Low Findings
get_coin_type and get_fee_coin_type are redundant
Severity: Low
Ecosystem: Sui
Protocol: Bluefin RFQ
Auditor: Asymptotic
Report: https://bluefin.io/blog/doc/bluefin_rfq_audit.pdf
Report Date: Feb 2025
Description:
Unless we are missing something, get_coin_type is actually idempotent: type_name::into_string just returns the name of the type and does not do any special conversion to ASCII, so further converting from UTF8 to bytes and back to UTF8 is redundant.
But assuming that it did actually do something, it would be potentially harmful: the point is to have a 1-to-1 connection between the coin type keys in Vault and the coin type included in the externally-signed Quote. If two coins could somehow be transformed into the same string via get_coin_type, this would allow an attacker to pay with a different coin type. Still, even this scenario is not possible, as borrow_mut would fail with EFieldTypeMismatch.
Unnecessary public entry modifiers
Severity: Low
Ecosystem: Sui
Protocol: ZO Perps(Sudo)
Auditor: Asymptotic
Report: https://info.asymptotic.tech/sudo-audit-report
Report Date: Mar 2025
Description:
A function should be either public or entry, not both. An entry function can be called from a PTB, but not from another module/package. An entry function can change its declaration on package upgrades. We recommend deciding which functions should be callable from other packages (these should be public) and making the rest entry. If you want maximum flexibility, you can create entry functions that directly call the public functions, and call the entry functions from the transactions.
Redundant Code Duplication for Liquidity Calculations
Severity: Low
Ecosystem: Sui
Protocol: Full Sail CLMM
Auditor: Asymptotic
Report: https://info.asymptotic.tech/full-sail-clmm-audit
Report Date: May 2025
Description:
The codebase contains duplicate implementations of critical mathematical functions related to liquidity calculations. Specifically, there is a copy of get_amount_by_liquidity from the clmm_math module directly in the pool module. Additionally, there's a renamed copy of get_liquidity_by_amount (renamed to contain "from" instead of "by"). These duplications create unnecessary maintenance burden and increase the risk of inconsistencies between implementations.
Redundant Math Functions in full_math_u128 and math_u128
Severity: Low
Ecosystem: Sui
Protocol: Momentum CLMM
Auditor: Asymptotic
Report Date: Aug 2025
Description:
The full_math_u128 module contains several utility functions:
• overflowing_add / overflowing_sub
• wrapping_add / wrapping_sub
• min / max
These are also present in math_u128, where they logically belong. However, only full_math_u128 is actively used throughout the codebase, while math_u128 is not. This duplication increases maintenance overhead and the risk of inconsistencies.
Use of Magic Error Codes and Unused Error
Severity: Low
Ecosystem: Sui
Protocol: Momentum CLMM
Auditor: Asymptotic
Report Date: Aug 2025
Description:
Several modules use hardcoded numeric literals ("magic numbers") as error codes in assert! statements, rather than referencing named error constants. This practice reduces code clarity and increases the risk of inconsistencies or accidental overlap with actual error codes:
• slippage_check.move, lines 5, 7: assert!(arg1 < pool::sqrt_price<T0, T1>(arg0), 111);
• storage/tick.move, line 132: assert!(liquidity_gross_after <= max_liquidity, 99);
• storage/pool.move, line 293: assert!(enabled, 999);
• utils/bit_math.move, lines 2, 47: assert!(value > 0, 0);
• utils/sqrt_price_math.move, lines 82, 91: assert!(current_price > 0 && liquidity > 0, 4);
• storage/tick_bitmap.move, lines 7, 80: assert!(mmt_v3::i32::abs_u32(value) < 256, 0); assert!(mmt_v3::i32::abs_u32(tick_index) % tick_spacing == 0, 0);
Some of these values overlap with actual error codes defined in error.move. Additionally, the invalid_amounts error code is defined but not used anywhere in the codebase.
Misleading and Non-Descriptive Naming Across Core Modules
Severity: Low
Ecosystem: Sui
Protocol: Momentum CLMM
Auditor: Asymptotic
Report Date: Aug 2025
Description:
Incorrect or misleading names for functions and parameters create significant risks during code review, auditing, and maintenance. They can lead to developer confusion and implementation errors, and make it extremely difficult to identify bugs or security vulnerabilities. Multiple parameters and variables in the codebase are named completely differently from their actual use, creating significant confusion and maintainability risks.
