Low Findings
Unimplemented Auto Pause Feature
Severity: Low
Ecosystem: Sui
Protocol: Creek Finance
Auditor: MoveBit
Report: https://movebit.xyz/reports/Creek-Audit-Report-2025-12-30.pdf
Report Date: Dec 2025
Description:
The Market struct defines the fields auto_pause_enabled and auto_pause_threshold, indicating that the protocol was designed with an automatic pause mechanism to handle extreme market conditions. However, no logic exists anywhere in the module's code to check whether the conditions defined by auto_pause_threshold have been triggered, nor is set_paused(self, true) automatically called when those conditions are met. This results in the complete absence of this functionality, giving users a false sense of security that the protocol has automatic risk controls in place, when in reality, this mechanism is not operational.
Inability To Withdraw Treasury Amount
Severity: Low
Ecosystem: Sui
Protocol: Navi
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: June 2023
Description:
Functions such as increase_treasury_balance and update_state exist to increase and update the treasury balance. However, there is no corresponding function to withdraw the treasury amount. As a result, these funds become locked in the pool.
Inability to Withdraw Owner Fees
Severity: Low
Ecosystem: Sui
Protocol: Aftermath Market Making
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Jan 2025
Description:
The vault allows for the collection of owner fees; however, it currently lacks a function to withdraw these accumulated fees, introducing operational inefficiencies. Without a withdrawal function, owner fees remain inaccessible, causing substantial funds to be locked in the contract over time as they accumulate, which negatively impacts the protocol's revenue model.
Lack of Revoke Function
Severity: Low
Ecosystem: Sui
Protocol: Mysten Deepbook V3
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Apr 2025
Description:
DepositCap and WithdrawCap are verified using only the balance_manager_id field, rather than by checking the allowed list, whereas TradeCap checks whether the cap ID is on the allowed list. As a result, DepositCap and WithdrawCap cannot be removed using the existing revoke function.
Lack of Reverse Functionality
Severity: Low
Ecosystem: Sui
Protocol: Scallop
Auditor: MoveBit
Report Date: June 2023
Description:
The contract currently supports the functionality of registering coins and collateral assets for the protocol. However, it lacks the ability to remove or unregister coins and collateral assets.
Missing Adapter Implementation in Supra Contract
Severity: Low
Ecosystem: Sui
Protocol: Scallop
Auditor: MoveBit
Report Date: June 2023
Description:
The Supra contract lacks implementation for the adapter. Without the adapter, the contract cannot effectively communicate or interact with the external environment, limiting its functionality and interoperability.
Description Cannot Be Modified
Severity: Low
Ecosystem: Sui
Protocol: Cetus Concentrated Liquidity Protocol (Sui)
Auditor: MoveBit
Report Date: Apr 2023
Description:
The description of open_position is set to an empty string when the position is created; it is not passed through function parameters, and no other function of the position module can modify the description afterwards.
Lack of Unfreeze Functionality
Severity: Low
Ecosystem: Aptos
Protocol: Echelon
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Apr 2025
Description:
There is a lack of functionality to unfreeze coin stores after a freeze operation in echelon_coin.
Lack of Token Unfreeze Functionality
Severity: Low
Ecosystem: Aptos
Protocol: Thala LSD
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Feb 2025
Description:
freeze_thapt_coin_stores permanently freezes token stores without any method to unfreeze them.
Contract Configuration and Loan Validation Improvements
Severity: Low
Ecosystem: Aptos
Protocol: Amnis
Auditor: MoveBit
Report: https://movebit.xyz/reports/Amnis-Final-Audit-Report.pdf
Report Date: Mar 2024
Description:
Currently, there is no place in the contract to modify loan_fee. Should the ability to update loan_fee be allowed in the config_pegging() function? Additionally, the loan_apt() function checks that the treasury balance must be greater than the loan amount. Should it also allow equality, as a borrower might acquire the entire balance before invoking this function? The current validation may lead to confusion for borrowers attempting to loan their entire balance.
partner and fee_tier modules don't have any functions to remove partner and fee
Severity: Low
Ecosystem: Aptos
Protocol: Cetus Concentrated Liquidity Protocol(Aptos)
Auditor: MoveBit
Report Date: Jan 2023
Description:
As time goes on, the partner and fee_tier modules may accumulate a large number of partners and fee_tiers. For administration, a way to remove unused partners and fee_tiers may be needed.
