Low Findings


Missing Zero-address Validation for reward_address Before Transferring

Severity: Low

Ecosystem: Sui

Protocol: Creek Finance

Auditor: MoveBit

Report: https://movebit.xyz/reports/Creek-Audit-Report-2025-12-30.pdf

Report Date: Dec 2025

Description:

In several admin withdrawal functions, including take_revenue, take_borrow_fee, and take_staking_fee, the code transfers fee/revenue tokens directly to admin_cap.reward_address without verifying that it is a valid (non-zero) address.


Missing Zero-amount Checks in Fund-handling Functions

Severity: Low

Ecosystem: Sui

Protocol: Creek Finance

Auditor: MoveBit

Report: https://movebit.xyz/reports/Creek-Audit-Report-2025-12-30.pdf

Report Date: Dec 2025

Description:

Several functions related to fund operations, such as deposit_collateral, withdraw_collateral, borrow_flash_loan, repay_flash_loan, and liquidate, accept an amount parameter as input but do not verify that the value is greater than zero.


Missing Zero-amount Checks in redeem_gusd

Severity: Low

Ecosystem: Sui

Protocol: Creek Finance

Auditor: MoveBit

Report: https://movebit.xyz/reports/Creek-Audit-Report-2025-12-30.pdf

Report Date: Dec 2025

Description:

In redeem_gusd, the GUSD amount is converted to USDC. Currently, only amount_gusd > 0 is checked. For small amount_gusd (<1000), amount_usdc_before_fee becomes 0, but there is no check to prevent zero-value USDC.


Missing Debt Check Before Repayment

Severity: Low

Ecosystem: Sui

Protocol: Creek Finance

Auditor: MoveBit

Report: https://movebit.xyz/reports/Creek-Audit-Report-2025-12-30.pdf

Report Date: Dec 2025

Description:

The repay function does not verify that the user has a positive outstanding debt before proceeding.


Missing Validation Checks in Allocation Deserialization

Severity: Low

Ecosystem: Sui

Protocol: Magna Airlock

Auditor: Zellic

Report: https://github.com/Zellic/publications/blob/master/Magna Airlock - Zellic Audit Report.pdf

Report Date: Nov 2025

Description:

The deserialize_allocation() function performs BCS deserialization of allocation data without validating the integrity of the deserialized values. This creates multiple denial-of-service vectors that will manifest at withdrawal time rather than at merkle root creation time.

Missing validations:

  1. Calendar schedule: No check that unlock_timestamps and unlock_amounts arrays have equal length
  2. Interval schedule: No check that period_length > 0 or number_of_periods > 0
  3. Amount consistency: No check that allocation.amount matches sum of unlock amounts or piece amounts
  4. Array bounds: No maximum size limits on timestamps/amounts/pieces vectors

Missing Validation For Token Decimals

Severity: Low

Ecosystem: IOTA Mainnet

Protocol: Pools Finance

Auditor: Hacken

Report: https://hacken.io/audits/pools-finance/sca-pools-finance-pools-contracts-may2025/

Report Date: June 2025

Description:

The register_pool function in the stake.move module allows users to register a new staking pool by providing the stake and reward tokens along with their corresponding decimal values. These decimal values are used to compute a scale factor for accurately calculating accumulated rewards.


Lack of Zero-Value Validation in update_route_limit() Allows Setting Invalid Rate Limits

Severity: Low

Ecosystem: IOTA Mainnet

Protocol: Echo Protocol Bridge

Auditor: Hacken

Report: https://hacken.io/audits/echo-protocol/sca-echo-protocol-bridge-iota-jul2025/

Report Date: Aug 2025

Description:

The bridge module enables bridging assets from an EVM to IOTA. To prevent abuse, it enforces a per-route hourly transfer rate limit. If a transfer exceeds this limit, it is rejected, and a TokenTransferLimitExceed event is emitted.


Smokescreen/log flooding on deposit

Severity: Low

Ecosystem: Sui

Protocol: Bluefin RFQ

Auditor: Asymptotic

Report: https://bluefin.io/blog/doc/bluefin_rfq_audit.pdf

Report Date: Feb 2025

Description:

There is no privilege check and no minimum amount for depositing, so an attacker could induce a very large number of Deposit events cheaply.


set_manager should also have a zero-address check

Severity: Low

Ecosystem: Sui

Protocol: Bluefin RFQ

Auditor: Asymptotic

Report: https://bluefin.io/blog/doc/bluefin_rfq_audit.pdf

Report Date: Feb 2025

Description:

create_rfq_vault checks that the manager is not set to the zero address: assert!(manager != @0, EZeroAddress);

set_manager should also have this check.


Missing Withdrawal Time Validation

Severity: Low

Ecosystem: Sui

Protocol: SatLayer Sui

Auditor: Asymptotic

Report: https://info.asymptotic.tech/satlayer-audit

Report Date: Mar 2025

Description:

The withdrawal_time parameter, which defines the cooldown period between a withdrawal request and the actual withdrawal execution, lacks proper validation in both the initialize_vault and update_withdrawal_time functions. Without appropriate bounds checking, the cooldown period could be set to an unreasonably high value, effectively preventing users from accessing their funds for extended periods. Additionally, setting a zero cooldown period would make the two-step withdrawal (request, then execute) redundant, so consider forbidding a zero cooldown as well.


Insufficient Fee Validation in Position Orders

Severity: Low

Ecosystem: Sui

Protocol: ZO Perps (Sudo)

Auditor: Asymptotic

Report: https://info.asymptotic.tech/sudo-audit-report

Report Date: Mar 2025

Description:

The open_position and decrease_position functions accept fee coins as payment for order execution. While this fee is intended to incentivize executors to process orders, there are no validation checks to ensure the fee is sufficient or even non-zero. This creates a risk where orders with inadequate fees may remain permanently unexecuted in the orders list, as executors would have no economic incentive to process them if the fee is below their operational costs.


