Medium Findings
Position Boundary Check Bypass Vulnerability
Severity: Medium
Ecosystem: Sui
Protocol: Cetus DLMM
Auditor: MoveBit
Report: https://drive.google.com/drive/u/0/folders/1d9nv3nJidsbQ0vDT8D1kEuR3rJzK2ULg
Report Date: Sep 2025
Description:
First, look at the new_open_position_cert function: Here, the position's lower_bin_id and upper_bin_id are indeed set correctly. Then look at the open_position_on_bin function: Here, it only checks whether bin_id is equal to next_bin_id , but does not check whether bin_id is within the range of position's lower_bin_id and upper_bin_id .
Dead Position Risk
Severity: Medium
Ecosystem: Sui
Protocol: Cetus DLMM
Auditor: MoveBit
Report: https://drive.google.com/drive/u/0/folders/1d9nv3nJidsbQ0vDT8D1kEuR3rJzK2ULg
Report Date: Sep 2025
Description:
When width == 0 in new_open_position_cert , a position with lower_bin_id > upper_bin_id is created. Later, in functions like remove_liquidity , the check in_bin_id.gte(position.lower_bin_id()) && max_bin_id.lte(position.upper_bin_id()) always fails. This leads to irreversible locked positions, permanently trapping user funds.
Missing Position-Pool Matching Validation in add_liquidity and remove_liquidity Functions
Severity: Medium
Ecosystem: Sui
Protocol: Cetus DLMM
Auditor: MoveBit
Report: https://drive.google.com/drive/u/0/folders/1d9nv3nJidsbQ0vDT8D1kEuR3rJzK2ULg
Report Date: Sep 2025
Description:
The add_liquidity and remove_liquidity functions in sources/pool.move lack validation to ensure that the provided position belongs to the specified pool.
The BOND_MODE_MAX_BOND lock creation is practically unusable due to mismatched checks
Severity: Medium
Ecosystem: Sui
Protocol: Momentum
Auditor: Sherlock
Report Date: Nov 2025
Description:
The BOND_MODE_MAX_BOND creation path requires unbond_at == clock.timestamp_ms() + ve _mmt.vp_config().max_bond_epochs() * ve_mmt.ep_config().epoch_interval_ms(), while user creation requires is_epoch_start(unbond_at). Since “now” rarely equals an epoch start, valid inputs often fail. The helper view returns an unrounded timestamp, compounding the issue.
Missing Validation for tick_spacing in add_fee_tier
Severity: Medium
Ecosystem: Sui
Protocol: Full Sail CLMM
Auditor: Asymptotic
Report: https://info.asymptotic.tech/full-sail-clmm-audit
Report Date: May 2025
Description:
The add_fee_tier function in config module does not validate the tick_spacing parameter, allowing callers to set arbitrarily large values.
A very large tick_spacing significantly reduces tick density across the price range. In concentrated liquidity models like CLMM, this results in extremely coarse or even absent liquidity across wide price intervals, leading to inefficient pricing and degraded trading performance.
Missing Referral and Fee Rate Validation
Severity: Medium
Ecosystem: Sui
Protocol: ZO Perps(Sudo)
Auditor: Asymptotic
Report: https://info.asymptotic.tech/sudo-audit-report
Report Date: Mar 2025
Description:
The admin functions set_referral_rate and set_fee_config lack proper input validation for fee rates. While fee_rate has a 100% limit (which seems too high), referral rates are completely unlimited. This allows setting arbitrary referral rate percentages without bounds (e.g., above 100%), which may cause transactions to revert during position operations.
Additionally, setting referral rates higher than fee rates could negatively impact users who utilize the referral system.
Missing Input Validation for Position Orders
Severity: Medium
Ecosystem: Sui
Protocol: ZO Perps(Sudo)
Auditor: Asymptotic
Report: https://info.asymptotic.tech/sudo-audit-report
Report Date: Mar 2025
Description:
The open_position and decrease_position functions lack essential input validation when creating orders. For example, users can create open orders with zero collateral or zero open_amount, while position decrease orders have no validation for decrease amounts or leverage limits. These missing validations allow the creation of meaningless orders that waste system resources and may lead to unexpected behavior during execution.
Maximum Position Collateral Validation Inconsistency
Severity: Medium
Ecosystem: Supra
Protocol: Dexlyn Perp DEX
Auditor: Hacken
Report: https://hacken.io/audits/dexlyn/sca-dexlyn-perp-dex-jul2025/
Report Date: Sep 2025
Description:
A significant validation inconsistency exists between the order placement and execution phases regarding maximum_position_collateral enforcement. While validation correctly checks total projected collateral against the limit, execution only validates the post-fee collateral delta, allowing positions to exceed configured maximums when governance parameters change between order placement and execution.
