Medium Findings


Admin can re-initialize rewards multiple times

Severity: Medium

Ecosystem: Sui

Protocol: Momentum

Auditor: Sherlock

Report: https://1760493472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvMYfd5Y4I2ZxHbqdOD88%2Fuploads%2FCoI611HTaCx34uzF6O8j%2F2025_11_12_Final_Momentum_Collaborative_Audit_Report_1762918494.pdf?alt=media&token=216a66b1-491d-405a-a57f-b1b9f530ab78

Report Date: Nov 2025

Description:

The admin entrypoint that initializes rewards does not enforce a “one-time only” invariant. As a result, an authorized caller can invoke initialization repeatedly, resetting the pool’s reward timing markers and recomputing emission against a fresh start, which can corrupt accrual semantics and disrupt distribution.


GaugeCap Owner Can Block Fee Collection

Severity: Medium

Ecosystem: Sui

Protocol: Full Sail CLMM

Auditor: Asymptotic

Report: https://info.asymptotic.tech/full-sail-clmm-audit

Report Date: May 2025

Description:

The GaugeCap owner possesses excessive privileges to permanently block fee collection for all position owners in the protocol by calling mark_position_staked.


Admin Privilege Abuse (Centralization Risk)

Severity: Medium

Ecosystem: Sui

Protocol: MoviePass Exchange - MSX Smart Contracts

Auditor: Certora

Report: https://github.com/Certora/SecurityReports/blob/main/Reports/2025/03_02_2025_MoviePass_MSX-MR.pdf

Report Date: Feb 2025

Description:

Admin can control any user’s custodial pool, posing a serious risk if the admin account is compromised.


Oracle Centralization Risk

Severity: Medium

Ecosystem: Sui

Protocol: Typus Finance

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Typus-Finance-Smart-Contract-Audit-Report.pdf

Report Date: Apr 2023

Description:

All prices rely on typus_oracle::oracle; if its private key is compromised, attackers could manipulate prices. Mitigation: use a multisig-controlled oracle, verify return values, or integrate a trusted third-party oracle.


Centralization Risk

Severity: Medium

Ecosystem: Sui

Protocol: Navi

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Navi-Smart-Contract-Audit-Report.pdf

Report Date: July 2023

Description:

Multiple admin functions present centralization risk; acknowledged and mitigated by adopting a multi-sig wallet.


Centralization Risk

Severity: Medium

Ecosystem: Sui

Protocol: Aries Market

Auditor: MoveBit

Report:

Report Date: June 2023

Description:

Single immutable admin account poses centralization risk; recommend replacing with a multi-sig account.


Excessive Privilege Concentration

Severity: Medium

Ecosystem: Aptos

Protocol: Yeap Finance

Auditor: SlowMist

Report: https://github.com/slowmist/Knowledge-Base/blob/master/open-report-V2/smart-contract/aptos-smart-contract/yeap-finance%20-%20SlowMist%20Audit%20Report.pdf

Report Date: July 2025

Description:

A single governance entity holds nearly unlimited permissions and can arbitrarily modify key protocol parameters, lacking effective checks and balances.


Excessive Administrator Privileges in update_team_reward Function

Severity: Medium

Ecosystem: Aptos

Protocol: TokimonsterAI

Auditor: ExVul

Report: https://github.com/ExVul-Sec/AuditReport/blob/main/Smartcontract/TokimonsterAI%20Smarat%20Contract%20Audit%20Report-Exvul.pdf

Report Date: May 2025

Description:

The update_team_reward function allows unrestricted admin control to change the team_reward parameter at any time.


Centralization Risk

Severity: Medium

Ecosystem: Aptos

Protocol: Thala Labs Aptos Dollar

Auditor: Zellic

Report: https://github.com/Zellic/publications/blob/master/Thala%20Labs%20Move%20Dollar%20-%20Zellic%20Audit%20Report.pdf

Report Date: Oct 2022

Description:

Protocol managers can control oracle price, initialize vaults and CoinTypes used in protocol, and control the minimum collateralization ratio and redemption fees.


The admin account can freeze any user’s account

Severity: Medium

Ecosystem: Aptos

Protocol: AptoPad

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/AptoPad-Aptos-Contracts-Audit-Report.pdf

Report Date: Feb 2023

Description:

Admin can block withdrawals and transfers of APD coins, granting excessive control and creating a significant centralization risk.