Low Findings
Unused variable
Severity: Low
Ecosystem: Supra Chain
Protocol: Dexlyn Hyperlane
Auditor: Hacken
Report: https://hacken.io/audits/dexlyn/sca-dexlyn-hyperlane-monorepo-dec2024/
Report Date: Dec 2024
Description:
In move/synthetic-tokens/sources/hyper_coin.move and move/tokens/sources/hyper_coin_collateral.move, the State struct contains an unused vector field received_messages that stores message data but is never accessed or utilized in the contract logic.
ActionGroup, VaultConfig, and ModuleConfig have unwanted copy and drop
Severity: Low
Ecosystem: Sui
Protocol: Aeon
Auditor: Asymptotic
Report: https://info.asymptotic.tech/aeon-audit-report#262c1aef2c7042b7816a0015ed4a0051
Report Date: Feb 2025
Description:
Use public struct ActionGroup has store { .. } instead of public struct ActionGroup has copy, drop, store { .. }. The same applies to public struct VaultConfig has store { .. } and public struct ModuleConfig has store { .. }.
Insecure Coin Metadata Object Handling
Severity: Low
Ecosystem: Sui
Protocol: SatLayer Sui
Auditor: Asymptotic
Report: https://info.asymptotic.tech/satlayer-audit
Report Date: Mar 2025
Description:
Coin metadata in the lbtc module is handled insecurely during initialization. The module uses transfer::public_share_object(meta) instead of transfer::public_freeze_object() when creating a new coin currency. This allows the coin metadata to remain mutable, which could lead to unauthorized modifications of the coin's properties.
Duplicate Error Codes Across Modules
Severity: Low
Ecosystem: Sui
Protocol: ZO Perps(Sudo)
Auditor: Asymptotic
Report: https://info.asymptotic.tech/sudo-audit-report
Report Date: Mar 2025
Description:
Multiple modules in the project (position.move, market.move, add_price.move, orders.move) are using overlapping error code values. This creates ambiguity when errors occur and makes it difficult to track and maintain the complete list of error codes across the system. The lack of unique error codes can lead to incorrect error handling and debugging challenges.
Incorrect Error Constant For Rebase Fee
Severity: Low
Ecosystem: Sui
Protocol: ZO Perps(Sudo)
Auditor: Asymptotic
Report: https://info.asymptotic.tech/sudo-audit-report
Report Date: Mar 2025
Description:
In the market.move contract, the deposit, withdraw, and swap functions check the rebase fee model but use an incorrectly named error constant. The assertion uses ERR_MISMATCHED_RESERVING_FEE_MODEL when validating the rebase fee model.
Incorrect Old Values Emitted in Update Events
Severity: Low
Ecosystem: Sui
Protocol: Full Sail CLMM
Auditor: Asymptotic
Report: https://info.asymptotic.tech/full-sail-clmm-audit
Report Date: May 2025
Description:
Several configuration and pool update functions emit events that include both the old and new values of updated parameters. However, the old values emitted are incorrect because the new values are written to storage before the event is emitted. As a result, both old and new values in the event payload reflect the new state, misleading off-chain consumers and compromising auditability.
Overlapping Error Codes
Severity: Low
Ecosystem: Sui
Protocol: Full Sail CLMM
Auditor: Asymptotic
Report: https://info.asymptotic.tech/full-sail-clmm-audit
Report Date: May 2025
Description:
Multiple modules define error codes with overlapping numeric values, leading to potential ambiguity. Error codes are typically defined sequentially, starting from 0 or 1.
This can lead to ambiguous error reporting and make debugging or on-chain analysis more difficult, as the origin of the error may be unclear.
Unnecessary Mutable Pool Parameter in get_position_amounts
Severity: Low
Ecosystem: Sui
Protocol: Full Sail CLMM
Auditor: Asymptotic
Report: https://info.asymptotic.tech/full-sail-clmm-audit
Report Date: May 2025
Description:
The get_position_amounts function declares a mutable reference to a Pool (&mut Pool<CoinTypeA, CoinTypeB>) but does not perform any modifications to this object during execution. It unnecessarily restricts concurrent access to the Pool object by other parts of the system.