Locked redemption fees
Severity: Low
Ecosystem: Aptos
Protocol: Aptos Dollar
Auditor: Zellic
Report: https://github.com/Zellic/publications/blob/master/Thala Labs Move Dollar - Zellic Audit Report.pdf
Report Date: Oct 2022
Code Snippet: N/A
Description:
Currently there is no way for the manager to retrieve the fees stored in the FeeStore from calls made to manager::charge_redemption_fee in vault::redeem_collateral.
Impact:
The owners of the protocol would be unable to retrieve redemption fees from the FeeStore.
emission_manager should expose a getter function to fetch the current rewards_controller
Severity: Low
Ecosystem: Aptos
Protocol: AAVE v3.0.2 Periphery
Auditor: Spearbit
Report:
Report Date: Jun 2025
Description:
The current implementation of the emission_manager module does not expose a function that returns the rewards_controller currently in use. This piece of information is important for both integrators and users when they need to interact via the dApp to claim their rewards.
Missing Pause Functionality in Vault Contract
Severity: Low
Ecosystem: Aptos
Protocol: Hyperionxyz Vaults
Auditor: ExVul
Report Date: Apr 2025
Description:
The Vault contract previously lacked a pause mechanism, which is a fundamental operational control in DeFi contracts. Without a paused flag and corresponding validation logic, administrators are unable to temporarily disable critical functions (e.g., deposit, withdraw) during emergencies, upgrades, or abnormal conditions.
Missing Functionality: Partial Withdrawals
Severity: Low
Ecosystem: Sui
Protocol: MoviePass Exchange - MSX Smart Contract
Auditor: Certora
Report: https://github.com/Certora/SecurityReports/blob/main/Reports/2025/03_02_2025_MoviePass_MSX-MR.pdf
Report Date: Feb 2025
Description:
Both user and admin withdrawal functions (e.g., withdraw_custodial_pool and admin_withdraw_custodial_pool) currently withdraw the entire balance. Users who wish to withdraw only a portion of their funds must withdraw everything, then redeposit any funds they wish to keep. This may lead to increased transaction fees and reduced flexibility.
Missing the function to transfer the AdminCap object
Severity: Low
Ecosystem: Sui
Protocol: Elixir
Auditor: Pashov Audit Group
Report: https://github.com/pashov/audits/blob/master/team/pdf/Elixir-security-review_2025-08-17.pdf
Report Date: Aug 2025
Description:
The AdminCap is the protocol’s privilege credential. It is created in the init function and transferred to the sender.

However, the AdminCap object only has the key ability, which means it cannot be freely transferred via public_transfer outside the module. Moreover, there is no function within the module that allows the AdminCap holder to transfer ownership. This indicates that the functionality for owner transfer is missing.
Missing Global Pausability (All Pairs) Function for Quicker Reaction in Emergency
Severity: Low
Ecosystem: Aptos, Initia, and Movement
Protocol: Echelon Market
Auditor: Quantstamp
Report Date: Mar 2025
Description:
The isolated lending pools, while they can be individually paused, lack a global pausability function, unlike the lending core module, which supports a global pause flag as well as a per-market paused flag. This may result in losing valuable time in case of a hack, since all pools would have to be iterated over and paused individually.
Protocol only Supports Hard Liquidations
Severity: Low
Ecosystem: Sui
Protocol: BalancerV2
Auditor: Quantstamp
Report Date: Aug 2025
Code: N/A
Description:
The liquidation mechanism forces complete position closure regardless of how slightly a position breaches the minimum collateralization ratio. For example, a position at 149% collateralization faces total liquidation despite needing only minimal deleveraging to restore a 150% threshold. This all-or-nothing approach causes unnecessarily severe user losses and discourages efficient capital utilization near the collateralization boundaries.
The implementation allows liquidators to specify repayment amounts but always liquidates proportionally across the entire position rather than targeting a healthy collateralization ratio. This design may hold back users who are looking for optimized capital efficiency, since a position held near the boundary would be extremely risky.