Low Findings


Reference Pool Manipulation

Severity: Low

Ecosystem: Sui

Protocol: Mysten Deepbook

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Aug 2024

Description:

add_deep_price_point relies on a reference pool to obtain a mid_price, which is then used to update the deep price of a target pool. If the reference pool is unregistered or has an empty order book, a malicious actor can manipulate the mid_price it reports. This could add incorrect deep price points to the target pool and significantly overvalue or undervalue the deep price, harming traders and compromising the integrity of the pool.


No Reentrancy Guard on Swap

Severity: Low

Ecosystem: Sui

Protocol: Bluefin Spot

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Nov 2024

Description:

In pool, there is no reentrancy guard on flash swap operations. A reentrant call made through other pool functions while a flash swap is in progress could manipulate the pool's values.


Inconsistency in Maintaining One-to-One Peg

Severity: Low

Ecosystem: Aptos

Protocol: Thala LSD

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Feb 2025

Description:

The 1:1 peg between thAPT and staked APT may break because burning via burn_from_thapt is unrestricted. While reconcile can mint thAPT to restore the peg, it also enables arbitrary manipulation of the thAPT supply.


Payouts round down

Severity: Low

Ecosystem: Aptos

Protocol: Tortuga Liquid Staking

Auditor: Zellic

Report: https://github.com/Zellic/publications/blob/master/Tortuga Liquid Staking - Zellic Audit Report.pdf

Report Date: Oct 2022

Description:

It is possible to perform an economically impractical, griefing-style attack that abuses the rounding-down behavior of mul_div in disperse_all_payouts so that only delegators with a relatively high number of shares receive a payout.

If the reserve_balance is low enough, delegators with few shares would receive a zero payout while delegators with many shares would receive some. Dust is refunded to the reserve at the end of disperse_all_payouts, so repeated, quick calls to disperse_all_payouts would result in only high-value delegators receiving payouts.

Impact: Malicious, high-value delegators (i.e., those with many shares) could cause lower-value delegators to receive no payouts at all.