Some errors are defined, but never used in the logic
Severity: Low
Ecosystem: Sui
Protocol: Momentum
Auditor: Sherlock
Report Date: Nov 2025
Description:
The error.move file contains definitions of all errors used across the whole logic and modules of the solution. A few of them, however, are implemented but never used in any of the flows described in the codebase. These are: e_already_has_reward_data and e_invalid_max_bond_bonus.
Missing Event in Airdrop
Severity: Low
Ecosystem: Sui
Protocol: Momentum
Auditor: MoveBit
Report Date: Nov 2025
Description:
In Airdrop, deposit_tokens and set_airdrop_end_time are missing event logs.
Missing Event in DeedNft
Severity: Low
Ecosystem: Sui
Protocol: Momentum
Auditor: MoveBit
Report Date: Nov 2025
Description:
In DeedNft, upgrade_version and set_version are missing events.
Lack of Events Emit
Severity: Low
Ecosystem: Sui
Protocol: Momentum CLMM
Auditor: MoveBit
Report Date: Nov 2025
Description:
Some functions in the contract lack appropriate events for monitoring operations, which could make it difficult to track sensitive actions or detect potential issues.
Variable Naming Errors in Code
Severity: Low
Ecosystem: Sui
Protocol: Cetus DLMM
Auditor: MoveBit
Report: https://drive.google.com/drive/u/0/folders/1d9nv3nJidsbQ0vDT8D1kEuR3rJzK2ULg
Report Date: Sep 2025
Description:
frist_score_for_swap should be first_score_for_swap; detal_liquidity should be delta_liquidity.
Struct not shared
Severity: Low
Ecosystem: Sui
Protocol: Magma Finance
Auditor: Zellic
Report: https://github.com/Zellic/publications/blob/master/Magma Finance - Zellic Audit Report.pdf
Report Date: Jan 2025
Description: The Voter and VotingEscrow objects are not properly shared after their creation. This prevents users from accessing these objects when attempting to create a lock and deposit to a gauge, as these operations require access to both the Voter and VotingEscrow objects.
Wrong check for claimable amount
Severity: Low
Ecosystem: Sui
Protocol: Magma Finance
Auditor: Zellic
Report: https://github.com/Zellic/publications/blob/master/Magma Finance - Zellic Audit Report.pdf
Report Date: Jan 2025
Description: In the extract_claimable_for function, it checks if the claimable amount is greater than the DURATION. The DURATION is set to 7 * 86400, which is irrelevant to the claimable amount.
Unused Constants
Severity: Low
Ecosystem: Sui
Protocol: Volo
Auditor: MoveBit
Report: https://movebit.xyz/reports/Volo-Smart-Contract-Audit-Report.pdf
Report Date: Sep 2023
Description:
There are two unused constants EPOCH_DURATION and E_LIMIT_TOO_BIG in the native_pool module.
Duplicated Error Codes
Severity: Low
Ecosystem: Sui
Protocol: Aftermath Finance Liquid Staking Derivative
Auditor: MoveBit
Report: https://movebit.xyz/reports/Aftermath-Finance-Liquid-Staking-Derivative-Audit-Report.pdf
Report Date: Nov 2023
Description:
In staked_sui_vault.move, both error codes EVersionIncompatibility and EDeprecated are set to 0. Though they serve similar functionalities, the former is used when "The admin calls migrate on an outdated package." and the latter is used when "One tries to call deprecated function." Thus, this could potentially lead to confusion when trying to distinguish between these two types of errors based on their codes.