Redundant Function Calls in wrap_unstake_ticket
Severity: Low
Ecosystem: Sui
Protocol: Volo
Auditor: MoveBit
Report: https://movebit.xyz/reports/Volo-Smart-Contract-Audit-Report.pdf
Report Date: Sep 2023
Description:
It has been observed that redundant function calls are made to retrieve parameters already available from the initialized UnstakeTicket struct. The functions get_value, get_unlock_epoch, and get_unstake_fee are called despite these values being accessible directly from the struct's initialization parameters.
Set the Deprecated Module friend
Severity: Low
Ecosystem: Sui
Protocol: Dola Protocol
Auditor: MoveBit
Report: https://movebit.xyz/reports/Dola-Protocol-Final-Audit-Report.pdf
Report Date: Feb 2024
Description:
The lending_logic module declares the deprecated lending_portal as a friend module; in addition, no functions from lending_logic are used in lending_v2.
Reward Distribution Can Be Refactored
Severity: Low
Ecosystem: Sui
Protocol: Cetus Farming Smart Contracts
Auditor: MoveBit
Report: https://movebit.xyz/reports/Cetus-Farming-Smart-Contract-Final-Audit-Report.pdf
Report Date: Jan 2024
Description:
In pool.move, several functions use a while loop to update and calculate the pool rewards. For example, the loop in add_liquidity_fix_coin is the same as the one in remove_liquidity.
Unused Function
Severity: Low
Ecosystem: Sui
Protocol: Cetus Farming Smart Contracts
Auditor: MoveBit
Report: https://movebit.xyz/reports/Cetus-Farming-Smart-Contract-Final-Audit-Report.pdf
Report Date: Jan 2024
Description:
The function borrow_mut_pool_share() is not utilized within the contract. Redundant functions like this may result in higher gas consumption during deployment and can impact the overall readability of the contract.
Code Optimization
Severity: Low
Ecosystem: Sui
Protocol: Fluidity
Auditor: MoveBit
Report: https://movebit.xyz/reports/Fluidity-Final-Audit-Report.pdf
Report Date: Feb 2024
Description:
There are statements in the contract that compare Boolean variables with Boolean values, such as global.paused == false; it is recommended to use the value of that field directly.
The Function’s Functionality Does Not Match its Naming
Severity: Low
Ecosystem: Sui
Protocol: TurboStar Smart Contract
Auditor: MoveBit
Report Date: May 2023
Description:
The function’s functionality does not match its naming. The actual function updates the time, but the function name implies that it adds time.
Gas Optimization
Severity: Low
Ecosystem: Sui
Protocol: Legend of Arcadia
Auditor: MoveBit
Report Date: June 2023
Description:
The if statement at L268 can be deleted, and the loop can then be changed to a while loop, which improves code readability and saves gas.
Redundant Test Code
Severity: Low
Ecosystem: Sui
Protocol: Legend of Arcadia
Auditor: MoveBit
Report Date: June 2023
Description:
sources/multisig_example.move is test code; it is recommended to delete it, or to move it to the test directory and add the test_only annotation.
Meaningless Code
Severity: Low
Ecosystem: Sui
Protocol: Typus Finance
Auditor: MoveBit
Report Date: May 2023
Description:
Some functions always create a ManagerCap, but the ManagerCap is not used anywhere; it is only destroyed at the end.
Code Readability And Gas Optimization
Severity: Low
Ecosystem: Sui
Protocol: Typus Finance
Auditor: MoveBit
Report Date: May 2023
Description:
The second borrow_mut can be replaced by the variable payoff_config defined above, which improves readability and saves gas; set_strike can be modified in the same way.
Deposit Extra Code
Severity: Low
Ecosystem: Sui
Protocol: Typus Finance
Auditor: MoveBit
Report Date: May 2023
Description:
In the deposit function, the amount is required to be greater than 0 and the balance value is asserted to equal the amount, so the return value of extract_balance can never be a zero balance and destroy_zero is not required.
extract_balance Update Error
Severity: Low
Ecosystem: Sui
Protocol: Typus Finance
Auditor: MoveBit
Report Date: May 2023
Description:
After the update to extract_balance, the function aborts internally if the extracted amount is insufficient, so there is no need to check E_INSUFFICIENT_BALANCE outside the function; it is recommended to delete that check.