Mismatched Array Lengths in Admin Messages Can Lead to State Corruption or Denial of Service
Severity: Medium
Ecosystem: IOTA Mainnet
Protocol: Echo Protocol Bridge
Auditor: Hacken
Report: https://hacken.io/audits/echo-protocol/sca-echo-protocol-bridge-iota-jul2025/
Report Date: Aug 2025
Description:
The system relies on privileged, off-chain administrators to configure its core parameters, such as which tokens are supported and what routes are active. This is accomplished via signed messages created by the create_add_tokens_on_iota_message and create_add_routes_on_iota_message functions in the bridge::message module. These functions accept several parallel vectors of data (e.g., token_ids, token_type_names, token_prices) which are then encoded into a message payload. This message is subsequently processed on-chain by the execute_add_tokens_on_iota and execute_add_routes_on_iota functions, which decode the payload and update the bridge's state.
The message creation functions (create_add...) fail to validate that the parallel vectors provided as input have identical lengths. A malicious or mistaken administrator can therefore craft a syntactically valid message with mismatched array lengths (e.g., providing 3 token IDs but only 2 prices). When the bridge attempts to process this malformed message, the transaction will abort due to an out-of-bounds error, leading to a Denial-of-Service (DoS) that prevents any administrative updates. This could trap the bridge in a misconfigured or paused state indefinitely.
Artificially Low Asset Price Leads to Rate-Limiter Bypass
Severity: Medium
Ecosystem: IOTA Mainnet
Protocol: Echo Protocol Bridge
Auditor: Hacken
Report: https://hacken.io/audits/echo-protocol/sca-echo-protocol-bridge-iota-jul2025/
Report Date: Aug 2025
Description:
The notional_value<T>() is fetched directly from the treasury module. The issue is that the function for setting this price, update_asset_notional_price, does not validate its input. It is called by execute_update_asset_price in bridge.move, which is in turn only callable via a committee-signed execute_system_message. If the committee sets an artificially low price for a high-value asset, the hourly transfer limits for that asset become ineffective.
Manipulated Initial Data Package Can Skew Timestamp Validation
Severity: Medium
Ecosystem: Sui
Protocol: RedStone
Auditor: Hacken
Report: https://hacken.io/audits/redstone/sca-redstone-finance-sui-connector-feb2025/
Report Date: Feb 2025
Description: The process_payload function extracts the timestamp from the first package in parsed_payload after filtering packages by their feed ID and extracts these packages. However, the package_timestamp function uses the first package's timestamp for other packages in the payload. This creates a risk because an attacker can insert a fake initial package with an incorrect timestamp, bypassing proper validation.
Insufficient Validation of Price Source Independence
Severity: Medium
Ecosystem: Sui
Protocol: Creek Finance
Auditor: MoveBit
Report: https://movebit.xyz/reports/Creek-Audit-Report-2025-12-30.pdf
Report Date: Dec 2025
Description:
In the determine_price function , the code calculates the required number of secondary matches using:
let required_secondary_match_num = (secondary_price_feed_num + 1) / 2;
However, there is no check to ensure that required_secondary_match_num > 0 . Additionally, in the upper-level function confirm_price_update_request , there is no validation to ensure that the primary_price_update_request and secondary_price_update_request originate from distinct sources.
Lack of Validation for Price Value in get_price function
Severity: Medium
Ecosystem: Sui
Protocol: Scallop
Auditor: MoveBit
Report Date: June 2023
Description:
Missing 0 check can lead to incorrect calculations and impact other functions.
Parameter Check for Creating Dutch
Severity: Medium
Ecosystem: Sui
Protocol: Typus Finance
Auditor: MoveBit
Report Date: Apr 2023
Description:
Parameters like decay_speed should not be zero, and time-related values must be logically consistent (e.g., start_ms < end_time_ms and end_time_ms should be greater than the current time).
Can Create Pools With Same Type
Severity: Medium
Ecosystem: Sui
Protocol: MovEx
Auditor: MoveBit
Report Date: Apr 2023
Description:
create_pool function doesn't check if pool type was already created which will lead to duplicate pools. Depth of each pool is not large enough and will cause slippage.
Create Pools with same Coin Type
Severity: Medium
Ecosystem: Sui
Protocol: MovEx
Auditor: MoveBit
Report Date: Apr 2023
Description:
You can create a pool with two of the same token.
Multiple related functions do not limit the empty Vector
Severity: Medium
Ecosystem: Sui
Protocol: Sui AMM swap
Auditor: MoveBit
Report Date: Nov 2022
Description:
The functions multi_add_liquidity, multi_remove_liquidity, and multi_swap first use the pop_back function for coins_in and lp_coin in the code to pop up the last element of the vector, but this does not judge that the length of the vector is 0.
Lack of Input Validation
Severity: Medium
Ecosystem: Sui
Protocol: Aries Market
Auditor: MoveBit
Report Date: Jun 2023
Description:
reserve_ratio is not checked to ensure it is not greater than 100 when updating reserve_config.
