Low Findings
Missing checked_package_version Enforcement in Multiple Functions
Severity: Low
Ecosystem: Sui
Protocol: Full Sail CLMM
Auditor: Asymptotic
Report: https://info.asymptotic.tech/full-sail-clmm-audit
Report Date: May 2025
Description:
Several functions across the factory and pool modules are missing calls to checked_package_version, which is used to ensure compatibility and enforce upgrade safety in systems with upgradeable packages.
Omitting this check allows these functions to be called even when the package version is outdated or mismatched, potentially leading to unintended behavior, security vulnerabilities, or inconsistent state if the logic is changed in newer versions.
Insufficient Version Validation in Version Management
Severity: Low
Ecosystem: Sui
Protocol: Momentum CLMM
Auditor: Asymptotic
Report Date: Aug 2025
Description:
The upgrade-minor and set-version functions do not validate that a version update follows a monotonic upgrade path. Both accept any value, including the current version (a no-op that still succeeds) or an older version (a downgrade), so an upgrade cannot be relied on to retire the previous version.
Non Atomic Upgrade And Migrate
Severity: Low
Ecosystem: Sui
Protocol: Wormhole
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: May 2023
Description: The package upgrade and the migrate step are not performed atomically, so within a BatchTransaction calls into both the old and the new module can be executed in the same transaction.
Lack of Version Check
Severity: Low
Ecosystem: Sui
Protocol: Scallop
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: June 2023
Description:
All user-callable functions perform a version check to ensure they utilize the most recent module whenever the protocol undergoes an upgrade. However, the functions within accrue_interest.move do not include this version validation, which may allow them to execute in their previous versions even after a protocol upgrade.
Absence of Version Update Functionality
Severity: Low
Ecosystem: Sui
Protocol: Bluefin Spot
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Nov 2024
Description:
In config, there is no mechanism to update the protocol’s version during package upgrades. This limitation will pose significant issues when deploying new versions of the protocol, especially if breaking changes are introduced. The GlobalConfig structure contains a version field, which is intended to track the current version of the protocol. The VERSION constant is defined in the module, but there is no function to modify the version field of GlobalConfig after the initial setup.
Missing Version Checks in Admin Functions
Severity: Low
Ecosystem: Sui
Protocol: Mayan Sui
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Feb 2025
Description:
Currently, in mayan-swift, admin functions are missing version checks. In fee_manager::state, admin functions such as add_token_config, update_token_config, and update_fee_collector do not include any version check, so an administrator could call the older version of the contract to bypass restrictions that are enforced in newer versions. Similarly, version checks are absent from change_paused and add_pair_emitter in mayan_swift::state.
Lack of Validation for Version
Severity: Low
Ecosystem: Sui
Protocol: Volo
Auditor: MoveBit
Report: https://movebit.xyz/reports/Volo-Smart-Contract-Audit-Report.pdf
Report Date: Sep 2023
Description: The function update_validators does not check the version.
update_nonce_expiration_window() lacks version validation
Severity: Low
Ecosystem: Sui
Protocol: Claynosaurz
Auditor: Certora
Report: https://github.com/Certora/SecurityReports/blob/main/Reports/2025/04_18_2025_Claynosaurz_NFT.pdf
Report Date: Apr 2025
Description:
The function update_nonce_expiration_window() does not verify that the registry's version matches the module's version. This allows the function to be called even after a newer version has been released.
Missing Package Version Validation in ALMM Pair Module
Severity: Low
Ecosystem: Aptos
Protocol: Magma DEX
Auditor: Three Sigma
Report: https://cdn.sanity.io/files/qoqld077/staging/9566473c444a6cfd99c7a6556fa4857950b41de3.pdf
Report Date: July 2025
Code: N/A
Description:
The almm_pair module lacks package version validation in its public functions. While the ALMM rewarder module uses cfg.checked_package_version(), the ALMM pair module omits this validation entirely. Its functions execute critical operations without verifying the package version, allowing incompatible logic to run after an upgrade.
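As an added example written for this page (not code from any of the audited protocols), the following Sui Move module shows the pattern the findings in this section ask for: a shared config that records a version, a checked_package_version gate called by every user and admin entry point (Full Sail, Scallop, Mayan, Magma findings), and a migrate function that exists (Bluefin Spot finding) and only moves the version forward (Momentum finding). The module, struct, function and constant names, the 2024 edition implicit imports, the AdminCap capability and the fee-cap rule are all assumptions for illustration.

```move
// Added example, not from any audited protocol. Assumes Sui Move 2024 edition
// (object, transfer and tx_context are imported implicitly).
module example::version_gate {
    /// Bump on every upgrade whose logic must not coexist with the old package.
    const VERSION: u64 = 2;
    /// Assumed cap on the protocol fee, enforced only by this (newer) version.
    const MAX_FEE_BPS: u64 = 1_000;

    const EWrongVersion: u64 = 0;
    const ENotAnUpgrade: u64 = 1;
    const EFeeTooHigh: u64 = 2;

    /// Shared object; `version` records which package version last migrated it.
    public struct GlobalConfig has key {
        id: UID,
        version: u64,
        fee_bps: u64,
    }

    /// Admin capability (assumed name); held by the protocol operator.
    public struct AdminCap has key, store {
        id: UID,
    }

    fun init(ctx: &mut TxContext) {
        transfer::share_object(GlobalConfig {
            id: object::new(ctx),
            version: VERSION,
            fee_bps: 30,
        });
        transfer::transfer(AdminCap { id: object::new(ctx) }, ctx.sender());
    }

    /// Gate called first by every function that touches shared state. After an
    /// upgrade plus migrate, the old package's VERSION no longer matches the
    /// config, so its entry points abort instead of running stale logic.
    public fun checked_package_version(cfg: &GlobalConfig) {
        assert!(cfg.version == VERSION, EWrongVersion);
    }

    /// Move the config to the running package's version. The strict `<`
    /// rejects a no-op (same version) and a downgrade, so an admin cannot
    /// re-enable a retired package by writing its version back.
    public fun migrate(_: &AdminCap, cfg: &mut GlobalConfig) {
        assert!(cfg.version < VERSION, ENotAnUpgrade);
        cfg.version = VERSION;
    }

    /// User-facing function: gated like everything else.
    public fun fee_for(cfg: &GlobalConfig, amount: u64): u64 {
        checked_package_version(cfg);
        amount * cfg.fee_bps / 10_000
    }

    /// Admin function: also gated, otherwise the old package (which lacked the
    /// MAX_FEE_BPS rule) could be used to bypass the restriction added here.
    public fun set_fee_bps(_: &AdminCap, cfg: &mut GlobalConfig, fee_bps: u64) {
        checked_package_version(cfg);
        assert!(fee_bps <= MAX_FEE_BPS, EFeeTooHigh);
        cfg.fee_bps = fee_bps;
    }

    public fun version(cfg: &GlobalConfig): u64 {
        cfg.version
    }

    #[test_only]
    use sui::test_scenario;

    /// The config is created at VERSION, so migrating again is a no-op and
    /// must abort; this is the case the Momentum finding says was accepted.
    #[test]
    #[expected_failure(abort_code = ENotAnUpgrade)]
    fun migrate_rejects_same_version() {
        let admin = @0xA;
        let mut scenario = test_scenario::begin(admin);
        init(scenario.ctx());
        scenario.next_tx(admin);
        let mut cfg = scenario.take_shared<GlobalConfig>();
        let cap = scenario.take_from_sender<AdminCap>();
        migrate(&cap, &mut cfg);
        test_scenario::return_shared(cfg);
        scenario.return_to_sender(cap);
        scenario.end();
    }
}
```

Run `sui move test` in a package containing this module to exercise the rejection case. The practical upgrade sequence this supports is: publish the upgraded package with VERSION bumped, then call migrate once; from that point the old package's functions abort at the gate, which is the property the missing checks in the findings above fail to provide.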