Redundant Abilities of Event Object
Severity: Low
Ecosystem: Sui
Protocol: Kanalabs Aggregator Smart Contracts
Auditor: MoveBit
Report: https://movebit.xyz/reports/Kanalabs-aggregator-Smart-Contract-Final-Audit-Report.pdf
Report Date: Sep 2023
Description:
Only the copy and drop abilities are needed for event objects, so the store ability is redundant.
Unused Constant
Severity: Low
Ecosystem: Sui
Protocol: Kanalabs Aggregator Smart Contracts
Auditor: MoveBit
Report: https://movebit.xyz/reports/Kanalabs-aggregator-Smart-Contract-Final-Audit-Report.pdf
Report Date: Sep 2023
Description:
The constants CETUX_DEX and TURBOS_DEX are not used in the contract.
Unused Private Function
Severity: Low
Ecosystem: Sui
Protocol: ABEx Labs
Auditor: MoveBit
Report: https://movebit.xyz/reports/Abex-Smart-Contract-Audit-Report.pdf
Report Date: Aug 2023
Description:
The private function burn_lp is not used.
Lack of Event
Severity: Low
Ecosystem: Sui
Protocol: ABEx Labs
Auditor: MoveBit
Report: https://movebit.xyz/reports/Abex-Smart-Contract-Audit-Report.pdf
Report Date: Aug 2023
Description:
The smart contract lacks appropriate events for monitoring sensitive operations, which could make it difficult to track important actions or detect potential issues. Examples: add_new_vault, add_new_symbol, add_collateral_to_symbol, remove_collateral_from_symbol.
Unused Friend Function
Severity: Low
Ecosystem: Sui
Protocol: ABEx Labs
Auditor: MoveBit
Report: https://movebit.xyz/reports/Abex-Smart-Contract-Audit-Report.pdf
Report Date: Aug 2023
Description:
The friend functions new_referral and refresh_rebate_rate are not used.
Unused Constants
Severity: Low
Ecosystem: Sui
Protocol: ABEx Labs
Auditor: MoveBit
Report: https://movebit.xyz/reports/Abex-Smart-Contract-Audit-Report.pdf
Report Date: Aug 2023
Description:
The constants ERR_MISMATCHED_DECREASE_INTENTION and ERR_INVALID_DECREASE_AMOUNT are not used.
Lack of Events Emit
Severity: Low
Ecosystem: Sui
Protocol: Dola Protocol
Auditor: MoveBit
Report: https://movebit.xyz/reports/Dola-Protocol-Final-Audit-Report.pdf
Report Date: Feb 2024
Description:
The smart contract lacks appropriate events for monitoring sensitive operations, which could make it difficult to track sensitive actions or detect potential issues.
Lack of Events Emit
Severity: Low
Ecosystem: Sui
Protocol: Fluidity
Auditor: MoveBit
Report: https://movebit.xyz/reports/Fluidity-Final-Audit-Report.pdf
Report Date: Feb 2024
Description:
The smart contract lacks appropriate events for monitoring sensitive operations, which could make it difficult to track sensitive actions or detect potential issues.
Unnecessary store Ability for Event Struct
Severity: Low
Ecosystem: Sui
Protocol: Scallop
Auditor: MoveBit
Report Date: June 2023
Description:
Event structs in Sui need the copy and drop abilities and do not need the store ability.
Lack of Events Emit for the add_risk_model Function and add_interest_model
Severity: Low
Ecosystem: Sui
Protocol: Scallop
Auditor: MoveBit
Report Date: June 2023
Description:
The function add_risk_model does not emit an event after a new risk model is added. As a best practice, there should be events to notify users that the risk models have been changed. Otherwise, they may deposit according to the old risk model and be surprised. The same issue was found in add_interest_model.
Incorrect Return Value
Severity: Low
Ecosystem: Sui
Protocol: Scallop
Auditor: MoveBit
Report Date: June 2023
Description:
In the obligation_key_uid_mut and obligation_uid_mut functions, the return value should be mutable.
