Low Findings
Emergency State Allows Immediate Treasury Withdrawal Bypassing Time Restrictions
Severity: Low
Ecosystem: IOTA Mainnet
Protocol: Pools Finance
Auditor: Hacken
Report: https://hacken.io/audits/pools-finance/sca-pools-finance-pools-contracts-may2025/
Report Date: June 2025
Description:
The emergency mechanism in the staking protocol allows treasury administrators to bypass the standard 3-month waiting period and immediately withdraw all reward tokens from active pools. This creates a potential for privileged users to drain reward funds before users can claim their earned rewards.
Function Optimization
Severity: Low
Ecosystem: Sui
Protocol: TurboStar Smart Contract
Auditor: MoveBit
Report Date: May 2023
Description:
The functions transfer_funds_to_self() and transfer_funds() have almost identical logic, with just the recipient address being different. To simplify the code, we can directly call the transfer_funds() from within the transfer_funds_to_self() and pass in the account owner’s address.
extract_balance Code Optimization
Severity: Low
Ecosystem: Sui
Protocol: Typus Finance
Auditor: MoveBit
Report Date: May 2023
Description:
The extract_balance function extracts a given number of coins from the coins vector; the if condition at the start of the while loop can use a greater-than-or-equal comparison to simplify the logic.
Centralization Risks
Severity: Low
Ecosystem: Aptos
Protocol: PatronusFi
Auditor: MoveBit
Report Date: Mar 2023
Description:
The bank can grant a borrow capability to any address, and at the same time a borrow capability can extract coins from the vault indefinitely.
Centralization risk in minimum delegation amount
Severity: Low
Ecosystem: Aptos
Protocol: Tortuga Liquid Staking
Auditor: Zellic
Report: https://github.com/Zellic/publications/blob/master/Tortuga%20Liquid%20Staking%20-%20Zellic%20Audit%20Report.pdf
Report Date: Oct 2022
Description:
The set_min_delegation_amount function allows pool owners to set an arbitrary value for the minimum delegation amount without any constraints. So, a pool owner could set the value to the maximum u64, effectively making it impossible for anyone except the owner or protocol to delegate APT to a managed_stake_pool.
Centralized emergency withdrawal functionality
Severity: Low
Ecosystem: Aptos
Protocol: Propbase
Auditor: Hacken
Report: https://hacken.io/audits/propbase/sca-propbase-staking-feb2024/
Report Date: Feb 2024
Description:
In an emergency scenario, the staking contract can be stopped, and the emergency_asset_distribution() function returns stakes and rewards to users. However, only the owner is able to call this function. This means users lose control over their tokens if the owner stops the contract. The owner has nothing to gain from withholding user tokens. Nevertheless, users should always retain control over their tokens.
Allowing the Protocol Admins to Pause Liquidation Operations Can Lead to Bad Debt
Severity: Low
Ecosystem: Aptos, Initia, and Movement
Protocol: Echelon Market
Auditor: Quantstamp
Report Date: Mar 2025
Code: N/A
Description:
The protocol allows the administrator to pause different operations independently. One of these operations is liquidations. However, during high volatility, this can lead to huge amounts of bad debt piling up very quickly.