Critical Findings


Hardcoded Token Type Mismatches with Generic Parameter May Lead to Asset Loss

Severity: Critical

Ecosystem: Sui

Protocol: Creek Finance

Auditor: MoveBit

Report: https://movebit.xyz/reports/Creek-Audit-Report-2025-12-30.pdf

Report Date: Dec 2025

Description: The function repay is declared as a generic function, intended to handle repayments for any asset type. However, the type of its parameter user_coin is hardcoded as Coin<COIN_GUSD>, and the call to coin::split within the function body also uses the hardcoded COIN_GUSD type. This creates a severe conflict between the declared generic capability of the function and its actual implementation. When the function is called with any asset type T other than COIN_GUSD, type_name::get() correctly retrieves the type of T for debt queries, but the function then processes Coin objects of type COIN_GUSD. The resulting type mismatch when calling market::handle_repay may cause asset loss, and it renders the function unusable for the multiple assets it was intended to support.


Faulty Constant Definition

Severity: Critical

Ecosystem: Sui

Protocol: Bluefin Spot

Auditor: OtterSec

Report: https://www.notion.so/a296e98838aa4fdb8f3b192663400772

Report Date: Nov 2024

Description:

The MAX_u64 constant is incorrectly defined as 0xFFFFFFFFFFFFFFF (15 characters) instead of 0xFFFFFFFFFFFFFFFF (16 characters). This omission causes errors in tick calculations by ignoring the most significant bit.
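As an added check, not part of the OtterSec report or the Bluefin code, the following Python script scans Move constant declarations and flags hex literals whose digit count does not fit the declared integer type; the `const NAME: uN = 0x...;` syntax, the sample source and the "MAX"-in-name heuristic are assumptions of this example.

```python
import re

# Bit width of each Move unsigned integer type.
MOVE_INT_BITS = {"u8": 8, "u16": 16, "u32": 32, "u64": 64, "u128": 128, "u256": 256}

# Matches `const NAME: uN = 0x...;` declarations with a hex literal (assumed syntax).
CONST_RE = re.compile(
    r"const\s+(?P<name>\w+)\s*:\s*(?P<ty>u(?:8|16|32|64|128|256))"
    r"\s*=\s*0x(?P<hex>[0-9a-fA-F_]+)\s*;"
)


def check_hex_constants(source: str) -> list[str]:
    """Return one warning per hex constant whose digit count does not fit its type.

    Two cases are flagged:
      * more hex digits than the type can hold (the literal overflows the type);
      * a constant named like a maximum (contains "MAX") written as all F digits
        but with fewer digits than the type's maximum needs, i.e. a dropped digit
        such as 0xFFFFFFFFFFFFFFF (15 digits) for a u64 whose maximum has 16.
    """
    warnings = []
    for m in CONST_RE.finditer(source):
        name, ty = m.group("name"), m.group("ty")
        digits = m.group("hex").replace("_", "")
        max_digits = MOVE_INT_BITS[ty] // 4
        if len(digits) > max_digits:
            warnings.append(f"{name}: {len(digits)} hex digits exceed {ty} ({max_digits} max)")
        elif "MAX" in name.upper() and set(digits.lower()) == {"f"} and len(digits) < max_digits:
            warnings.append(
                f"{name}: all-F literal has {len(digits)} hex digits but {ty} max needs "
                f"{max_digits}; value is {int(digits, 16)} instead of {2 ** MOVE_INT_BITS[ty] - 1}"
            )
    return warnings


# Constructed sample: a 15-digit MAX_u64 beside correct definitions and a legitimate short mask.
SAMPLE = """
    const MAX_u64: u64 = 0xFFFFFFFFFFFFFFF;
    const MAX_U64_OK: u64 = 0xFFFFFFFFFFFFFFFF;
    const MAX_U128: u128 = 0xFFFF_FFFF_FFFF_FFFF_FFFF_FFFF_FFFF_FFFF;
    const TICK_MASK: u32 = 0xFFFF;
"""

if __name__ == "__main__":
    for warning in check_hex_constants(SAMPLE):
        print(warning)
```

Only the 15-digit MAX_u64 is reported; the underscore-grouped u128 maximum and the deliberately short TICK_MASK pass.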


DefaultBidPercentage Misconfiguration

Severity: Critical

Ecosystem: Sui

Protocol: MoviePass Exchange

Auditor: Certora

Report: https://github.com/Certora/SecurityReports/blob/main/Reports/2025/03_02_2025_MoviePass_MSX-MR.pdf

Report Date: Feb 2025

Description:

The DefaultBidPercentage constant is incorrectly set to 10_000 instead of 1_000_000, causing the maximum bid rate to be misconfigured and potentially allowing unexpected bid behaviors.