Inconsistent Error Code Format in Assert Statements
Severity: Low
Ecosystem: Sui
Protocol: Aries Market (Sui)
Auditor: MoveBit
Report Date: June 2023
Description:
The use of the integer value 0 as an error code in assert statements at line 257 of the file profile.move, line 189 of reserve_config.move, and lines 220-221 of controller.move violates the standard error code conventions. This inconsistency makes it difficult to convey accurate error information to users or developers.
Premature Assertion Checks
Severity: Low
Ecosystem: Sui
Protocol: Aries Market (Sui)
Auditor: MoveBit
Report Date: June 2023
Description:
The assertion check at line 458 in lending.move can be moved to the top of the function to reduce gas expenditure.
Swap Gas Optimization
Severity: Low
Ecosystem: Sui
Protocol: Cetus Concentrated Liquidity Protocol (Sui)
Auditor: MoveBit
Report Date: Apr 2023
Description:
When the index of next_sqrt_price and the pool's current_sqrt_price are equal, there is no need to update current_sqrt_price; it only needs to be updated when they differ.
Redundant Functions
Severity: Low
Ecosystem: Sui
Protocol: Cetus Concentrated Liquidity Protocol (Sui)
Auditor: MoveBit
Report Date: Apr 2023
Description:
The two functions contains and is_some_and_eq are logically the same.
Multiple Coin Object Support
Severity: Low
Ecosystem: Sui
Protocol: Cetus Concentrated Liquidity Protocol (Sui)
Auditor: MoveBit
Report Date: Apr 2023
Description:
Because each token of Sui is independent, it is recommended to support vector<Coin
Remaining TODO
Severity: Low
Ecosystem: Sui
Protocol: Cetus Concentrated Liquidity Protocol (Sui)
Auditor: MoveBit
Report Date: Apr 2023
Description:
There are still TODOs in the code; it is recommended to check whether the functions are complete.
Functions with Similar Functionality
Severity: Low
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
Within fee_on_transfer.move, the functions get_info() and get_fee_on_transfer_info() serve the same purpose. The only difference lies in their visibility. get_fee_on_transfer_info() can entirely replace get_info(). Redundant code may lead to increased gas consumption and impact code readability.
Code Refactoring Suggestions in router_v2 Module
Severity: Low
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
In the router_v2 module, lines 40, 54, 69, and 82 can be replaced with a function named assert_pair_is_created(), as they serve the same purpose. This change would enhance readability and understanding while reducing code duplication. Additionally, the code on line 55 is repeated across multiple functions and could be encapsulated into its own function for reusability.
The Specification for Assert Statements
Severity: Low
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
The error codes in assert statements consist of a number of '1's. Best practice suggests using constants, and ensuring that different error code constants have distinct values.
Optimization through Consolidating claim_rewards() and unstake_tokens() Functions
Severity: Low
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
The functions claim_rewards() and unstake_tokens() within the stake module have almost identical code. Invoking unstake_tokens(sender, 0) within the claim_rewards() function achieves the same effect. Encapsulating the code within the unstake_tokens() function into a common function for caller use reduces redundant code and enhances readability and understanding.
Redundant Operations in the Code
Severity: Low
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
In the function swap_v2.distribute_dex_fees(), it is unnecessary for the protocol to extract liquidity_fee_coins from metadata.balance_y and then immediately merge it back into metadata.balance_y.
Code Redundancy in The toggle_individual_token_liquidity_fee() Function
Severity: Low
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
The code below has redundant blocks of code for both branches where
type_info::type_of
Redundant Pair Creation Check in init_rewards_pool() Function
Severity: Low
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
The purpose of the function router_v2.create_rewards_pool() is to create a rewards pool for a pair of tokens (X, Y or Y, X).
After checking whether a pair of tokens (X, Y or Y, X) has been created using swap_v2.is_pair_created() and raising an error (E_PAIR_NOT_CREATED) otherwise, the code proceeds to call swap_v2.init_rewards_pool(). However, within the init_rewards_pool() function, there is an additional check for the creation of the pair. This redundant pair creation check inside the init_rewards_pool function is unnecessary and duplicates the validation already performed in the calling function.
Unnecessary Boolean Comparison
Severity: Low
Ecosystem: Aptos
Protocol: MoveGPT
Auditor: MoveBit
Report: https://movebit.xyz/reports/MoveGPT-Final-Audit-Report.pdf
Report Date: Apr 2024
Description:
There are statements in the contract that compare Boolean variables with Boolean values, such as order_is_exist(order_id, buy_orders) == false; it is recommended to use that value directly.
