Low Findings
Unchecked Read in peel_u64_be Leads to Transaction Abort and Denial of Service
Severity: Low
Ecosystem: IOTA Mainnet
Protocol: Echo Protocol Bridge
Auditor: Hacken
Report: https://hacken.io/audits/echo-protocol/sca-echo-protocol-bridge-iota-jul2025/
Report Date: Aug 2025
Description:
The peel_u64_be function unconditionally attempts to read 8 bytes from the provided byte stream without first verifying that 8 bytes are available. A malicious actor can craft and submit a message with a truncated payload, causing the function to attempt a read past the buffer's end. This triggers a transaction abort, which can be exploited to create a Denial-of-Service (DoS) attack, preventing any valid messages of that type from being processed by the bridge.
The vulnerability lies in the implementation of peel_u64_be in message.move. The function contains a while loop that is hardcoded to execute exactly eight times to read eight bytes, but it performs no bounds check against the remaining length of the byte stream before doing so.
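A bounds-checked version of the reader described above, added here as an illustration and not the Echo Protocol Bridge's own code. It assumes a cursor-style reader over a vector<u8> (the real message.move layout is not shown on the page) and Move 2024 syntax; the error code is a placeholder.

```move
module example::safe_peel {
    /// Abort code for a payload with fewer than 8 bytes left (assumed value).
    const E_INSUFFICIENT_BYTES: u64 = 1;

    /// Big-endian u64 read that rejects short payloads with a defined abort
    /// code instead of a vector out-of-bounds abort. `cursor` is the offset.
    public fun peel_u64_be(bytes: &vector<u8>, cursor: &mut u64): u64 {
        let len = vector::length(bytes);
        // The check the finding says is missing: refuse truncated input up front.
        assert!(*cursor <= len && len - *cursor >= 8, E_INSUFFICIENT_BYTES);
        let mut value = 0u64;
        let mut i = 0;
        while (i < 8) {
            value = (value << 8) | (*vector::borrow(bytes, *cursor + i) as u64);
            i = i + 1;
        };
        *cursor = *cursor + 8;
        value
    }

    #[test]
    fun reads_big_endian() {
        // Constructed payload: 8 bytes encoding 258, plus one trailing byte.
        let bytes = vector[0u8, 0, 0, 0, 0, 0, 1, 2, 0xff];
        let mut cursor = 0;
        assert!(peel_u64_be(&bytes, &mut cursor) == 258, 0);
        assert!(cursor == 8, 0);
    }

    #[test, expected_failure(abort_code = E_INSUFFICIENT_BYTES)]
    fun rejects_truncated_payload() {
        // Constructed 3-byte payload: must abort with the defined code.
        let bytes = vector[1u8, 2, 3];
        let mut cursor = 0;
        peel_u64_be(&bytes, &mut cursor);
    }
}
```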
skew_factor Initialization to Zero Can Lead to Denial of Service
Severity: Low
Ecosystem: Supra
Protocol: Dexlyn Perp DEX
Auditor: Hacken
Report: https://hacken.io/audits/dexlyn/sca-dexlyn-perp-dex-jul2025/
Report Date: Sep 2025
Description:
Based on the funding fee formula provided in the documentation (Funding Rate = ... + (Market skew / Skew Factor) * ...), the calculate_funding_rate function will perform a division by skew_factor. Since skew_factor is initialized to 0, this will trigger an arithmetic exception and revert the transaction.
Multiplication Overflow DOS
Severity: Low
Ecosystem: Aptos
Protocol: PancakeSwap IFO
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Dec 2022
Description:
In compute_release_amount, the vested_amount calculation multiplies the total amount to be vested by the vested seconds.
For large quantities of tokens vested over a long period of time, this multiplication might overflow and abort, causing the contract call to abort. Note that this is recoverable once the tokens have fully vested. A similar issue can be found in harvest_pool when calculating the initial vesting percentages. This will only be an issue if a user attempts to vest more than u64::MAX / 100 tokens.
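One way to keep the intermediate product from overflowing, added here as an example rather than PancakeSwap's own code: widen to u128 before multiplying, then narrow after the division. The function shape and argument names are assumed.

```move
module example::safe_vesting {
    /// Linear vesting amount computed in u128 so that `total * elapsed`
    /// cannot overflow u64 before the division (assumed function shape).
    public fun compute_release_amount(total: u64, elapsed_secs: u64, duration_secs: u64): u64 {
        // Fully vested (also covers a zero duration, avoiding division by zero).
        if (elapsed_secs >= duration_secs) return total;
        let widened = (total as u128) * (elapsed_secs as u128) / (duration_secs as u128);
        // The result is at most `total`, so narrowing back to u64 cannot abort.
        (widened as u64)
    }

    #[test]
    fun large_amounts_do_not_overflow() {
        // u64::MAX as the vested total: the u64 product would abort here.
        let total = 18_446_744_073_709_551_615u64;
        assert!(compute_release_amount(total, 50, 100) == 9_223_372_036_854_775_807, 0);
        assert!(compute_release_amount(total, 100, 100) == total, 0);
    }
}
```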
Forced Eviction Of Legit Orders
Severity: Low
Ecosystem: Aptos
Protocol: Econia
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Dec 2022
Description:
The AVL queue evicts orders when the tree exceeds CRITICAL_HEIGHT or when the number of active nodes reaches N_NODES_MAX, to prevent excessive gas costs for insertion and deletion. In theory, due to the limited orderbook capacity, an attacker can place enough orders to evict legitimate orders and then cancel the placed orders.
Pyth Deployment DOS
Severity: Low
Ecosystem: Aptos
Protocol: Pyth
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2022
Description:
Similar to the issue we found in Wormhole, during initialization of the pyth module, it attempts to register an AptosCoin account in order to be able to receive fees:
However, coin::register is a one-time operation. If coin::register has previously been called on this address, this initialization code will abort and the wormhole program will be unable to initialize. While it is usually not possible to register coins for users you cannot sign for, the Aptos framework provides a special mechanism to register AptosCoin for any user via aptos_account::create_account:
Therefore, with this mechanism an attacker could register AptosCoin for the wormhole program before deployment in order to prevent it from properly initializing.
Wormhole Deployment DOS
Severity: Low
Ecosystem: Aptos
Protocol: Wormhole Aptos
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2022
Description:
During initialization of the wormhole module, it attempts to register an AptosCoin account in order to be able to receive fees:
However, coin::register is a one-time operation. If coin::register has previously been called on this address, this initialization code will abort and the wormhole program will be unable to initialize. While it is usually not possible to register coins for users you cannot sign for, the Aptos framework provides a special mechanism to register AptosCoin for any user via aptos_account::create_account:
Therefore, with this mechanism an attacker could register AptosCoin for the wormhole program before deployment in order to prevent it from properly initializing.
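A defensive initializer for the Pyth and Wormhole deployment findings above, added as an example in Aptos Move and not taken from either project: it checks coin::is_account_registered before calling coin::register, so a pre-emptive aptos_account::create_account on the deployment address no longer makes initialization abort. The module name is a placeholder.

```move
module example::init_guard {
    use aptos_framework::aptos_coin::AptosCoin;
    use aptos_framework::coin;
    use std::signer;

    /// Runs once at publish time. Registering AptosCoin is idempotent here:
    /// if someone already registered it for this address via
    /// aptos_account::create_account, the call is simply skipped.
    fun init_module(deployer: &signer) {
        let addr = signer::address_of(deployer);
        if (!coin::is_account_registered<AptosCoin>(addr)) {
            coin::register<AptosCoin>(deployer);
        };
        // Remaining initialization state would be created below as usual.
    }
}
```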
Potential Denial of Service Risk of DAP Module
Severity: Low
Ecosystem: Aptos
Protocol: Yeap Finance
Auditor: SlowMist
Report Date: July 2025
Description:
In yeap_oracle, the DAP module is primarily responsible for asset price routing, constructing a directed acyclic graph (DAG) to manage price conversion paths between different assets. However, operations within functions such as add_edge, get_common_ancestor, and get_paths all require traversing the entire path to detect cycles. This traversal has a time complexity of O(n). If the created paths become excessively long, it could lead to a Denial-of-Service (DoS) risk.