High Findings
DXLP Ratio Manipulation and Denial of Service
Severity: High
Ecosystem: Supra
Protocol: Dexlyn Perp DEX
Auditor: Hacken
Report: https://hacken.io/audits/dexlyn/sca-dexlyn-perp-dex-jul2025/
Report Date: Sep 2025
Description:
The Dexlyn perpetual trading protocol contains a significant vulnerability in its House LP (DXLP) token system that allows attackers to manipulate the token ratio and extract value from legitimate users' deposits. This vulnerability combines ratio manipulation with a denial of service attack.
The vulnerability stems from two interconnected design flaws:
- No Minimum Deposit Protection: The house_lp::deposit function allows deposits as small as 1 wei, enabling attackers to become the first depositor with minimal investment.
- Unprotected Vault Inflation: The pnl_deposit_to_lp function deposits trading losses into the HouseLPVault without minting corresponding DXLP tokens, allowing vault inflation without a supply increase.
Potential DoS Due to Improper Balance Splitting in the Liquidation
Severity: High
Ecosystem: Sui
Protocol: Creek Finance
Auditor: MoveBit
Report: https://movebit.xyz/reports/Creek-Audit-Report-2025-12-30.pdf
Report Date: Dec 2025
Description:
If the debt_to_burn exceeds the value of repay_balance (for example, when revenue_balance has a non-zero value), the balance::split operation will fail and cause a transaction panic. This renders the liquidation mechanism unusable under many normal conditions and may freeze funds involved in the liquidation.
NFT Token ID contains forbidden character by design which prevents any domain from being issued at all
Severity: High
Ecosystem: Initia
Protocol: Initia Move
Auditor: Code4Arena Contest Security Researchers
Report: https://code4rena.com/reports/2025-01-initia-move
Report Date: Apr 2025
Description:
The usernames module allows registering a domain. This happens in the function register_domain. On registration, an NFT is minted to the buyer, with the Token ID field in the format domain:timestamp. However, the : character is forbidden by the underlying nft.move module, which is also the reason the original unit tests fail. Because of this, the protocol cannot be used in its current state: no NFTs can be minted, so no domains can be claimed. This is equivalent to a permanent DoS.
Excessive reward allocations lead to DoS
Severity: High
Ecosystem: Aptos
Protocol: PancakeSwap
Auditor: Zellic
Report Date: Nov 2022
Description:
Certain conditions may force users to salvage their funds by calling emergency_withdraw, forfeiting their rewards.