Code Optimization
Severity: Low
Ecosystem: Aptos
Protocol: MoveGPT
Auditor: MoveBit
Report: https://movebit.xyz/reports/MoveGPT-Final-Audit-Report.pdf
Report Date: Apr 2024
Description:
There is a lot of duplicate code in the set* functions that set global variables, such as vesting_config.start = new_start_time or vesting_config.vesting_duration = new_duration_time; the common code can be extracted to make the code more readable.
Deprecated Function can Still be Used
Severity: Low
Ecosystem: Aptos
Protocol: StreamFlow
Auditor: MoveBit
Report: https://movebit.xyz/reports/StreamFlow2-Final-Audit-Report.pdf
Report Date: Mar 2024
Description:
The comments of the collect_fees function indicate that this function has been deprecated and should not be used, but the function can still be called normally, which may cause unnecessary losses.
Redundant conditional statement
Severity: Low
Ecosystem: Aptos
Protocol: Mokshya/Wapal Aptos NFT Mint Smart Contract
Auditor: MoveBit
Report Date: Mar 2023
Description:
Whether or not the if (nfts < 1024) branch in the function candymachine::create_bit_mask is entered has no effect on the values of full_buckets and remaining.
Assertions can be optimized
Severity: Low
Ecosystem: Aptos
Protocol: Mole
Auditor: MoveBit
Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Mole-Aptos-Audit-Report.pdf
Report Date: Feb 2023
Description:
The coin::destroy_zero function already checks whether the value of the coin is 0 and only destroys it when it is, so there is no need to check whether the value is 0 in the calling code.
Too many repetitive codes
Severity: Low
Ecosystem: Aptos
Protocol: Mole
Auditor: MoveBit
Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Mole-Aptos-Audit-Report.pdf
Report Date: Feb 2023
Description:
The two directories in the screenshot below share more than 90% of the same code, which makes code maintenance more troublesome.
Many TODOs in code
Severity: Low
Ecosystem: Aptos
Protocol: Mole
Auditor: MoveBit
Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Mole-Aptos-Audit-Report.pdf
Report Date: Feb 2023
Description:
There are still many TODOs in code, such as spec files, work, and unit tests which should be completed.
pool::add_liquidity_fix_coin & pool::add_liquidity have many duplicated codes
Severity: Low
Ecosystem: Aptos
Protocol: Cetus Concentrated Liquidity Protocol(Aptos)
Auditor: MoveBit
Report Date: Jan 2023
Code Snippet: N/A
Description:
These two functions are very important for adding liquidity, but they contain 80% duplicated code, which can be wrapped into a common function to improve code maintainability.
Gas cost is higher than other DEX
Severity: Low
Ecosystem: Aptos
Protocol: Cetus Concentrated Liquidity Protocol(Aptos)
Auditor: MoveBit
Report Date: Jan 2023
Description:
We tested create_pool, add_liquidity and swap in the clmm_router module, and found the average gas consumption for these operations to be at the 0.0n level. This is somewhat higher than other AMM DEXs. As a CLMM DEX, Cetus will definitely have higher gas, and we have already found some gas-optimization issues which Cetus has already addressed, but Cetus should still work to reduce gas further.
The definition of the variable should be placed where it is used
Severity: Low
Ecosystem: Aptos
Protocol: Transit Finance
Auditor: MoveBit
Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Transit-Finance-Audit-Report.pdf
Report Date: Nov 2022
Description:
The function get_intermediate_out_from_dexs in the aggregator module defines let amount_in_value = coin::value(&x_in); at the beginning, but the amount_in_value is used only under the dex_type == AUX_DEX condition.
All comments start with a lowercase first letter
Severity: Low
Ecosystem: Aptos
Protocol: MoveDID
Auditor: MoveBit
Report Date: Nov 2022
Code Snippet: N/A
Description:
The code has a comment style that is inconsistent with the Aptos Framework.
Identical log events
Severity: Low
Ecosystem: Aptos
Protocol: Yeap Finance
Auditor: SlowMist
Report Date: July 2025
Description:
There are multiple instances of identical event emission issues in the Yeap Finance protocol, which can make it difficult for off-chain systems to distinguish the operation functions that trigger the events, potentially leading to errors in off-chain business systems.