Low Findings
Magic number in MAX_BOND_UNBOND_AT constant
Severity: Low
Ecosystem: Sui
Protocol: Momentum
Auditor: Sherlock
Report Date: Nov 2025
Description:
The MAX_BOND_UNBOND_AT is set to 0xffff_ffff_ffff_ffff (u64 max) but this magic number isn't documented. Future developers might not understand its significance.
Excessive Validation Limits in GlobalConfig
Severity: Low
Ecosystem: Sui
Protocol: Momentum CLMM
Auditor: Asymptotic
Report Date: Aug 2025
Description:
The global config module contains unreasonably high validation limits in the enable fee rate function:
• fee rate limit allows up to 99.9999%, which is excessive and could enable abusive fee settings.
• tick spacing limit allows up to 4,194,304, far beyond practical needs and could impact pool efficiency and gas costs.
Additionally, the initial configuration and validation limits are hardcoded. Using literals directly in code instead of named constants makes maintenance harder and increases the risk of errors or inconsistencies.
Ambiguous Boundary Definition for active_id
Severity: Low
Ecosystem: Sui
Protocol: Cetus DLMM
Auditor: MoveBit
Report: https://drive.google.com/drive/u/0/folders/1d9nv3nJidsbQ0vDT8D1kEuR3rJzK2ULg
Report Date: Sep 2025
Description:
The active_id boundary check in create_pool_internal lacks a clear design specification. It uses strict inequalities (gt/lt), excluding the boundary values ±443636, but the design intent is unclear: should the boundaries be valid or invalid?
Minimum CToken Bounds
Severity: Low
Ecosystem: Sui
Protocol: Suilend
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Apr 2024
Description:
The MIN_AVAILABLE_AMOUNT constant in reserve acts as a threshold to thwart specific rounding bug attacks by ensuring that a minimum amount of the underlying token may not be withdrawn or borrowed. However, this constant should also cover ctoken_supply, which is used to critically reinitialize the ctoken ratio.
Unused Module
Severity: Low
Ecosystem: Sui
Protocol: Cetus Concentrated Liquidity Protocol (Sui)
Auditor: MoveBit
Report Date: Apr 2023
Description:
dl_list_table module is not used.
Unused Return Value
Severity: Low
Ecosystem: Sui
Protocol: Cetus Concentrated Liquidity Protocol (Sui)
Auditor: MoveBit
Report Date: Apr 2023
Description:
The function position::increase_liquidity has a return value of type u128, but it is not used.
Unused Function
Severity: Low
Ecosystem: Sui
Protocol: Cetus Concentrated Liquidity Protocol (Sui)
Auditor: MoveBit
Report Date: Apr 2023
Description:
The method borrow_mut_tick_for_swap exists but is not used anywhere in the entire contract. It is also public, which poses a security risk.
Irregularity in Fee Comment Annotation
Severity: Low
Ecosystem: Aptos
Protocol: Echleon
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Apr 2025
Description:
DEFAULT_ORIGINATION_FEE_BPS value (10) is mislabeled as 0.01% in the comment, though it actually represents 0.10%.
Inaccurate MAX_MSAFE_OWNERS_LIMIT
Severity: Low
Ecosystem: Aptos
Protocol: MSafe MVP Program
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2023
Description:
An additional nonce key is added in derive_multisig_auth_key. This means that the actual MAX_MSAFE_OWNERS_LIMIT should be one less than the Aptos enforced maximum of 32, or a total of 31.
Unused Constants Should Be Removed
Severity: Low
Ecosystem: Aptos
Protocol: StreamFlow
Auditor: MoveBit
Report: https://movebit.xyz/reports/StreamFlow2-Final-Audit-Report.pdf
Report Date: Mar 2024
Description:
There are unused constants that may be removed.
verify_platform Uses A Magic Number
Severity: Low
Ecosystem: Aptos
Protocol: Superposition
Auditor: MoveBit
Report: https://movebit.xyz/reports/Superposition-Final-Audit-Report.pdf
Report Date: Mar 2024
Description:
In the verify_platform function, it checks whether p.body.platform == 1, which means the platform is Aptos. However, using a magic number is confusing and not easy to modify in the future.