Low Findings


Token ID Collision Allows State Corruption

Severity: Low

Ecosystem: IOTA Mainnet

Protocol: Echo Protocol Bridge

Auditor: Hacken

Report: https://hacken.io/audits/echo-protocol/sca-echo-protocol-bridge-iota-jul2025/

Report Date: Aug 2025

Description:

The add_new_token function does not verify that a new token_id is unused before binding it to a token. An administrator could inadvertently (or maliciously) assign an already-used token_id to a new token, which overwrites the existing entry in the id_token_type_map and leaves the contract's state inconsistent: the previously registered token becomes "orphaned" and can no longer be reached through ID-based functions, and any function that relies on this mapping for validation behaves incorrectly.
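One shape of the missing check, given here as an added illustration and not as Echo Protocol's code. It is written against the Aptos Move standard library (the Echo bridge runs on IOTA, whose framework uses different module paths but the same table primitives); the Registry layout, the example_addr named address, the admin field and the abort codes are all assumptions.

```move
/// Added example (not Echo Protocol code): a registry that refuses to reuse a token_id.
/// Assumes a named address `example_addr` in Move.toml and the Aptos framework as a dependency.
module example_addr::token_registry {
    use std::signer;
    use std::string::{Self, String};
    use aptos_std::table::{Self, Table};

    /// Caller is not the registry admin.
    const ENOT_ADMIN: u64 = 1;
    /// token_id is already mapped to a token type.
    const ETOKEN_ID_IN_USE: u64 = 2;

    struct Registry has key {
        admin: address,
        /// token_id -> token type name (hypothetical shape of id_token_type_map)
        id_token_type_map: Table<u64, String>,
    }

    public entry fun init(admin: &signer) {
        move_to(admin, Registry {
            admin: signer::address_of(admin),
            id_token_type_map: table::new(),
        });
    }

    /// Vulnerable shape: `upsert` silently replaces an existing entry, so a reused id
    /// orphans whatever token was registered under it before.
    public entry fun add_new_token_unchecked(admin: &signer, token_id: u64, token_type: String)
    acquires Registry {
        let registry = borrow_global_mut<Registry>(@example_addr);
        assert!(signer::address_of(admin) == registry.admin, ENOT_ADMIN);
        table::upsert(&mut registry.id_token_type_map, token_id, token_type);
    }

    /// Hardened shape: reject an id that is already registered. `table::add` itself also aborts
    /// on a duplicate key; the explicit check gives callers a documented, module-specific abort code.
    public entry fun add_new_token(admin: &signer, token_id: u64, token_type: String)
    acquires Registry {
        let registry = borrow_global_mut<Registry>(@example_addr);
        assert!(signer::address_of(admin) == registry.admin, ENOT_ADMIN);
        assert!(!table::contains(&registry.id_token_type_map, token_id), ETOKEN_ID_IN_USE);
        table::add(&mut registry.id_token_type_map, token_id, token_type);
    }

    #[test(admin = @example_addr)]
    #[expected_failure(abort_code = 2, location = Self)]
    fun duplicate_id_is_rejected(admin: &signer) acquires Registry {
        init(admin);
        add_new_token(admin, 1, string::utf8(b"USDC"));
        // Second registration of id 1 must abort with ETOKEN_ID_IN_USE instead of overwriting.
        add_new_token(admin, 1, string::utf8(b"USDT"));
    }
}
```

Run the unit test with `aptos move test` from a package that defines `example_addr`; the test passes only if the second call aborts with the expected code, which is the behaviour the finding asks for.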


Denial of Service via Hash Collision

Severity: Low

Ecosystem: Aptos

Protocol: AAVE v3.0.2 Core

Auditor: Certora

Report: https://github.com/aave/aptos-aave-v3/blob/main/audits/Ottersec Aave Aptos V3.1-V3.3 Report.pdf

Report Date: Apr 2025

Description:

The SmartTable is vulnerable to a hash-collision denial of service: keys are hashed into a bounded number of buckets and an insert aborts once its target bucket is full, so a malicious user who inserts many keys that land in one bucket can make every later insert of a legitimate key hashing to that bucket abort, denying those users access.
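The pattern that triggers this, and the simplest way out of it, as an added example that is not AAVE's code. The module below keeps the same user-facing interface in two shapes: a SmartTable whose keys are chosen by arbitrary callers, and a plain Table. The module name, the example_addr named address and the claim-registry use case are assumptions; the per-bucket cap and the EEXCEED_MAX_BUCKET_SIZE abort come from the aptos_std smart_table implementation.

```move
/// Added example (not AAVE code): a name-claim registry in a vulnerable and a hardened shape.
/// Assumes a named address `example_addr` and the Aptos framework as a dependency.
module example_addr::name_claims {
    use std::signer;
    use aptos_std::smart_table::{Self, SmartTable};
    use aptos_std::table::{Self, Table};

    /// Vulnerable: untrusted callers pick the keys of one shared SmartTable. SmartTable places
    /// entries in buckets by a hash of the key and `add` aborts (EEXCEED_MAX_BUCKET_SIZE) once the
    /// target bucket is at its cap. The hash is deterministic and public, so an attacker can
    /// precompute names that all land in one bucket, fill it, and from then on every honest claim
    /// whose name hashes to that bucket aborts.
    struct ClaimsSmart has key {
        owner_of: SmartTable<vector<u8>, address>,
    }

    /// Hardened: `Table` gives every key its own storage slot with no bucket and no cap, so a
    /// flood of colliding keys costs the attacker gas and storage but never blocks other users.
    struct Claims has key {
        owner_of: Table<vector<u8>, address>,
    }

    public entry fun init(deployer: &signer) {
        move_to(deployer, ClaimsSmart { owner_of: smart_table::new() });
        move_to(deployer, Claims { owner_of: table::new() });
    }

    /// Vulnerable entry point: any signer, any key, into the bucketed table.
    public entry fun claim_vulnerable(user: &signer, name: vector<u8>) acquires ClaimsSmart {
        let claims = borrow_global_mut<ClaimsSmart>(@example_addr);
        smart_table::add(&mut claims.owner_of, name, signer::address_of(user));
    }

    /// Hardened entry point: same interface, unbucketed storage.
    public entry fun claim(user: &signer, name: vector<u8>) acquires Claims {
        let claims = borrow_global_mut<Claims>(@example_addr);
        table::add(&mut claims.owner_of, name, signer::address_of(user));
    }

    #[view]
    public fun owner_of(name: vector<u8>): address acquires Claims {
        *table::borrow(&borrow_global<Claims>(@example_addr).owner_of, name)
    }
}
```

If a SmartTable has to stay (for example because the contract iterates over it), the alternative mitigations are to restrict who may insert, or to bound the number of entries a single caller can add, so that no untrusted party controls enough keys to fill a bucket.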


Token Name Collision

Severity: Low

Ecosystem: Aptos, Initia, and Movement

Protocol: Echelon Market

Auditor: Quantstamp

Report: https://certificate.quantstamp.com/full/echelon-market/9ee15c30-6a0f-4a70-b5ce-63b8a887bd4e/index.html

Report Date: Mar 2025

Code: N/A

Description:

The two functions new_reward<RewardCoin> and new_reward_fa register different tokens for reward payments. Under the hood, both call new_reward_for_farming_internal with only the asset name as the identifier, so a fungible asset (FA) and a coin that share the same name are treated as the same reward and their registrations collide.
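One way to key rewards so that a coin and an FA can never collide, as an added example that is not Echelon Market's code: instead of the display name, the key carries the asset kind plus an identifier that is unique within that kind (the fully qualified coin type name for coins, the metadata object address for FAs). The RewardKey and Reward layouts, the Farm resource, the module name and the abort code are assumptions.

```move
/// Added example (not Echelon Market code): collision-free reward keys for coins and FAs.
/// Assumes a named address `example_addr` and the Aptos framework as a dependency.
module example_addr::rewards {
    use std::string::{Self, String};
    use aptos_std::table::{Self, Table};
    use aptos_std::type_info;
    use aptos_framework::fungible_asset::Metadata;
    use aptos_framework::object::{Self, Object};

    /// A reward for this asset is already registered.
    const EREWARD_EXISTS: u64 = 1;

    /// Composite key. Two assets of different kinds differ in `is_fa`; two coins differ in
    /// `coin_type` (e.g. "0x1::aptos_coin::AptosCoin"); two FAs differ in `fa_metadata`.
    /// The human-readable name is deliberately not part of the key.
    struct RewardKey has copy, drop, store {
        is_fa: bool,
        coin_type: String,    // fully qualified type name for coins, empty for FAs
        fa_metadata: address, // metadata object address for FAs, @0x0 for coins
    }

    struct Reward has store {
        name: String,
        rate_per_second: u64,
    }

    struct Farm has key {
        rewards: Table<RewardKey, Reward>,
    }

    fun coin_key<RewardCoin>(): RewardKey {
        RewardKey {
            is_fa: false,
            coin_type: type_info::type_name<RewardCoin>(),
            fa_metadata: @0x0,
        }
    }

    fun fa_key(metadata: Object<Metadata>): RewardKey {
        RewardKey {
            is_fa: true,
            coin_type: string::utf8(b""),
            fa_metadata: object::object_address(&metadata),
        }
    }

    /// Shared registration path; the name is stored for display only.
    fun new_reward_internal(farm: &mut Farm, key: RewardKey, name: String, rate_per_second: u64) {
        assert!(!table::contains(&farm.rewards, key), EREWARD_EXISTS);
        table::add(&mut farm.rewards, key, Reward { name, rate_per_second });
    }

    public fun new_reward<RewardCoin>(farm: &mut Farm, name: String, rate_per_second: u64) {
        new_reward_internal(farm, coin_key<RewardCoin>(), name, rate_per_second);
    }

    public fun new_reward_fa(farm: &mut Farm, metadata: Object<Metadata>, name: String, rate_per_second: u64) {
        new_reward_internal(farm, fa_key(metadata), name, rate_per_second);
    }
}
```

With this key a coin named "USDC" and an FA named "USDC" occupy two distinct table entries, and registering the same coin type or the same FA metadata twice still aborts with EREWARD_EXISTS.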


Possible Object Account Address Collision

Severity: Low

Ecosystem: Aptos, Initia, and Movement

Protocol: Echelon Market

Auditor: Quantstamp

Report: https://certificate.quantstamp.com/full/echelon-market/9ee15c30-6a0f-4a70-b5ce-63b8a887bd4e/index.html

Report Date: Mar 2025

Code: N/A

Description:

Different objects, such as JumpInterestRateModel, MarketLiquidationThreshold, MarketLiquidationIncentive, MarketLiquidationPauseFlag, CoinInfo, and FungibleAssetInfo, are in various places moved to global storage under the same market_signer object account. Objects should instead be isolated in separate accounts; otherwise, a modification to one object under that account can affect the entire collection.
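One way to give each per-market configuration its own object account, as an added example that is not Echelon Market's code: each resource is placed under a named child object of the market, derived from the market address and a per-resource seed, so readers and writers of one configuration never touch the account that holds another. The resource fields, the seed strings, the module name and the default values are assumptions; only the resource names come from the finding.

```move
/// Added example (not Echelon Market code): one object account per market configuration.
/// Assumes a named address `example_addr` and the Aptos framework as a dependency.
module example_addr::market_config {
    use aptos_framework::object;

    struct JumpInterestRateModel has key { base_rate_bps: u64, slope_bps: u64 }
    struct MarketLiquidationThreshold has key { bps: u64 }
    struct MarketLiquidationIncentive has key { bps: u64 }
    struct MarketLiquidationPauseFlag has key { paused: bool }

    /// Per-resource seeds (hypothetical). Combined with the market address, each seed fixes the
    /// address of one child object, so every config lives under its own object account instead
    /// of all of them sharing `market_signer`.
    const SEED_RATE_MODEL: vector<u8> = b"jump_interest_rate_model";
    const SEED_LIQ_THRESHOLD: vector<u8> = b"market_liquidation_threshold";
    const SEED_LIQ_INCENTIVE: vector<u8> = b"market_liquidation_incentive";
    const SEED_PAUSE_FLAG: vector<u8> = b"market_liquidation_pause_flag";

    /// Creates a named child object of the market and returns a signer for it.
    fun child_signer(market_signer: &signer, seed: vector<u8>): signer {
        let ctor = object::create_named_object(market_signer, seed);
        object::generate_signer(&ctor)
    }

    public fun init_market_config(market_signer: &signer) {
        let rate_signer = child_signer(market_signer, SEED_RATE_MODEL);
        move_to(&rate_signer, JumpInterestRateModel { base_rate_bps: 0, slope_bps: 0 });

        let threshold_signer = child_signer(market_signer, SEED_LIQ_THRESHOLD);
        move_to(&threshold_signer, MarketLiquidationThreshold { bps: 8000 });

        let incentive_signer = child_signer(market_signer, SEED_LIQ_INCENTIVE);
        move_to(&incentive_signer, MarketLiquidationIncentive { bps: 500 });

        let pause_signer = child_signer(market_signer, SEED_PAUSE_FLAG);
        move_to(&pause_signer, MarketLiquidationPauseFlag { paused: false });
    }

    /// Readers derive one config's address from the market address and its seed; reading the
    /// pause flag borrows only the pause-flag object, not the object holding the rate model.
    public fun pause_flag_address(market: address): address {
        object::create_object_address(&market, SEED_PAUSE_FLAG)
    }

    public fun is_paused(market: address): bool acquires MarketLiquidationPauseFlag {
        borrow_global<MarketLiquidationPauseFlag>(pause_flag_address(market)).paused
    }
}
```

Because the child addresses are deterministic, off-chain tooling can compute them from the market address alone, and a later change to any single configuration can be authorised and audited per object rather than per market account.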