after a swap. When dealing with a stable curve, the LP value before the swap is calculated incorrectly.


Overflow In Calculating Delta B

Severity: Critical

Ecosystem: Sui

Protocol: Cetus

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Jan 2023

Description:

The function get_delta_b is used to calculate the amount_b for a specified liquidity. However, its implementation relies on the assumption that the multiplication of liquidity and sqrt_price_diff returns a value < 2**128, which is not guaranteed to hold.