Missing Zero Value Check in decrease_reserved_from_position

Severity: Low

Ecosystem: Sui

Protocol: ZO Perps (Sudo)

Auditor: Asymptotic

Report: https://info.asymptotic.tech/sudo-audit-report

Report Date: Mar 2025

Description:

The decrease_reserved_from_position function does not validate that the decrease_amount parameter is non-zero.


Missing Position Validation in Pool Module Functions

Severity: Low

Ecosystem: Sui

Protocol: Full Sail CLMM

Auditor: Asymptotic

Report: https://info.asymptotic.tech/full-sail-clmm-audit

Report Date: May 2025

Description:

The protocol implements the validate_pool_position function specifically to ensure a position belongs to the pool it's interacting with, but this validation is applied for add_liquidity_* functions only.


Version Validation in update_package_version

Severity: Low

Ecosystem: Sui

Protocol: Full Sail CLMM

Auditor: Asymptotic

Report: https://info.asymptotic.tech/full-sail-clmm-audit

Report Date: May 2025

Description:

The update_package_version function in the config module allows setting any value, including older or identical versions. This can lead to unintended downgrades or redundant updates, potentially causing compatibility or versioning issues.

Additionally, the lack of a public getter for package_version makes it difficult to verify the current version for external callers or before performing updates.


Missing Parameter Checks

Severity: Low

Ecosystem: Sui

Protocol: Momentum

Auditor: MoveBit

Report: https://1760493472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvMYfd5Y4I2ZxHbqdOD88%2Fuploads%2FKo0UYHCVcSEui2ZTJSA6%2FMMT Audit Report-2025-11-13.pdf?alt=media&token=8f2d91ba-2a20-43d6-8dd9-c9aa7abf8f91

Report Date: Nov 2025

Description:

During operations such as merge and extend in user_v1.move, it is advisable to add checks for the validity of user-input parameters. This prevents users from unnecessarily consuming gas due to incorrect parameters.

  1. extend(): no validation that new_unbond_at is greater than old_unbond_at.
  2. merge(): no validation that only one VeToken is staked between primary and merged.


Missing Input Validations in Swap Simulation Functions

Severity: Low

Ecosystem: Sui

Protocol: Momentum CLMM

Auditor: Asymptotic

Report: https://1760493472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvMYfd5Y4I2ZxHbqdOD88%2Fuploads%2FVUTBtknlPDNNKXFHp9zw%2FAsymptotic Audit of Momentum CLMM.pdf?alt=media&token=e58fb859-d4be-4b65-ac1d-92df0790b6cf

Report Date: Aug 2025

Description:

The compute_swap_result and get_optimal_swap_amount_for_single_sided_liquidity functions do not check that pool::sqrt_price(pool) != 0 or that sqrt_price_limit is within the valid min/max and current price bounds. As a result, these functions may abort unexpectedly or return incorrect results if called with invalid inputs. Additionally, get_optimal_swap_amount_for_single_sided_liquidity does not verify that the provided position actually belongs to the specified pool.


Missing Input Validation and Code Duplication in Liquidity Math

Severity: Low

Ecosystem: Sui

Protocol: Momentum CLMM

Auditor: Asymptotic

Report: https://1760493472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvMYfd5Y4I2ZxHbqdOD88%2Fuploads%2FVUTBtknlPDNNKXFHp9zw%2FAsymptotic Audit of Momentum CLMM.pdf?alt=media&token=e58fb859-d4be-4b65-ac1d-92df0790b6cf

Report Date: Aug 2025

Description:

The liquidity_math module functions get_liquidity_for_amounts and get_amounts_for_liquidity do not validate that sqrt_price_lower < sqrt_price_upper, which can result in incorrect calculations. Additionally, liquidity_math::get_amount_x_for_liquidity and liquidity_math::get_amount_y_for_liquidity contain identical logic to sqrt_price_math::get_amount_x_delta and sqrt_price_math::get_amount_y_delta respectively. The liquidity_math versions are never called in the codebase.


Missing Pool Token Type Check

Severity: Low

Ecosystem: Sui

Protocol: Momentum CLMM

Auditor: MoveBit

Report: https://1760493472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvMYfd5Y4I2ZxHbqdOD88%2Fuploads%2FKo0UYHCVcSEui2ZTJSA6%2FMMT Audit Report-2025-11-13.pdf?alt=media&token=8f2d91ba-2a20-43d6-8dd9-c9aa7abf8f91

Report Date: Nov 2025

Description:

When creating a pool, the token type is not checked, which allows pools with the same token type to be created.


Missing Validation and Performance Optimization in add_group_if_absent

Severity: Low

Ecosystem: Sui

Protocol: Cetus CLMM

Auditor: Asymptotic

Report: https://drive.google.com/drive/folders/1d9nv3nJidsbQ0vDT8D1kEuR3rJzK2ULg

Report Date: Nov 2025

Description:

The function add_group_if_absent accepts group_index without validation and can create bins with IDs outside the valid range. The public wrapper in the pool module exposes this to external callers without additional checks. Additionally, for each new group, the function creates 16 bins by calling default_bin → get_price_from_id → pow(base, bin_id) sixteen times. This performs 16 expensive exponential calculations.


No Bounds Validation in set_min_reward_duration

Severity: Low

Ecosystem: Sui

Protocol: Cetus CLMM

Auditor: Asymptotic

Report: https://drive.google.com/drive/folders/1d9nv3nJidsbQ0vDT8D1kEuR3rJzK2ULg

Report Date: Nov 2025

Description:

The function set_min_reward_duration in the config module accepts any u64 value without validation. When min_reward_duration is set to a value near the maximum u64, subsequent calls to add_reward will abort, as there is no end time for which duration ≥ min_reward_duration can hold. There is also no upper bound on the reward duration in add_reward, allowing managers to create reward periods spanning decades or centuries. This effectively locks reward tokens for impractically long periods, reducing capital efficiency and creating zombie rewards that will never realistically complete their emission schedule.


