Medium Findings
Missing Reward Release Update When Breaking from Settlement Loop
Severity: Medium
Ecosystem: Sui
Protocol: Cetus DLMM
Auditor: MoveBit
Report: https://drive.google.com/drive/u/0/folders/1d9nv3nJidsbQ0vDT8D1kEuR3rJzK2ULg
Report Date: Sep 2025
Description:
In the settle_rewards function, when the condition if (current_time < next_settle_at) is met, the function breaks from the inner loop without updating reward.reward_released with the accumulated reward. This leads to potential reward loss and state inconsistency.
Incomplete Handling of Staked Liquidity in Fullsail Distribution
Severity: Medium
Ecosystem: Sui
Protocol: Full Sail CLMM
Auditor: Asymptotic
Report: https://info.asymptotic.tech/full-sail-clmm-audit
Report Date: May 2025
Description:
The pool maintains fullsail_distribution_staked_liquidity separately from total liquidity, creating a risk of desynchronization. Liquidity updates in the pool and staked liquidity changes are decoupled, allowing inconsistencies to arise between staking status and the underlying liquidity.
Inconsistent Balance Management in RewarderGlobalVault
Severity: Medium
Ecosystem: Sui
Protocol: Full Sail CLMM
Auditor: Asymptotic
Report: https://info.asymptotic.tech/full-sail-clmm-audit
Report Date: May 2025
Description:
The RewarderGlobalVault maintains two separate balance tracking mechanisms: coin balances in a bag and logical balances in an available_balance table. The function emergent_withdraw bypasses the available_balance accounting by directly withdrawing from the coin balance, which will lead to reward collection failures for users.
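The drift described above can be modelled and checked with a simple invariant. This is an added example, not code from the audit report or the protocol: only emergent_withdraw and available_balance are names from the finding, and the class, the other methods, the coin label and the amounts are hypothetical.

```python
class VaultModel:
    """Toy two-ledger vault (hypothetical model, not the protocol's Move code)."""

    def __init__(self):
        self.coins = {}               # stands in for the bag of coin balances
        self.available_balance = {}   # logical per-coin accounting table

    def deposit(self, coin, amount):
        self.coins[coin] = self.coins.get(coin, 0) + amount
        self.available_balance[coin] = self.available_balance.get(coin, 0) + amount

    def emergent_withdraw(self, coin, amount):
        # Behaviour described in the finding: only the coin balance moves.
        if self.coins.get(coin, 0) < amount:
            raise ValueError("coin balance too low")
        self.coins[coin] -= amount

    def collect_reward(self, coin, amount):
        # Payout is authorised by the logical table, then paid from the coins.
        if self.available_balance.get(coin, 0) < amount:
            raise ValueError("nothing available")
        if self.coins.get(coin, 0) < amount:
            raise RuntimeError("coins cannot cover a reward the table promised")
        self.available_balance[coin] -= amount
        self.coins[coin] -= amount
        return amount

    def drift(self):
        # Invariant: the table never promises more than the coins hold.
        # Returns {coin: (promised, held)} for every coin that violates it.
        return {c: (promised, self.coins.get(c, 0))
                for c, promised in self.available_balance.items()
                if promised > self.coins.get(c, 0)}


def scenario():
    vault = VaultModel()
    vault.deposit("REWARD", 100)            # constructed sample values
    before = vault.drift()
    vault.emergent_withdraw("REWARD", 70)   # table still says 100, coins hold 30
    after = vault.drift()
    try:
        vault.collect_reward("REWARD", 40)
        outcome = "paid"
    except RuntimeError:
        outcome = "collection failed"
    return before, after, outcome
```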
TakeRevenueEvent May Not Match The Actual Transferred Amount
Severity: Medium
Ecosystem: Sui
Protocol: Creek Finance
Auditor: MoveBit
Report: https://movebit.xyz/reports/Creek-Audit-Report-2025-12-30.pdf
Report Date: Dec 2025
Description:
In the take_revenue logic, there is an inconsistency between the emitted event amount and the actual amount of tokens transferred.
Attacker Can Desynchronize Supply Snapshot During Same-Block Unstake, Reducing Everyone’s Rewards
Severity: Medium
Ecosystem: Initia
Protocol: Cabal Liquid Staking
Auditor: Code4rena Contest Security Researchers
Report: https://code4rena.com/reports/2025-04-cabal-liquid-staking-token
Report Date: May 2025
Description:
An attacker holding Cabal LSTs (like sxINIT) can monitor the mempool for the manager’s voting_reward::snapshot() transaction. By submitting their own cabal::initiate_unstake transaction to execute in the same block (H) as the manager’s snapshot, the attacker can use two flaws: (1) cabal_token::burn (called by their unstake) doesn’t update the supply snapshot for block H, leaving the recorded supply artificially high (pre-burn); (2) cabal_token::check_snapshot skips recording the attacker’s own balance for block H. Later reward calculations use the stale high supply but retrieve the attacker’s now lower (post-burn) balance via fallback logic. This desynchronization causes the total calculated reward shares to be less than 100%, reducing the rewards paid out to all users for that cycle.
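The share arithmetic behind this finding, as an added example that is not code from the report or the protocol. Only snapshot, check_snapshot and burn echo names on the page; the ledger model, holder names, amounts and block numbers are constructed, the fallback is assumed to read the live balance, and the `patched` branch is one assumed remediation rather than the project's fix.

```python
from fractions import Fraction


class LstLedger:
    """Toy token ledger (hypothetical model of the accounting described above)."""

    def __init__(self, balances, patched):
        self.balances = dict(balances)    # live balances (constructed sample)
        self.supply = sum(balances.values())
        self.patched = patched            # assumed fix: burn refreshes a same-block snapshot
        self.supply_at = {}               # snapshot block -> recorded supply
        self.balance_at = {}              # (holder, snapshot block) -> recorded balance

    def snapshot(self, block):
        self.supply_at[block] = self.supply

    def check_snapshot(self, holder, block):
        # Preserve the holder's pre-change balance for earlier snapshot blocks.
        for snap in self.supply_at:
            if snap == block:
                continue                  # same-block snapshot skipped, as the finding describes
            self.balance_at.setdefault((holder, snap), self.balances[holder])

    def burn(self, holder, amount, block):
        self.check_snapshot(holder, block)
        self.balances[holder] -= amount
        self.supply -= amount
        if self.patched and block in self.supply_at:
            # Keep the recorded supply consistent with the fallback balance.
            self.supply_at[block] = self.supply

    def share(self, holder, snap):
        # Fallback: with no recorded balance, the live balance is used.
        bal = self.balance_at.get((holder, snap), self.balances[holder])
        return Fraction(bal, self.supply_at[snap])


def total_share(patched):
    ledger = LstLedger({"alice": 600, "bob": 300, "carol": 100}, patched)
    ledger.snapshot(block=10)
    ledger.burn("carol", 50, block=10)    # unstake lands in the snapshot block
    ledger.burn("bob", 100, block=11)     # later burn: pre-burn balance is preserved
    return sum(ledger.share(h, 10) for h in ledger.balances)


if __name__ == "__main__":
    print("unpatched total share:", total_share(False))
    print("patched total share:  ", total_share(True))
```

Asserting that the shares for a snapshot sum to exactly 1 is a cheap invariant to add to a test suite or an off-chain monitor for this class of bug.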
LP Redelegation Uses Inaccurate Internal Tracker Amount, Leading to Potential Failures or Orphaned Funds
Severity: Medium
Ecosystem: Initia
Protocol: Cabal Liquid Staking
Auditor: Code4rena Contest Security Researchers
Report: https://code4rena.com/reports/2025-04-cabal-liquid-staking-token
Report Date: May 2025
Description:
The redelegate_lp function, called during validator changes for LP pools, uses the internal pool.amount tracker to specify the amount for MsgBeginRedelegate. This tracker can diverge from the actual staked amount due to unreflected rewards or slashing, potentially causing redelegation failures or leaving funds staked with the old validator.
Desynchronization of Cabal’s internal accounting with actual staked INIT amounts leads to over-minting of sxINIT tokens
Severity: Medium
Ecosystem: Initia
Protocol: Cabal Liquid Staking
Auditor: Code4rena Contest Security Researchers
Report: https://code4rena.com/reports/2025-04-cabal-liquid-staking-token
Report Date: May 2025
Description:
The Cabal Protocol’s implementation of compound_xinit_pool_rewards fails to synchronize the protocol’s internal accounting (m_store.staked_amounts) with the actual amount of INIT tokens staked in the underlying Initia staking system. This creates a vulnerability where external events like slashing penalties or validator-initiated actions that reduce the staked amount are not reflected in Cabal’s internal state.
Loss of funds due to address mappings are not cleaned up after domain expiry
Severity: Medium
Ecosystem: Initia
Protocol: Initia Move
Auditor: Code4rena Contest Security Researchers
Report: https://code4rena.com/reports/2025-01-initia-move
Report Date: Apr 2025
Description:
The register_domain function doesn’t properly clean up old mappings (name_to_addr and addr_to_name) when a new user registers an expired domain. While it removes the old name_to_token mapping, it leaves the previous user’s address mappings.
Update magnified_dividends_per_share Values When staked_tokens Reaches Zero
Severity: Medium
Ecosystem: Aptos
Protocol: Baptswap
Auditor: MoveBit
Report: https://movebit.xyz/reports/BAPTSWAP-Final-Audit-Report.pdf
Report Date: Dec 2023
Description:
When pool_info.staked_tokens reaches zero, the protocol fails to update pool_info.magnified_dividends_per_share_x and pool_info.magnified_dividends_per_share_y. This inconsistency results in a mismatch between the current state of pool_info and its initialized state.
Incorrect metadata used for deposit_stkapt function
Severity: Medium
Ecosystem: Aptos
Protocol: KoFi Finance
Auditor: MoveJay
Report: https://github.com/KofiFinance/audits/blob/main/Kofi%20Finance%20-%20Zenith%20Audit%20Report.pdf
Report Date: Mar 2025
Description:
In the deposit_stkapt function, the code incorrectly uses kAPT_coin::metadata() instead of stkAPT_coin::metadata() when creating/accessing the fungible store for stkAPT tokens. This mismatch between token type and metadata will cause deposits to fail. The function is supposed to deposit stkAPT tokens but is using kAPT metadata to identify the store.