Unused Constant
Severity: Low
Ecosystem: Sui
Protocol: Scallop
Auditor: MoveBit
Report Date: June 2023
Description:
Certain variables declared in the contract are not referenced or utilized in any of the contract's functions or logic. These unused variables add unnecessary complexity to the codebase and can potentially confuse developers or auditors trying to understand the contract's functionality.
Missing Emit Event
Severity: Low
Ecosystem: Sui
Protocol: Talofa
Auditor: MoveBit
Report Date: May 2023
Description:
The smart contract lacks appropriate events for monitoring sensitive operations, which could make it difficult to track important actions or detect potential issues.
Redundant Field Attributes in a Struct
Severity: Low
Ecosystem: Sui
Protocol: TurboStar Smart Contract
Auditor: MoveBit
Report Date: May 2023
Description:
The status field in the PreSale struct is not used.
Sensitive Operation Lacks Event
Severity: Low
Ecosystem: Sui
Protocol: TurboStar Smart Contract
Auditor: MoveBit
Report Date: May 2023
Description:
Some sensitive operations lack events.
Incorrect Usage of Assert Error Code
Severity: Low
Ecosystem: Sui
Protocol: TurboStar Smart Contract
Auditor: MoveBit
Report Date: May 2023
Description:
The assert error code is used incorrectly. USER_MAX_CAP_REACHED was used instead of USER_MIN_CAP_REACHED.
Useless user Parameter
Severity: Low
Ecosystem: Sui
Protocol: Legend of Arcadia
Auditor: MoveBit
Report Date: June 2023
Description:
The parameter user in pending_proposals has no effect and cannot participate in user address filtering. It is recommended to remove it.
Unused Constant
Severity: Low
Ecosystem: Sui
Protocol: Legend of Arcadia
Auditor: MoveBit
Report Date: June 2023
Description:
There are unused constants in the code, such as ERegistered and PROPOSAL_TYPE_MULTISIG_SETTING. It is recommended to delete them.
Unused Constant
Severity: Low
Ecosystem: Sui
Protocol: Suia
Auditor: MoveBit
Report Date: May 2023
Description:
The constants ENOT_ADMIN and EIINVALID_SUIA are not used in suia_capy.move.
Repeated Error Code
Severity: Low
Ecosystem: Sui
Protocol: Typus Finance
Auditor: MoveBit
Report Date: May 2023
Description:
The error code constants E_INVALID_TIME_TYPE_INPUT and E_INVALID_OPTION_TYPE have the same value, but should be different.
There are Unused Fields in the Structure
Severity: Low
Ecosystem: Sui
Protocol: Navi
Auditor: MoveBit
Report Date: July 2023
Description:
The users field in struct Storage is only modified in the entire contract and is not used for any other logic. Similarly, the is_isolated field in struct ReserveData also has the same issue. If these fields are not needed, it is recommended to remove them.
Unused Constants
Severity: Low
Ecosystem: Sui
Protocol: Navi
Auditor: MoveBit
Report Date: July 2023
Description: There are unused constants in the contract. It is recommended to remove them.
Lacking Events
Severity: Low
Ecosystem: Sui
Protocol: Navi
Auditor: MoveBit
Report Date: July 2023
Description:
The smart contract lacks appropriate events for monitoring sensitive operations, which could make it difficult to track important actions or detect potential issues.
Unused Variable
Severity: Low
Ecosystem: Sui
Protocol: KriyaDEX
Auditor: MoveBit
Report Date: May 2023
Description:
The parameter ctx of the function update_pool() is not being utilized, which may result in warnings or unnecessary memory consumption.
Sensitive Operations Require Adding an Event
Severity: Low
Ecosystem: Sui
Protocol: KriyaDEX
Auditor: MoveBit
Report Date: May 2023
Description:
Sensitive operations require adding an event.
Incorrect Order of Variables
Severity: Low
Ecosystem: Sui
Protocol: KriyaDEX
Auditor: MoveBit
Report Date: May 2023
Description:
The function emit_liquidity_added_event() is called with parameters passed in the wrong order when adding liquidity. It should first be token_x_amount and then token_y_amount.