Missing Input Validation in bin_id_from_score

Severity: Low

Ecosystem: Sui

Protocol: Cetus CLMM

Auditor: Asymptotic

Report: https://drive.google.com/drive/folders/1d9nv3nJidsbQ0vDT8D1kEuR3rJzK2ULg

Report Date: Nov 2025

Description:

The public function bin_id_from_score converts a score to a bin ID without validating the input, creating an asymmetry with its inverse function bin_score, which enforces strict validation.


Inconsistent Validation in pool::add_reward

Severity: Low

Ecosystem: Sui

Protocol: Cetus CLMM

Auditor: Asymptotic

Report: https://drive.google.com/drive/folders/1d9nv3nJidsbQ0vDT8D1kEuR3rJzK2ULg

Report Date: Nov 2025

Description:

The pool::add_reward function is responsible for adding rewards to the pool, but it exhibits several inconsistencies. Managers (reward manager role) can bypass critical validations that non-managers must follow. This could lead to inconsistencies if manager actions deviate from expected standards. Start time validations differ between the pool and reward manager levels, causing uncertainty about the correct requirements. Neither pool::add_reward nor reward::add_reward validates that the reward amount is greater than zero.


Missing Validation for Length Consistency of bins amounts_a and amounts_b in add_liquidity

Severity: Low

Ecosystem: Sui

Protocol: Cetus DLMM

Auditor: MoveBit

Report: https://drive.google.com/drive/u/0/folders/1d9nv3nJidsbQ0vDT8D1kEuR3rJzK2ULg

Report Date: Sep 2025

Description:

In the pool.move file, the add_liquidity function takes three vector parameters: bins, amounts_a, and amounts_b, and uses them within a loop. Unlike the open_position function, the add_liquidity function does not validate whether the lengths of these three vectors are consistent. The open_position function includes an explicit check.


Insert Range Check In Utils

Severity: Low

Ecosystem: Sui

Protocol: Maven

Auditor: OtterSec

Report:

https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Apr 2023

Description:

In utils.move, vector_slice should return the subslice of the vector, starting at the start index and ending at the end index. However, there is no check to ensure that end is higher than start; in this case, the function returns an empty vector.


Incorrect checks result in the absence of verification of the invariant

Severity: Low

Ecosystem: Sui

Protocol: MystenLabs Sui

Auditor: OtterSec

Report: 

https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: May 2023

Description: In voting_power.move, check_invariants checks the enforcement of invariants after setting the voting power. However, the first if statement compares stake_i with itself instead of stake_j, not checking the invariant.


Insufficient checks for the order of genes

Severity: Low

Ecosystem: Sui

Protocol: MystenLabs Sui

Auditor: OtterSec

Report: 

https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: May 2023

Description: definitions_from_bcs should ensure the correct order of genes. Otherwise, if definitions are set in an incorrect order, receiving parts of the value becomes impossible.


Erroneous checks allow the user to create an invalid discount code

Severity: Low

Ecosystem: Sui

Protocol: MystenLabs Sui

Auditor: OtterSec

Report: 

https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: May 2023

Description:

In remove_later::deserialize_discount_code, the current validation for the discount code rate during deserialization is incorrect, as it only checks if the rate is greater than zero or less than three characters. The intended validation should verify that the rate is greater than zero and less than three characters.


Lack of validation in setting and retrieving default domain names

Severity: Low

Ecosystem: Sui

Protocol: MystenLabs Sui

Auditor: OtterSec

Report: 

https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: May 2023

Description:

In registry.move, set_default_domain_name sets the value of the new default_domain_name, however, several checks are missing.

  1. The function does not check if new_default_domain_name exists or if the sender is its owner.
  2. The function only permits modifying the default domain name setting for subdomains of addr.reverse, leaving the field empty for all other domains.
  3. The default domain name still points to the same domain if the owner changes.
  4. The default domain name should not be accessible through any other public functions. However, registry::get_name_record_all_fields returns the default domain name without validation.

Prevent Zero Unstaking

Severity: Low

Ecosystem: Sui

Protocol: Aftermath LSD

Auditor: OtterSec

Report: 

https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: May 2023

Description:

When a user requests to unstake in order to exchange AFSUI for SUI, a PendingUnstakeRecord is stored in StakedSuiVaultStateV1::pending_unstake_records. During epoch_was_changed, process_pending_unstake_requests calculates the SUI amount from the AFSUI amount in the record based on the exchange rate. Due to the access to the dynamic field, field_request_counter increases, which raises the reward to be sent to the caller from the crank incentive pool. Therefore, allowing unstake for a zero amount causes the protocol to consume the crank incentive reward pool without generating any fees. This enables a malicious user to extend the crank process and exhaust the crank incentive pool.


Rebalance Security Checks

Severity: Low

Ecosystem: Sui

Protocol: Volo

Auditor: OtterSec

Report: 

https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Oct 2023

Description:

native_pool::rebalance does not include calls to the assert_version and when_not_paused functions.


Inconsistencies In Object Creation

Severity: Low

Ecosystem: Sui

Protocol: Drife Technologies

Auditor: OtterSec

Report: 

https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Dec 2023

Description:

add_stop creates a Stop object with the duration parameter and appends it to the ride.stops vector. However, it lacks cross-checking against existing stops, specifically concerning values like stop_started or stop_ended. Without proper validation, there is a risk that these values might conflict with other stops, resulting in unintended consequences during fare calculation or ride management.


Inadvertent Locking Of Tokens In Incorrect Chain

Severity: Low

Ecosystem: Sui

Protocol: Sui Bridge

Auditor: OtterSec

Report: 

https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Feb 2024

Description: target_chain could be one that doesn’t accept tokens, which can then be locked.


Payload Size Limitation

Severity: Low

Ecosystem: Sui

Protocol: Sui Bridge

Auditor: OtterSec

Report: 

https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Feb 2024

Description: Payloads under 64 bytes produce an invalid target-address message, leaving the tokens unclaimable on the Ethereum chain.


