Low Findings
Reference Pool Manipulation
Severity: Low
Ecosystem: Sui
Protocol: Mysten Deepbook
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Aug 2024
Description: add_deep_price_point obtains a mid_price from a reference pool and uses it to update the deep price of a target pool. If the reference pool is unregistered or has an empty order book, an attacker can control that mid_price and push an incorrect deep price point into the target pool, significantly overvaluing or undervaluing the deep price. This would harm traders and compromise the integrity of the pool.
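The check a practitioner would want on the reference pool, as an added example in Python rather than DeepBook's own Move code. Pool, registry, mid_price_unchecked and both add_deep_price_point variants are hypothetical stand-ins for the flow the finding describes; the order books and pool ids are constructed values.

```python
"""Reference-pool mid-price check (added example, not DeepBook code).

`Pool`, `registry`, `mid_price_unchecked` and both `add_deep_price_point`
variants are hypothetical stand-ins: a target pool's deep price is derived
from the mid-price of a reference pool, so the reference must be one the
protocol trusts and must actually have a two-sided book.
"""
from dataclasses import dataclass, field


class BadReferencePool(ValueError):
    """Raised by the checked variant when the reference pool is unusable."""


@dataclass
class Pool:
    pool_id: str
    bids: list[int] = field(default_factory=list)   # bid prices, scaled ints
    asks: list[int] = field(default_factory=list)   # ask prices, scaled ints
    deep_price: int = 0


def mid_price_unchecked(pool: Pool) -> int:
    # The missing-side handling is what makes this exploitable: an empty or
    # one-sided book yields 0 or half of a single quote.
    best_bid = max(pool.bids, default=0)
    best_ask = min(pool.asks, default=0)
    return (best_bid + best_ask) // 2


def add_deep_price_point_unchecked(target: Pool, reference: Pool) -> int:
    """Vulnerable shape: any pool object is accepted as the reference."""
    target.deep_price = mid_price_unchecked(reference)
    return target.deep_price


def add_deep_price_point_checked(target: Pool, reference: Pool,
                                 registry: set[str]) -> int:
    """Hardened shape: registered reference with a non-empty, uncrossed book."""
    if reference.pool_id not in registry:
        raise BadReferencePool("reference pool is not registered")
    if not reference.bids or not reference.asks:
        raise BadReferencePool("reference order book is empty on at least one side")
    best_bid, best_ask = max(reference.bids), min(reference.asks)
    if best_bid >= best_ask:
        raise BadReferencePool("reference order book is crossed")
    target.deep_price = (best_bid + best_ask) // 2
    return target.deep_price


def scenario() -> dict:
    """Constructed pools: one honest registered book, one rogue, one registered but empty."""
    registry = {"DEEP_USDC_official", "SUI_USDC_official"}
    honest = Pool("DEEP_USDC_official", bids=[995_000, 990_000],
                  asks=[1_005_000, 1_010_000])
    rogue = Pool("DEEP_USDC_rogue", bids=[1], asks=[9_999_999])  # attacker-seeded
    empty = Pool("SUI_USDC_official")                             # registered, no orders
    target = Pool("DEEP_SUI_target")
    out = {"honest": add_deep_price_point_checked(target, honest, registry)}
    out["rogue_unchecked"] = add_deep_price_point_unchecked(target, rogue)
    out["empty_unchecked"] = add_deep_price_point_unchecked(target, empty)
    for label, ref in (("rogue", rogue), ("empty", empty)):
        try:
            add_deep_price_point_checked(target, ref, registry)
            out[f"{label}_checked_rejected"] = False
        except BadReferencePool:
            out[f"{label}_checked_rejected"] = True
    return out


if __name__ == "__main__":
    print(scenario())
```

Registration and a two-sided book are necessary conditions, not sufficient ones: a registered but thin book can still be moved by a single order, so a production check would also want a depth or time-weighted requirement, which the finding itself does not cover.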
No Reentrancy Guard on Swap
Severity: Low
Ecosystem: Sui
Protocol: Bluefin Spot
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Nov 2024
Description:
The pool lacks a reentrancy guard during flash swap operations, so while a flash swap is in flight other pool functions can still be entered against the intermediate state, which may allow pool values to be manipulated.
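A model of the intermediate-state problem, as an added example in Python and not Bluefin Spot's code. Pool, FlashReceipt, flash_swap_a_out, repay, remove_liquidity and the stored-k repayment check are hypothetical stand-ins for the pattern the finding describes; the reserves and share counts are constructed.

```python
"""Flash swap with and without a reentrancy guard (added example).

Not Bluefin Spot code. `Pool`, `FlashReceipt`, `flash_swap_a_out`, `repay`,
`remove_liquidity` and the stored-k repayment check are hypothetical: the
pool releases output tokens before it is repaid, and while the swap is open
every other entry point still accepts calls against the intermediate reserves.
"""
from dataclasses import dataclass


class PoolLocked(Exception):
    """Raised by the guarded pool when an entry point is hit mid flash swap."""


class Unpaid(Exception):
    """Raised when the flash swap is not repaid up to the pool's invariant."""


@dataclass
class FlashReceipt:
    amount_a_out: int


class Pool:
    def __init__(self, reserve_a: int, reserve_b: int, guarded: bool) -> None:
        self.reserve_a = reserve_a
        self.reserve_b = reserve_b
        self.total_shares = 1000            # LP shares outstanding (constructed)
        self.k = reserve_a * reserve_b      # constant-product invariant
        self.guarded = guarded
        self.in_flash = False

    def _enter(self) -> None:
        # Guard: refuse every other entry point while a flash swap is open.
        if self.guarded and self.in_flash:
            raise PoolLocked("reentrant call during flash swap")

    def flash_swap_a_out(self, amount_a: int) -> FlashReceipt:
        self._enter()
        self.in_flash = True
        self.reserve_a -= amount_a          # tokens leave before repayment
        return FlashReceipt(amount_a)

    def repay(self, receipt: FlashReceipt, amount_b: int) -> None:
        self.reserve_b += amount_b
        # Repayment is checked against the pool's *current* stored k.
        if self.reserve_a * self.reserve_b < self.k:
            raise Unpaid("flash swap not repaid")
        self.in_flash = False

    def remove_liquidity(self, shares: int) -> tuple[int, int]:
        self._enter()
        out_a = self.reserve_a * shares // self.total_shares
        out_b = self.reserve_b * shares // self.total_shares
        self.reserve_a -= out_a
        self.reserve_b -= out_b
        self.total_shares -= shares
        self.k = self.reserve_a * self.reserve_b   # invariant reset here
        return out_a, out_b


def attack(guarded: bool) -> dict:
    """Attacker holding 50% of LP shares flash-borrows A, then removes liquidity mid swap."""
    pool = Pool(1000, 1000, guarded)
    attacker_shares = 500
    borrowed_a = 500
    receipt = pool.flash_swap_a_out(borrowed_a)      # reserves now 500 A / 1000 B
    try:
        out_a, out_b = pool.remove_liquidity(attacker_shares)
    except PoolLocked:
        # Guarded pool: repay honestly first (k / 500 - 1000 = 1000 B), then exit.
        pool.repay(receipt, 1000)
        out_a, out_b = pool.remove_liquidity(attacker_shares)
        return {"blocked": True, "attacker_a": borrowed_a + out_a,
                "attacker_b": out_b - 1000,
                "pool_a": pool.reserve_a, "pool_b": pool.reserve_b}
    # Unguarded: remove_liquidity shrank k to 250 * 500, so repaying nothing
    # satisfies the invariant check and the borrowed A is never paid for.
    pool.repay(receipt, 0)
    return {"blocked": False, "attacker_a": borrowed_a + out_a,
            "attacker_b": out_b,
            "pool_a": pool.reserve_a, "pool_b": pool.reserve_b}


if __name__ == "__main__":
    print("unguarded:", attack(guarded=False))
    print("guarded:  ", attack(guarded=True))
```

Without the guard the attacker walks away with 750 A and 500 B against an honest exit of 500 A and 500 B, and the remaining LPs are left with 250 A and 500 B. Binding the repayment to the k captured at the start of the flash swap would close this specific path, but the guard is what stops every other entry point from reading or acting on the intermediate reserves.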
Inconsistency in Maintaining One-to-One Peg
Severity: Low
Ecosystem: Aptos
Protocol: Thala LSD
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Feb 2025
Description:
The 1:1 peg between thAPT and staked APT may break because burn_from_thapt allows unrestricted burning; reconcile can mint thAPT to restore the peg, but that same path enables arbitrary supply manipulation.
Payouts round down
Severity: Low
Ecosystem: Aptos
Protocol: Tortuga Liquid Staking
Auditor: Zellic
Report: https://github.com/Zellic/publications/blob/master/Tortuga%20Liquid%20Staking%20-%20Zellic%20Audit%20Report.pdf
Report Date: Oct 2022
Description:
It is possible to perform an economically impractical, griefing-style attack that abuses the rounding-down behavior of mul_div in disperse_all_payouts so that only delegators with a relatively high number of shares receive a payout.

If reserve_balance is low enough, delegators with few shares receive zero payout while delegators with many shares receive some. Dust is refunded to the reserve at the end of disperse_all_payouts, so repeated, quick calls to disperse_all_payouts result in only high-value delegators receiving payouts.
Impact: Malicious, high-value delegators (i.e., those with many shares) could cause lower-value delegators to receive no payouts.
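The rounding arithmetic carried through on constructed numbers, as an added example in Python rather than Tortuga's own Move code. mul_div is floor(x * y / z) as in the finding; disperse_all_payouts here is a hypothetical reconstruction of the described behaviour, and disperse_with_carry, run_rounds and the three delegators are assumptions made for the example.

```python
"""Payout rounding and the dust-refund griefing pattern (added example).

Not Tortuga code. `mul_div` is floor(x * y / z) as in the finding;
`disperse_all_payouts` reconstructs the described behaviour, and
`disperse_with_carry`, `run_rounds` and the delegator set are hypothetical.
"""


def mul_div(x: int, y: int, z: int) -> int:
    """Floor division of x * y by z, as in the audited code."""
    return x * y // z


# Constructed delegator set: one whale and two small holders, 1000 shares total.
DELEGATORS = {"whale": 900, "small_1": 50, "small_2": 50}


def disperse_all_payouts(state: dict, delegators: dict) -> dict:
    """Vulnerable form: pay floor(reserve * shares / total) and refund the dust."""
    reserve = state["reserve"]
    total = sum(delegators.values())
    payouts = {n: mul_div(reserve, s, total) for n, s in delegators.items()}
    state["reserve"] = reserve - sum(payouts.values())   # dust back to reserve
    return payouts


def disperse_with_carry(state: dict, delegators: dict) -> dict:
    """Hardened form: remember each delegator's remainder instead of dropping it.

    state["carry"][name] is the unpaid remainder in units of 1/total. Only
    fresh income is credited; remainders still sitting in the reserve are
    excluded, so calling this repeatedly cannot double count them.
    """
    total = sum(delegators.values())
    carry = state["carry"]
    earmarked = sum(carry.values()) // total   # exact: sum(carry) is a multiple of total
    fresh = state["reserve"] - earmarked
    payouts = {}
    for name, shares in delegators.items():
        carry[name] += fresh * shares
        payouts[name] = carry[name] // total
        carry[name] %= total
    state["reserve"] -= sum(payouts.values())
    return payouts


def run_rounds(income_per_round: int, rounds: int, delegators: dict,
               disperse) -> tuple[dict, int]:
    """Deposit `income_per_round` and call `disperse` after every deposit."""
    state = {"reserve": 0, "carry": {n: 0 for n in delegators}}
    totals = {n: 0 for n in delegators}
    for _ in range(rounds):
        state["reserve"] += income_per_round
        for name, paid in disperse(state, delegators).items():
            totals[name] += paid
    return totals, state["reserve"]


if __name__ == "__main__":
    # One disperse once 100 has accrued: whale 90, small holders 5 each.
    print(run_rounds(100, 1, DELEGATORS, disperse_all_payouts))
    # Same 100 dispersed 10 units at a time: whale 98, small holders 0.
    print(run_rounds(10, 10, DELEGATORS, disperse_all_payouts))
    # Carry-based fix under the same spam: whale 90, small holders 5 each.
    print(run_rounds(10, 10, DELEGATORS, disperse_with_carry))
```

The floor itself is not the defect; the refund of dust to a reserve that can immediately be dispersed again is what lets a whale convert every small holder's fractional entitlement into its own payout. Keeping per-delegator remainders removes the incentive to spam disperse_all_payouts, which, as the finding notes, is already economically impractical because each call costs gas.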