The addition of reserve is missing validation
Severity: Medium
Ecosystem: Sui
Protocol: Aries Market
Auditor: MoveBit
Report Date: Jun 2023
Description:
add_reserve lacks input validation — should include an assertion to prevent adding the same coin to the reserve. The client acknowledged this but deemed it a non-issue.
Validation is Required Before Deleting reserve_addr
Severity: Medium
Ecosystem: Sui
Protocol: Aries Market
Auditor: MoveBit
Report Date: Jun 2023
Description:
Check if reserve_addr exists, then proceed with delete.
ID occupied causes program termination
Severity: Medium
Ecosystem: Sui
Protocol: Mango
Auditor: ExVul
Report Date: July 2025
Description:
The new_bridge_pair funciton in config.move does not strictly enforce the relationship between the provided id and the internal pair_id counter.
strategy_type missing check
Severity: Medium
Ecosystem: Aptos
Protocol: Mole
Auditor: MoveBit
Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Mole-Aptos-Audit-Report.pdf
Report Date: Feb 2023
Description:
add_collateral and work functions both use strategy_type parameter to execute different logic. However, add_collateral lacks a check of strategy_type.
current_time not checked
Severity: Medium
Ecosystem: Aptos
Protocol: Cetus Concentrated Liquidity Protocol
Auditor: MoveBit
Report Date: Jan 2023
Description:
In get_ref_fee_rate, current_time does not check it is the current time.
Missing tick in range check
Severity: Medium
Ecosystem: Aptos
Protocol: Cetus Concentrated Liquidity Protocol
Auditor: MoveBit
Report Date: Jan 2023
Description:
get_sqrt_price_at_tick function does not check if tick is in range, some ticks out of range pass.
Create pool with two same CoinTypes
Severity: Medium
Ecosystem: Aptos
Protocol: Cetus Concentrated Liquidity Protocol
Auditor: MoveBit
Report Date: Jan 2023
Description:
A pool can be created between CoinA and CoinA, which is redundant.
Missing Check for Sequence Number
Severity: Medium
Ecosystem: Sui
Protocol: Walrus Contracts
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Feb 2025
Description:
While there is validation for the blob ID, there is no validation for the ending checkpoint sequence number. As a result, the value provided by a quorum-reaching node gets recorded in the state. If an incorrect number is entered, it causes a mismatch between the event blob being processed by the node and the on-chain tracking.
Exceeding Object Size Limit
Severity: Medium
Ecosystem: Sui
Protocol: Walrus Contracts
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Feb 2025
Description:
In staking_pool, if the StorageNodeInfo.{name,network_address} field is set to an excessively long value by the node owner, it may contribute significantly to the total size of the StakingPool object. This may restrict the addition of new values to pending_shares_withdraw, thereby blocking stakers from making withdrawals.
Missing Commission Rate Check
Severity: Medium
Ecosystem: Sui
Protocol: Walrus Contracts
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Feb 2025
Description:
There is no check to ensure that the commission rate is less than or equal to 10000, an ENotEnough error may occur in staking_pool::advance_epoch when the node becomes part of the committee.
Duplicate Entries
Severity: Medium
Ecosystem: Sui
Protocol: Drife Technologies
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Dec 2023
Description:
register_rider and register_driver allows the creation of multiple rider or driver objects with the same address, resulting in duplicate entries. Both register_rider and register_driver create a new rider or driver objects without checking whether an object with the same address already exists, resulting in multiple objects with the same address.
Signature Forgery
Severity: Medium
Ecosystem: Sui
Protocol: Drife Technologies
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Dec 2023
Description:
In the context of the drife_app::request_ride, the signature includes a parameter city: String after the address to allow the user to set the city name. However, this string may become any value, even to the operation name. Attacker can forge signature by manipulating this field.
Missing TransactionPayload Type Validation
Severity: Medium
Ecosystem: Aptos
Protocol: MSafe
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2022
Description:
The TransactionPayload struct contains the payload and its type. Aptos supports payloads of type: • WriteSet • Scripts • ModuleBundle • EntryFunction
The payload in theTransactionPayloadstruct can be any transaction type, not justEntryFunction. This assumption should be validated. For example, many internal functions such as register payload validation assume the layout of the TransactionPayload is a EntryFunction.
Missing Chain ID Validation
Severity: Medium
Ecosystem: Aptos
Protocol: MSafe
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Oct 2022
Description:
Transactions can be replayed from one chain to another if this field isn’t properly validated. In the context of a multisig, the transaction can be added but will fail at execution. Nonetheless, this represents a potential UX risk and is worth remediating. Validate chain_id in the validate_txn_payload function.
Lack Of Check For Forbidden IDs
Severity: Medium
Ecosystem: Sui
Protocol: Maven
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Apr 2023
Description:
Update admin policy could be set to forbidden ID, ensure check beforehand.
Users may set a TTL value that does not follow the maximum TTL limit
Severity: Medium
Ecosystem: Sui
Protocol: Mysten Labs Sui
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: May 2023
Description:
Users may assign invalid TTL values to their domain names, enforce limit.