Signature Approval Flaw

Severity: Low

Ecosystem: Sui

Protocol: Sui Axelar(Gateway V2)

Auditor: OtterSec

Report: 

https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: May 2024

Description: The threshold represents the minimum combined weight required from validators to approve a message. Each validator in the signer set has an associated weight, which signifies its voting power or influence. Thus, in validate_signatures, if the threshold is set to zero, any number of signatures—regardless of the validators’ weights—will be sufficient for approval.


Minting of Zero LST

Severity: Low

Ecosystem: Sui

Protocol: Solend Liquid Staking

Auditor: OtterSec

Report: 

https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Oct 2024

Description:

It is theoretically possible for sui_amount_to_lst_amount to return zero when the calculated lst_amount is a very small fraction due to the supply ratio. The function computes the LST amount by dividing total_lst_supply * sui_amount by total_sui_supply. If sui_amount is very small compared to total_sui_supply, the result of the division may round down to zero. This is problematic because it implies that the user effectively receives no tokens in exchange for their staked assets.


Misalignment of Token Metadata

Severity: Low

Ecosystem: Sui

Protocol: Aftermath Market Making

Auditor: OtterSec

Report: 

https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Jan 2025

Description:

The issue arises from incorrect parameter ordering when calling coin::create_currency within create_vault_cap. create_currency defines the expected order of parameters as [symbol, name]. However, create_vault_cap passes the name parameter in place of symbol and the symbol parameter in place of name. As a result, the shorthand symbol and full name are reversed during token creation. A mismatch in expected token metadata will create confusion among users and external programs interacting with the token, affecting the operational integrity of the program.


Missing Validator Set Integrity Checks

Severity: Low

Ecosystem: Sui

Protocol: Lombard Sui

Auditor: OtterSec

Report: 

https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Feb 2025

Description:

The current implementation of assert_and_configure_validator_set in Consortium lacks critical checks, which may allow invalid validator keys. The function does not check for duplicate validator public keys. There is no validation to ensure that the validator keys are correct and that each validator’s public key is exactly 65 bytes long.


Possible Zero Token Minted in mint_market_coin Function

Severity: Low

Ecosystem: Sui

Protocol: Scallop

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Scallop-Smart-Contract-Audit-Report.pdf

Report Date: June 2023

Description:

If balance_sheet.cash + balance_sheet.debt is greater than balance_sheet.market_coin_supply and underlying_amount is relatively small, the computed mint_amount is 0. This can lead to a situation where the user deposits funds (underlying_balance) but no MarketCoin shares are minted, so the user receives no shares for their deposit.


Lack of Range Checks for the create_risk_model_change

Severity: Low

Ecosystem: Sui

Protocol: Scallop

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Scallop-Smart-Contract-Audit-Report.pdf

Report Date: June 2023

Description:

The function create_risk_model_change lacks reasonable range checks for collateral_factor, liquidation_factor, liquidation_penalty, and liquidation_discount. Even in a trusted role system, there still exists the possibility of inputting typos and creating the wrong risk_model for the markets.


Missing start_time Parameter Check

Severity: Low

Ecosystem: Sui

Protocol: Bucket Protocol

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Bucket-Protocol-Smart-Contract-Audit-Report.pdf

Report Date: June 2023

Description:

In the vesting_lock module, the new function creates VestingLock and lacks the check of start_time. It is recommended to ensure that start_time is greater than or equal to the current time.


compute_weight May Be 0

Severity: Low

Ecosystem: Sui

Protocol: Bucket Protocol

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Bucket-Protocol-Smart-Contract-Audit-Report.pdf

Report Date: June 2023

Description:

In the calculation of the compute_weight function, the value of stake_amount may be less than MAX_LOCK_TIME/lock_time, resulting in a return value of 0, so the user receives no benefit.


remaining_redemption_amount May Not Be 0

Severity: Low

Ecosystem: Sui

Protocol: Bucket Protocol

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Bucket-Protocol-Smart-Contract-Audit-Report.pdf

Report Date: June 2023

Description:

In the handle_redeem function, if buck_input_amount is enough to repay all the bottles, remaining_redemption_amount may be left non-zero. The restriction imposed by the assert may be too strict; alternatively, add another check to determine whether all the bottles have been repaid.


Parameter Validation is Missing When Creating a PreSale

Severity: Low

Ecosystem: Sui

Protocol: TurboStar Smart Contract

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/TurboStar-Smart-Contract-Audit-Report.pdf

Report Date: May 2023

Description:

In the function create_presale(), there is a lack of validation for the parameters start_time and end_time. The start_time should be greater than or equal to the current time and less than end_time. The functions increment_endtime() and increment_starttime() have the same issue.


create_payoff_configs Parameter Verification

Severity: Low

Ecosystem: Sui

Protocol: Typus Finance

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Typus-Finance-Smart-Contract-Audit-Report.pdf

Report Date: May 2023

Description:

create_payoff_configs does not require the number of elements in its vector parameter to be greater than 0; if the vector is empty, it may cause an inaccurate calculation in activate_->calculate_max_loss_per_unit.


remove_bid Does Not Judge Whether the Address Exists

Severity: Low

Ecosystem: Sui

Protocol: Typus Finance

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Typus-Finance-Smart-Contract-Audit-Report.pdf

Report Date: May 2023

Description:

When the remove_bid function is called, it does not check whether the bidder's address exists, and an error will be raised if it does not.


Withdrawal and Repayment Lack of Validation for Zero Amounts

Severity: Low

Ecosystem: Sui

Protocol: Navi

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Navi-Smart-Contract-Audit-Report.pdf

Report Date: July 2023

Description:

When using the repay() function to repay debts, if the current user does not have any debt, the current logic saves tokens to the pool and then takes them out of the pool. We believe this operation is meaningless and can cause more gas losses. We recommend using an assert function to validate and block this transaction. Similarly, when using the withdraw() function, validation for whether the withdrawable amount is zero is missing.


Parameter Limit

Severity: Low

Ecosystem: Sui

Protocol: KriyaDEX

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/KriyaDEX-Smart-Contract-Audit-Report.pdf

Report Date: May 2023

Description:

The parameters scaleX and scaleY of the function create_pool may pose a risk if they are freely inputted by the user.