Lack of Vector Coin Support
Severity: Low
Ecosystem: Sui
Protocol: MovEX
Auditor: MoveBit
Report Date: May 2023
Description:
Because of Sui's object model, an entry function can accept coins in a vector, thus supporting transactions with multiple coins.
Missing Emit Events
Severity: Low
Ecosystem: Sui
Protocol: MovEX
Auditor: MoveBit
Report Date: May 2023
Description:
It is recommended to throw an update event when fee_percent is updated.
Unnecessary store Ability
Severity: Low
Ecosystem: Sui
Protocol: MovEX
Auditor: MoveBit
Report Date: May 2023
Description:
Event structs in Sui need the copy and drop abilities and do not need the store ability.
Duplicated Seq Contexts Created in execute_admin_operation Function
Severity: Low
Ecosystem: Sui
Protocol: MSafe Maven
Auditor: MoveBit
Report Date: May 2023
Description:
In the execute_admin_operation function, two identical Seq contexts are created by order_context::new_seq_context(maven_id).
Incorrect Parameter Configuration
Severity: Low
Ecosystem: Sui
Protocol: SuiPad
Auditor: MoveBit
Report Date: May 2023
Description:
The description of the token is incorrect. It should not be SuiPad launchpad test token, but SuiPad launchpad token.
Unused Struct
Severity: Low
Ecosystem: Sui
Protocol: SuiPad
Auditor: MoveBit
Report Date: May 2023
Description:
The structs CampaignClosedEvent, RewardsClaimedEvent, and InvestmentClaimedEvent are unused in campaign.move, and RefundInvestmentEvent is unused in vault.move.
Lack of Event
Severity: Low
Ecosystem: Sui
Protocol: SuiPad
Auditor: MoveBit
Report Date: May 2023
Description:
The smart contract lacks appropriate events for monitoring sensitive operations, which could make it difficult to track important actions or detect potential issues. For example: add_to_whitelist in the whitelist.move.
Misspelled Keywords
Severity: Low
Ecosystem: Sui
Protocol: Aries Market (Sui)
Auditor: MoveBit
Report Date: June 2023
Description:
A misspelling error has been found in the code at line 69 of reserve_config.move where the keyword #[test_only] is misspelled as #[test_onlu]. This typing error can cause a failure in testing when executed.
Unused or Improperly Used Functions and Constants
Severity: Low
Ecosystem: Sui
Protocol: Aries Market (Sui)
Auditor: MoveBit
Report Date: June 2023
Description:
Certain private functions such as oracle::get_oracle_price() and u128_math::approx_eq() are either unused or only used in test functions. Additionally, there are some empty init functions such as reserve_config::init() and profile::init(), as well as constants such as EORACLE_NO_DATA, EORACLE_PRICE_STALE, EORACLE_PRICES_DIVERGE, and U64_MAX that are not being used.
Unused Private Functions
Severity: Low
Ecosystem: Sui
Protocol: Cetus Concentrated Liquidity Protocol (Sui)
Auditor: MoveBit
Report Date: Apr 2023
Description: There is a private function remove_tick in the tick module that is not used.
Invalid Capability
Severity: Low
Ecosystem: Aptos
Protocol: Tortuga
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: June 2023
Description:
With the inclusion of the delegation_pool feature, several components require updates to facilitate its integration. However, validator_router::set_withdraw_signature and validator_router::verify_withdraw_signature_for_validator are missing the necessary modifications. When public validators sign up, they must provide their DelegationPoolOwnership capability by invoking delegation_pool::get_owned_pool_address. However, the current version incorrectly assumes a SharesData capability as proof of owning a stake_pool, resulting in invalid validator sign-ups.
