Low Findings
Token ID Collision Allows State Corruption
Severity: Low
Ecosystem: IOTA Mainnet
Protocol: Echo Protocol Bridge
Auditor: Hacken
Report: https://hacken.io/audits/echo-protocol/sca-echo-protocol-bridge-iota-jul2025/
Report Date: Aug 2025
Description:
The add_new_token function lacks validation to ensure that a new token_id is unique before it is assigned to a token. An administrator could inadvertently (or maliciously) assign an already-used token_id to a new token. This would overwrite the entry in the id_token_type_map, causing the contract's state to become inconsistent. As a result, the previously registered token becomes "orphaned" and unmanageable through ID-based functions, while functions relying on this mapping for validation will behave incorrectly.
Denial of Service via Hash Collision
Severity: Low
Ecosystem: Aptos
Protocol: AAVE v3.0.2 Core
Auditor: Certora
Report: https://github.com/aave/aptos-aave-v3/blob/main/audits/Ottersec Aave Aptos V3.1-V3.3 Report.pdf
Report Date: Apr 2025
Description:
The SmartTable is vulnerable to a hash denial-of-service attack, where malicious users may overload a specific bucket, creating aborts and denying access to legitimate users with colliding keys.
Token Name Collision
Severity: Low
Ecosystem: Aptos, Initia, and Movement
Protocol: Echelon Market
Auditor: Quantstamp
Report Date: Mar 2025
Code: N/A
Description:
The two functions new_reward<RewardCoin> and new_reward_fa are used to register different tokens for reward payments. Under the hood, both of these functions call new_reward_for_farming_internal with the asset name. This can be problematic in the case of a name collision between an FA and a coin, since both registrations would resolve to the same name.
Possible Object Account Address Collision
Severity: Low
Ecosystem: Aptos, Initia, and Movement
Protocol: Echelon Market
Auditor: Quantstamp
Report Date: Mar 2025
Code: N/A
Description:
Different object accounts, such as JumpInterestRateModel, MarketLiquidationThreshold, MarketLiquidationIncentive, MarketLiquidationPauseFlag, CoinInfo, and FungibleAssetInfo, are moved to global storage in various places under the same market_signer object identifier. However, objects should be isolated to different accounts; otherwise, modifications to one object within an account can influence the entire collection.