Lack of Validation for name and uri Parameters in execute_meta_info Function

Severity: Low

Ecosystem: Sui

Protocol: MSafe Maven

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Maven-Smart-Contract-Audit-Report.pdf

Report Date: May 2023

Description:

When modifying the name and uri fields of the Maven struct, it is necessary to validate the name and uri parameters. The execute_meta_info function modifies the name and uri fields but does not perform validation.


Lack of Validation for Existing Whitelist Member

Severity: Low

Ecosystem: Sui

Protocol: SuiPad

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/SuiPad-Smart-Contract-Audit-Report.pdf

Report Date: May 2023

Description:

In the method add_investor, there is no check for the existence of the added address. This may lead to adding the same address repeatedly.


Unchecked Vector

Severity: Low

Ecosystem: Sui

Protocol: SuiPad

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/SuiPad-Smart-Contract-Audit-Report.pdf

Report Date: May 2023

Description:

When creating a campaign, there is no check that scheduled_times and scheduled_rewards meet the following requirements: the vector lengths are equal, the sum of scheduled_rewards is 100, and scheduled_times is increasing. In vault.move L108, when scheduled_times is longer than scheduled_rewards, indexing vault.scheduled_rewards in the loop will raise an error.


Unverified Amounts Being Set to 0

Severity: Low

Ecosystem: Sui

Protocol: Aries Market (Sui)

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Aries-Smart-Contract-Audit-Report.pdf

Report Date: June 2023

Description:

It was observed that the deposit, withdraw, borrow, and repay functions did not include any validation to verify whether the amounts being processed were equal to zero. Even though transactions could still proceed when the amounts were zero, subsequent operations would be irrelevant.


Lack of Check for the Existence of Resources

Severity: Low

Ecosystem: Sui

Protocol: Mini Miners

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Mini-Miners-Contract-Audit.pdf

Report Date: Apr 2023

Description:

The code does not check whether item_id exists before deleting it.


List Structure Design Flaws

Severity: Low

Ecosystem: Sui

Protocol: Cetus Concentrated Liquidity Protocol (Sui)

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Cetus-Concentrated-Liquidity-Protocol-Sui-Contract-Audit-Report.pdf

Report Date: Apr 2023

Description:

The list is a data structure in the form of a linked list. Each node is stored using a dynamic field in Sui. A dynamic_field in Sui cannot hold multiple key-value pairs with the same key; inserting a duplicate key raises an error. Although this project will not produce duplicate keys, the list data structure itself should check whether the key already exists.


Time Parameter Check

Severity: Low

Ecosystem: Sui

Protocol: Cetus Concentrated Liquidity Protocol (Sui)

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Cetus-Concentrated-Liquidity-Protocol-Sui-Contract-Audit-Report.pdf

Report Date: Apr 2023

Description:

The start_time created and updated by create_partner may be smaller than the current time, and should be greater than or equal to the current time.


Unchecked Liquidation Parameters

Severity: Low

Ecosystem: Aptos

Protocol: Echleon

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Apr 2025

Description:

The pair creation process lacks validation of critical risk parameters. Also, there is a lack of boundary checks on liquidation parameters during market creation, risking invalid market configurations that may disrupt liquidation behavior.


Insufficient Liquidation Incentive Check

Severity: Low

Ecosystem: Aptos

Protocol: Echleon

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Apr 2025

Description:

market_enter_efficiency_mode fails to check if a market’s liquidation incentive is higher than the efficiency mode’s, allowing markets with weaker liquidation incentives to enter.


Bypassing Minimum Lock Duration

Severity: Low

Ecosystem: Aptos

Protocol: Thala Swap

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Jan 2025

Description:

increase_lock_amount_and_duration allows users to bypass the minimum lock duration by initially creating a small lock and later increasing it significantly, potentially circumventing the intended vesting period.


Utilization of Empty Investor ID

Severity: Low

Ecosystem: Aptos

Protocol: Aptos Labs Securitize

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Oct 2024

Description:

register_investor lacks a check to prevent empty string IDs, which may result in significant logical errors in the contract.


Invalid Threshold range

Severity: Low

Ecosystem: Aptos

Protocol: MSafe MVP Program

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Oct 2023

Description:

The threshold represents the minimum number of signatures required for authenticating a transaction. The Aptos multisig implementation validates that the threshold is not zero.


Ambiguity In Withdrawal Frequency Checks

Severity: Low

Ecosystem: Aptos

Protocol: Steamflow

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Mar 2023

Description:

protocol::create only ensures that withdrawl_frequency is above 30 but does not validate that withdrawl_frequency is above the contract.period value, unlike update.


Missing Length Validation Assertions for Vector-Type Parameters in the process_cluster Function

Severity: Low

Ecosystem: Aptos

Protocol: Supra

Auditor: MoveBit

Report: https://movebit.xyz/reports/Supra-Smart-Contract-Audit-Report.pdf

Report Date: Sep 2023

Code Snippet: N/A

Description:

It is essential to ensure that the lengths of all Vector-type parameters are consistent within the process_cluster function; otherwise, it may result in an abort. However, there is a lack of assertions for validating the lengths of Vector-type parameters.


Unexpected Pool Status (Property 6 Does Not Hold)

Severity: Low

Ecosystem: Aptos

Protocol: Liquidswap

Auditor: MoveBit

Report: https://movebit.xyz/reports/Pontem-Liquidity-Swap-Formal-Verification-Audit-Report.pdf

Report Date: Apr 2024

Description:

Property 6 requires that each step in update_bin correctly updates the value of the bin and returns the correct coin value/type; after minting, pool.coin_x or pool.coin_y should rise. During the specification work we found that pool.coin_x and pool.coin_y are reassigned after the loop in the mint_bin function, and this reassignment of the pool leads to the violation of this property. The affected functions are mint_bin and update_bin. With the reassigned pool, neither coin_x nor coin_y increases after the mint.