Unused Constant
Severity: Low
Ecosystem: Aptos
Protocol: Supra
Auditor: MoveBit
Report: https://movebit.xyz/reports/Supra-Smart-Contract-Audit-Report.pdf
Report Date: Sep 2023
Code Snippet: N/A
Description:
The constant EOWNER is not used in the contract.
Sensitive Operation Lacks Event
Severity: Low
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
In the contract, some sensitive operations lack event listeners, making it difficult for external tracking of changes in related data within the contract. The functions affected by this issue include offer_admin_previliges(), cancel_admin_previliges(), claim_admin_previliges(), and set_dex_liquidity_fee(), among others.
Unused Private Function
Severity: Low
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
The function assert_pair_is_not_created() defined in module router_v2 is not used, which leads to increased gas consumption and reduces the readability and understandability of the code.
The FeeChangeEvent Structure is Not Being Utilized
Severity: Low
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
The FeeChangeEvent structure is intended to monitor changes in various fees, but it's not being utilized within the contract. As a result, there's an inability to promptly track changes in fees.
Unused Constant
Severity: Low
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
The main consequence of the Unused Constants defect is the increase in gas costs during module deployment, leading to gas wastage.
Lack of Events Emit
Severity: Low
Ecosystem: Aptos
Protocol: MoveGPT
Auditor: MoveBit
Report: https://movebit.xyz/reports/MoveGPT-Final-Audit-Report.pdf
Report Date: Apr 2024
Description:
The smart contract lacks appropriate events for monitoring sensitive operations, which could make it difficult to track sensitive actions or detect potential issues.
Missing Events For Important Parameter Updates
Severity: Low
Ecosystem: Aptos
Protocol: StreamFlow
Auditor: MoveBit
Report: https://movebit.xyz/reports/StreamFlow2-Final-Audit-Report.pdf
Report Date: Mar 2024
Description:
We found that when important parameters are updated in the project, the function doesn't emit the update event, so we suggest emitting the event in time so as to notify the user or off-chain programs.
Unused Event Should Be Removed
Severity: Low
Ecosystem: Aptos
Protocol: StreamFlow
Auditor: MoveBit
Report: https://movebit.xyz/reports/StreamFlow2-Final-Audit-Report.pdf
Report Date: Mar 2024
Description:
There are unused events that may be removed, such as EscrowInitEvent.
Underutilized Constant EID_INVALID in Pegging Module
Severity: Low
Ecosystem: Aptos
Protocol: Amnis
Auditor: MoveBit
Report: https://movebit.xyz/reports/Amnis-Final-Audit-Report.pdf
Report Date: Mar 2024
Description:
The constant EID_INVALID in the pegging module is not utilized, potentially impacting code readability and causing unnecessary gas consumption.
Lack of Events Emit
Severity: Low
Ecosystem: Aptos
Protocol: vibrantX
Auditor: MoveBit
Report: https://movebit.xyz/reports/vibrantX-Final-Audit-Report.pdf
Report Date: Jan 2024
Description:
The smart contract lacks appropriate events for monitoring sensitive operations, which could make it difficult to track sensitive actions or detect potential issues.
Inappropriate borrow
Severity: Low
Ecosystem: Aptos
Protocol: Mokshya/Wapal Aptos NFT Mint Smart Contract
Auditor: MoveBit
Report Date: Mar 2023
Description:
In the function candymachine::mint_script, the resource CandyMachine is obtained through borrow_global_mut, but there is no need to modify CandyMachine in this function. Using borrow_global_mut may be risky, and the function candymachine::mint_from_merkle also has this problem. A similar problem exists with the use of table_with_length::borrow_mut in the function candymachine::bucket_table::borrow.
The code specification is not uniform
Severity: Low
Ecosystem: Aptos
Protocol: Aries Market(Aptos)
Auditor: MoveBit
Report Date: Feb 2023
Description:
The calling methods of the two iterable_table::contains in the function remove_collateral_profile are inconsistent, one of which lacks the generic parameters, and the error code of assert should be defined as a constant EPROFILE_NO_BORROWED_RESERVE.
