Low Findings


Front-Running Vulnerability in Liquidity Management

Severity: Low

Ecosystem: Sui

Protocol: Full Sail CLMM

Auditor: Asymptotic

Report: https://info.asymptotic.tech/full-sail-clmm-audit

Report Date: May 2025

Description:

The remove_liquidity function in the pool module lacks slippage protection, leaving users vulnerable to front-running attacks that can result in substantial financial losses. Unlike add_liquidity, which provides a two-step process that lets users review amounts before committing, remove_liquidity executes immediately and accepts no user-controlled protection parameters.

Attack Strategy:

• Find large positions (>5% of pool liquidity)
• Manipulate price to push victim's position out of range
• Victim removes large liquidity, reducing pool depth
• Exploit reduced liquidity for cheaper price restoration
• Profit from asymmetric price impact before/after liquidity removal
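A model of the user-controlled protection the finding says is missing, written as an added example and not taken from the Full Sail code or the audit report. The names `remove_liquidity_checked`, `min_amount_a`, `min_amount_b` and `min_amounts` are hypothetical, and the amount formulas are the standard concentrated-liquidity ones, assumed here to apply to this pool.

```python
from dataclasses import dataclass
from fractions import Fraction


class SlippageExceeded(Exception):
    """The withdrawal would pay out less than the caller's stated minimums."""


@dataclass(frozen=True)
class Position:
    liquidity: Fraction
    sqrt_lower: Fraction  # sqrt price at the lower bound of the range
    sqrt_upper: Fraction  # sqrt price at the upper bound of the range


def amounts_for_liquidity(pos, sqrt_price):
    """Token amounts (a, b) a position redeems for at the pool's sqrt price."""
    # Outside the range the position is held entirely in one token, so clamp.
    sp = min(max(Fraction(sqrt_price), pos.sqrt_lower), pos.sqrt_upper)
    amount_a = pos.liquidity * (1 / sp - 1 / pos.sqrt_upper)
    amount_b = pos.liquidity * (sp - pos.sqrt_lower)
    return amount_a, amount_b


def min_amounts(quote, tolerance_bps):
    """Turn a quoted (a, b) into minimums, allowing tolerance_bps of drift."""
    keep = Fraction(10_000 - tolerance_bps, 10_000)
    return quote[0] * keep, quote[1] * keep


def remove_liquidity_checked(pos, sqrt_price, min_amount_a, min_amount_b):
    """Hypothetical guarded removal: abort if either payout is below its minimum."""
    a, b = amounts_for_liquidity(pos, sqrt_price)
    if a < min_amount_a or b < min_amount_b:
        raise SlippageExceeded(f"got ({a}, {b}), wanted >= ({min_amount_a}, {min_amount_b})")
    return a, b


# Constructed sample: range [2, 4] in sqrt-price terms, quoted while the pool is at 3.
SAMPLE = Position(Fraction(1200), Fraction(2), Fraction(4))

if __name__ == "__main__":
    quote = amounts_for_liquidity(SAMPLE, 3)
    floor_a, floor_b = min_amounts(quote, 100)  # 1% tolerance
    print(remove_liquidity_checked(SAMPLE, 3, floor_a, floor_b))
    try:
        # Price has been moved above the range between quote and execution.
        remove_liquidity_checked(SAMPLE, 5, floor_a, floor_b)
    except SlippageExceeded as exc:
        print("aborted:", exc)
```

The guard turns a withdrawal at a moved price into an abort, so the user can re-quote instead of accepting a payout they never reviewed.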


The seed for minting does not update

Severity: Low

Ecosystem: Sui

Protocol: MystenLabs Sui

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: May 2023

Description: The seed field used for minting should be updated with a new value after every mint.