Zero Fee Deposit for Small Amounts

Severity: Low

Ecosystem: Aptos

Protocol: Merkle Trade Smart Contract

Auditor: MoveBit

Report: https://movebit.xyz/reports/Merkle-Trade-Smart-Contract-Audit-Report.pdf

Report Date: July 2023

Description:

In the deposit() function, there is a possibility for users to deposit a very small amount that results in a fee of zero. This allows users to bypass paying any deposit fees. The function calculates the deposit fee based on the house_lp.deposit_fee percentage and the original amount deposited. If the amount is extremely small, the calculated fee may round down to zero. Consequently, the _amount variable will remain unchanged, and the user can deposit the entire amount without incurring any fee. This issue allows users to make deposits without paying the intended deposit fee, potentially leading to a loss of revenue for the system. The same issue applies to the withdraw() function.


Check Sufficient LP Collateral

Severity: Low

Ecosystem: Aptos

Protocol: Merkle Trade Smart Contract

Auditor: MoveBit

Report: https://movebit.xyz/reports/Merkle-Trade-Smart-Contract-Audit-Report.pdf

Report Date: July 2023

Description:

It's good practice to check that HouseLPVault has enough collateral to withdraw; otherwise the balance is only checked deep down in aptos_std::coin::extract.


Deserialization Should Explicitly Check Data Length

Severity: Low

Ecosystem: Aptos

Protocol: Superposition

Auditor: MoveBit

Report: https://movebit.xyz/reports/Superposition-Final-Audit-Report.pdf

Report Date: Mar 2024

Description:

The deserialization methods read_u8, read_u16, read_u32, read_u64, read_u128, read_u256, etc., do not check the length of bytes before consuming the data. If the input is too short, the function will panic.


Fee Rates Should Be Hard Capped Under 100%

Severity: Low

Ecosystem: Aptos

Protocol: Superposition

Auditor: MoveBit

Report: https://movebit.xyz/reports/Superposition-Final-Audit-Report.pdf

Report Date: Mar 2024

Description:

In tenant.move, set_liquidation_fee_rate, set_interest_rate_fee_rate and set_stability_fee_rate can set arbitrary fee rates without limitation. If any of the fee rates exceeds 100%, it would result in the total loss of the funds.


Lack of parameter check

Severity: Low

Ecosystem: Aptos

Protocol: PatronusFi

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/PatronusFi-Contract-Audit-Report.pdf

Report Date: Mar 2023

Description:

There is no check that the amount is greater than 0, and no check that the wcoin balance is greater than the amount parameter passed in.


Vault may already exist

Severity: Low

Ecosystem: Aptos

Protocol: PatronusFi

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/PatronusFi-Contract-Audit-Report.pdf

Report Date: Mar 2023

Description:

When creating a vault, create_vault does not check whether a vault already exists under the bank address, nor whether the token has been registered in wcoin::create.


There is no assert in the function to verify whether the amount is greater than 0

Severity: Low

Ecosystem: Aptos

Protocol: Aries Market (Aptos)

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Aries-Market-Contracts-Audit-Report.pdf

Report Date: Feb 2023

Description:

It is not verified whether the amount is 0 before recharging. According to the code logic, it is only verified later when profile::repay_profile is executed, which needlessly consumes extra gas.


Lack of the check for coin amount

Severity: Low

Ecosystem: Aptos

Protocol: Mole

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Mole-Aptos-Audit-Report.pdf

Report Date: Feb 2023

Description:

Depending on the parameters of the deposit function, the calculated number of shares minted to the user may be 0. When minting tokens, a value of 0 should not be minted.


TinyCoin has no upper-limit check on its value

Severity: Low

Ecosystem: Aptos

Protocol: Mole

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Mole-Aptos-Audit-Report.pdf

Report Date: Feb 2023

Description:

After the swap, the value of TinyCoin may be relatively large, i.e. not tiny enough, causing some losses to users.


Tokens might not be registered

Severity: Low

Ecosystem: Aptos

Protocol: Mole

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Mole-Aptos-Audit-Report.pdf

Report Date: Feb 2023

Description:

In the kill function of the liquidswap_worker module, there is no check in advance on whether the BaseCoin token has been registered.


Invalid end_time argument of partner::create_partner may cause partner::get_ref_fee_rate to return incorrect fee rate

Severity: Low

Ecosystem: Aptos

Protocol: Cetus Concentrated Liquidity Protocol (Aptos)

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Cetus-Concentrated-Liquidity-Protocol-Aptos-Audit-Report.pdf

Report Date: Jan 2023

Description:

partner::create_partner doesn't check whether the argument end_time is greater than now. It is used to initialize PartnerMetadata.end_time. If PartnerMetadata.end_time is less than now, and is not updated by partner::update_time later, the partner would always get a zero fee rate returned by partner::get_ref_fee_rate, and thus the partner would never receive any partner fee.


Unchecked deposit amount

Severity: Low

Ecosystem: Aptos

Protocol: Echelon

Auditor: Zellic

Report: https://github.com/Zellic/publications/blob/master/Echelon - Zellic Audit Report (January).pdf

Report Date: Jan 2025

Description:

The receive_deposit_batch function calls parse_deposit_payload to parse deposit payloads. While received_asset_amount represents the total sum of all depositor amounts, the parse_deposit_payload function lacks validation to ensure this sum matches the actual total deposit amount received.


Missing validation checks in set_params

Severity: Low

Ecosystem: Aptos

Protocol: Aptos Dollar

Auditor: Zellic

Report: https://github.com/Zellic/publications/blob/master/Thala Labs Move Dollar - Zellic Audit Report.pdf

Report Date: Oct 2022

Description:

Currently there are no validation checks in params::set_params to ensure that the following critical protocol parameters are not set to values that break the protocol.