Assertion error code is incorrect
Severity: Low
Ecosystem: Aptos
Protocol: Aries Market(Aptos)
Auditor: MoveBit
Report Date: Feb 2023
Description:
The function profile::new contains an assertion on whether addr owns Profiles, but the returned error code is EPROFILE_ALREADY_EXIST, which should be EPROFILE_NOT_EXIST.
Wrong error code throw function
Severity: Low
Ecosystem: Aptos
Protocol: Mole
Auditor: MoveBit
Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Mole-Aptos-Audit-Report.pdf
Report Date: Feb 2023
Description:
The code uses permission_denied to throw error codes. Different errors are thrown in different ways in the source code. Therefore, it is recommended to use invalid_argument for parameter errors.
TODO labels still remain in the code
Severity: Low
Ecosystem: Aptos
Protocol: Cetus Concentrated Liquidity Protocol(Aptos)
Auditor: MoveBit
Report Date: Jan 2023
Description:
There are some TODO labels in clmm_math.move; all the remaining TODO labels are about tests. A TODO often means that work is not finished or that defects are possible. If we're not sure about the code, we should write more tests to ensure it works correctly.
Missing ;
Severity: Low
Ecosystem: Aptos
Protocol: MoveDID
Auditor: MoveBit
Report Date: Nov 2022
Description:
The set_sign_and_updated_at function is missing a semicolon at the end of the function. This function does not have a return value, adding a semicolon would make it more readable.
Unused Function
Severity: Low
Ecosystem: Aptos
Protocol: MoveDID
Auditor: MoveBit
Report Date: Nov 2022
Description:
This function is not an entry function and has not been called. Add a comment if you plan to use this afterward, otherwise, delete it.
get_oracle_base_currency view function is acquiring a mutable reference to the Global Storage
Severity: Low
Ecosystem: Aptos
Protocol: AAVE v3.0.2 Core
Auditor: Spearbit
Report Date: Jun 2025
Description:
The get_oracle_base_currency function is declared as a view function and should not acquire a mutable reference to the global storage.
Missing Event Emit
Severity: Low
Ecosystem: Sui
Protocol: Volo
Auditor: Hacken
Report: https://hacken.io/audits/volo/sca-volo-liquid-staking-aug2023/
Report Date: Sep 2023
Description:
The functions are considered to perform valuable configuration changes, which users should be notified about.
Unused Variables/Structs
Severity: Low
Ecosystem: Sui
Protocol: Volo
Auditor: Hacken
Report: https://hacken.io/audits/volo/sca-volo-liquid-staking-aug2023/
Report Date: Sep 2023
Description:
Unused variables and structs should be removed from the contracts. Although unused variables and structs are allowed in Move and do not pose a direct security issue, it is best practice to avoid them as they can cause an increase in computations (and unnecessary Gas consumption) and decrease the code readability.
Lack of Account Registration Check for Coin
Severity: Low
Ecosystem: Aptos, Initia, and Movement
Protocol: Echelon Market
Auditor: Quantstamp
Report Date: Mar 2025
Description:
Different functions in the isolated_lending::isolated_lending module work with Move Coin. However, they miss proper registration for the coin before calling the coin::deposit function.
Missing EventOpenBinStepPreset emission when bin is removed via factory::remove_preset function
Severity: Low
Ecosystem: Aptos
Protocol: Magma DEX
Auditor: Three Sigma
Report: https://cdn.sanity.io/files/qoqld077/staging/9566473c444a6cfd99c7a6556fa4857950b41de3.pdf
Report Date: July 2025
Description:
When a bin's status is set to either opened or closed, we emit an EventOpenBinStepPreset event with the bin information and its new status. The main function used to close bins is factory::close_bin_step_preset, which already emits this event when closing. There is another execution path that leads to closing the bin: when the preset is removed entirely and the bin is open, we close it. But in that case we are not emitting the EventOpenBinStepPreset event for the bin being closed.