Missing assertion checks for oracle initialization

Severity: Low

Ecosystem: Aptos

Protocol: Aptos Dollar

Auditor: Zellic

Report: https://github.com/Zellic/publications/blob/master/Thala Labs Move Dollar - Zellic Audit Report.pdf

Report Date: Oct 2022

Description:

There are no checks in place to enforce that oracle::set_price has been called for a given CoinType prior to calling vault::initialize.


batch_set_asset_feed_ids should revert when assets and feed_ids lengths are not the same

Severity: Low

Ecosystem: Aptos

Protocol: AAVE v3.0.2 Core

Auditor: Spearbit

Report: https://github.com/aave/aptos-aave-v3/blob/main/audits/Spearbit%20Aave%20Aptos%20Core%20V3.0.2%20Report.pdf

Report Date: Jun 2025

Description:

The batch_set_asset_feed_ids function does not check that the lengths of the two input vectors, assets and feed_ids, match. If feed_ids is longer than assets, the function will not revert, but not all of the feed_ids will be assigned to an asset.


AToken/vToken factories functions work with tokens of the opposite type

Severity: Low

Ecosystem: Aptos

Protocol: AAVE v3.0.2 Core

Auditor: Spearbit

Report: https://github.com/aave/aptos-aave-v3/blob/main/audits/Spearbit%20Aave%20Aptos%20Core%20V3.0.2%20Report.pdf

Report Date: Jun 2025

Description:

The token_base function is used as the shared module between aTokens and vTokens. To get a token's balance one can call the public functions on either the a_token_factory or variable_debt_token_factory modules. However, not all functions check if the token address parameter is indeed a token of the factory's type, for example:

  • A user can call variable_debt_token_factory::scaled_balance_of(owner, metadata_address=a_token) with an a_token address and receive the aToken balance, and vice versa for the aToken factory and vToken parameters.

This should not be valid and in the worst case, this can lead to exploits in integrators that don't perform further checks on the metadata_address (like interpreting a vToken address as an aToken collateral balance in an a_token_factory::scaled_balance(owner, metadata_address=vToken)).


coin_to_fa should revert if the user has not enough CoinType balance to perform the conversion

Severity: Low

Ecosystem: Aptos

Protocol: AAVE v3.0.2 Periphery

Auditor: Spearbit

Report: https://github.com/aave/aptos-aave-v3/blob/main/audits/Spearbit Aave Aptos Periphery V3.0.2 Report.pdf

Report Date: Jun 2025

Description:

The current sanity check performed by aave_pool::coin_migrator::coin_to_fa on the user balance is not correctly implementing the requirement to revert when the caller has not enough CoinType balance to perform the conversion of amount coins. The function fetches the user's balance by calling coin::balance(signer::address_of(account)) which does not strictly return the amount of CoinType owned by the user that could be converted to the FungibleAsset version, but it rather returns the total amount of both CoinType + FungibleAsset (of the CoinType) amount.


Lack of Lower and Upper Bound in set_emission_per_second

Severity: Low

Ecosystem: Aptos

Protocol: AAVE v3.0.2 Periphery

Auditor: Spearbit

Report: https://github.com/aave/aptos-aave-v3/blob/main/audits/Spearbit Aave Aptos Periphery V3.0.2 Report.pdf

Report Date: Jun 2025

Description:

The set_emission_per_second function in the RewardsController module allows setting new emission rates for rewards without validating upper or lower bounds. This could lead to two potential issues:

  1. Setting extremely high emission rates could cause excessive rewards distribution and potential numerical overflow when calculating rewards.
  2. Setting extremely low (but non-zero) emission rates could lead to rewards that effectively round to zero, wasting gas on calculations that produce no meaningful rewards.


Missing Zero Amount Checks

Severity: Low

Ecosystem: Aptos

Protocol: Hyperionxyz Vaults

Auditor: ExVul

Report: https://github.com/ExVul-Sec/AuditReport/blob/main/Smartcontract/Hyperion Smart Contrat Audit Report-Exvul.pdf

Report Date: Apr 2025

Description:

Functions like remove_as_pair and remove_as_single assert token_amount != 0, but deposits (deposit_with_pair, deposit_with_single) don't explicitly check for zero amount_a_desired/amount_b_desired or amount_in. While downstream calls might handle this, explicit checks can prevent wasted gas or unexpected behavior.


Missing Zero Liquidity Check

Severity: Low

Ecosystem: Aptos

Protocol: Hyperionxyz Vaults

Auditor: ExVul

Report: https://github.com/ExVul-Sec/AuditReport/blob/main/Smartcontract/Hyperion Smart Contrat Audit Report-Exvul.pdf

Report Date: Apr 2025

Description:

In the close_position function, the logic directly calls pool_v3::remove_liquidity using the liquidity_amount retrieved from position_v3::get_liquidity. However, there is no check to ensure that liquidity_amount is non-zero. If the value is 0, calling remove_liquidity with zero liquidity may lead to unexpected behavior, wasted gas, or even reverts inside the remove_liquidity logic, depending on the pool implementation.


Should check if the amount_in is bigger than 0

Severity: Low

Ecosystem: Aptos

Protocol: Hyperionxyz Vaults

Auditor: ExVul

Report: https://github.com/ExVul-Sec/AuditReport/blob/main/Smartcontract/Hyperion Smart Contrat Audit Report-Exvul.pdf

Report Date: Apr 2025

Description:

In the swap_liquidity_token_to_another function, there is no explicit check to ensure that amount_in is greater than zero before performing a withdrawal and initiating a swap.


Nonce expiration isn’t verified before removal

Severity: Low

Ecosystem: Sui

Protocol: Claynosaurz

Auditor: Certora

Report: https://github.com/Certora/SecurityReports/blob/main/Reports/2025/04_18_2025_Claynosaurz_NFT.pdf

Report Date: Apr 2025

Code Snippet: N/A

Description:

registry::update_nonce_expiration_window() allows the admin to remove old nonces from the registry. However, the function doesn’t verify that the nonces have expired already and relies on the admin to check that. It might be best to double-check that programmatically and not only rely on the admin.


Bytes isn’t verified to be fully consumed by claim_boosterpack()

Severity: Low

Ecosystem: Sui

Protocol: Claynosaurz

Auditor: Certora

Report: https://github.com/Certora/SecurityReports/blob/main/Reports/2025/04_18_2025_Claynosaurz_NFT.pdf

Report Date: Apr 2025

Description:

claim_boosterpack() decodes a bytes parameter that contains encoded data about the booster pack. However, it doesn't verify that the bytes were fully consumed by decoding (i.e. that the bytes vector is empty after 'peeling' off all the data). This means the function might accept data that is longer than expected and carries excess bytes at its end. Such data wasn't signed for claiming a booster pack and should be rejected by the function.


Missing role bounds check in has_role

Severity: Low

Ecosystem: Sui

Protocol: Elixir

Auditor: Pashov Audit Group

Report: https://github.com/pashov/audits/blob/master/team/pdf/Elixir-security-review_2025-08-17.pdf

Report Date: Aug 2025

Code: N/A

Description:

The has_role function in sources/acl.move lacks role bounds validation, unlike the other role functions. This inconsistency could cause runtime aborts if invalid role values (≥128) are passed. The issue may arise in future integrations where external contracts pass user-controlled role parameters, or during cross-contract calls with unvalidated inputs. Impact: transactions abort at runtime instead of failing with a graceful error, leading to inconsistent API behavior.


The deposit function lacks asset support check

Severity: Low

Ecosystem: Sui

Protocol: Elixir

Auditor: Pashov Audit Group

Report: https://github.com/pashov/audits/blob/master/team/pdf/Elixir-security-review_2025-08-17.pdf

Report Date: Aug 2025

Description:

The deposit function allows anyone to send coins to management, mainly intended for the router to inject the tokens required for withdrawals after rebalancing.


Missing Input Validation

Severity: Low

Ecosystem: Aptos, Initia, and Movement

Protocol: Echelon Market

Auditor: Quantstamp

Report: https://certificate.quantstamp.com/full/echelon-market/9ee15c30-6a0f-4a70-b5ce-63b8a887bd4e/index.html

Report Date: Mar 2025

Description:

The following functions lack proper input validation:

  1. isolated_lending::isolated_lending:

    1. set_pair_collateral_dust_amount(): collateral_dust_amount is unbound and may have any value between zero and MAX_U64.
    2. set_pair_supply_cap(): supply_cap has neither a lower nor an upper bound, allowing arbitrary caps, which may leave the pair temporarily in an inoperable state.
    3. set_pair_borrow_cap(): borrow_cap has neither a lower nor an upper bound, allowing arbitrary caps, which may leave the pair temporarily in an inoperable state.
    4. set_pair_jump_interest_rate_model(): All parameters are unbound and unchecked, with the exception of utilization_kink_bps, which however may assume any value between zero and BPS_BASE.
    5. create_pair_internal():
      1. liquidation_incentive_bps is not checked to be greater than or equal to BASE_BPS and smaller than or equal to MAX_LIQUIDATION_INCENTIVE_BPS.
      2. collateral_dust_amount is not checked to be within a reasonable bound.
      3. base_rate_bps is not checked to be within BASE_BPS.
      4. multiplier_bps is not checked to be within BASE_BPS.
      5. jump_multiplier_bps is not checked to be within BASE_BPS.
  2. lending::lending:

    1. set_market_jump_interest_rate_model():
      1. base_rate_bps, multiplier_bps and jump_multiplier_bps are not checked to be smaller than BPS_BASE or otherwise reasonably bound.
      2. It is not checked that jump_multiplier_bps < multiplier_bps, leading to no jump in rates after the kink point.
      3. It is not checked that utilization_kink_bps is a reasonable value. In particular, it is not checked that utilization_kink_bps != 0. If utilization_kink_bps == 0, borrow_interest_rate would divide by zero. This division-by-zero risk is particularly concerning as it would cause transaction failures for all operations that depend on interest rate calculations, including borrowing, supplying, and liquidations, potentially rendering markets unusable.
    2. set_market_rate_limit_internal(): window_max_qty is not checked to be non-zero or otherwise reasonably bound.
    3. deposit_reserve_fa(): Missing call to validate_fa_info().


MAX_LIQUIDATION_INCENTIVE_BPS Can Be Bypassed when Creating New Pairs

Severity: Low

Ecosystem: Aptos, Initia, and Movement

Protocol: Echelon Market

Auditor: Quantstamp

Report: https://certificate.quantstamp.com/full/echelon-market/9ee15c30-6a0f-4a70-b5ce-63b8a887bd4e/index.html

Report Date: Mar 2025

Description:

When changing the liquidation incentive via set_pair_liquidation_incentive_bps(), it is constrained to be within 100% and MAX_LIQUIDATION_INCENTIVE_BPS (150%). However, when creating new pairs via create_pair_internal() no such checks exist, allowing potentially higher or lower values, given sufficiently low collateral factor values to pass the coverage checks.


Missing Input Validation

Severity: Low

Ecosystem: Sui

Protocol: BalancerV2

Auditor: Quantstamp

Report: https://certificate.quantstamp.com/full/bucket-protocol-v-2/abd312d6-1a5e-45c5-963b-a6856daf6621/index.html

Report Date: Aug 2025

Description:

Human error may lead to erroneous inputs that drive unexpected protocol behavior. As such, input validation is important to include in the code to prevent incorrect inputs from influencing the protocol.

Many of the inputs are integers, some of which are formatted as basis points (bps). In most cases, basis points should not exceed 10000 (i.e. 100%). However, inputs above this number are possible.


Unbounded values can be set in config

Severity: Low

Ecosystem: Aptos

Protocol: KoFi Finance

Auditor: Zenith

Report: https://github.com/KofiFinance/audits/blob/main/Kofi Finance - Zenith Audit Report.pdf

Report Date: Mar 2025

Description:

The set_min_withdrawal_amount_admin function allows setting the minimum withdrawal amount without any upper bound validation. This could lead to a denial of service if the admin accidentally sets an extremely high minimum withdrawal amount, effectively preventing users from making withdrawals.