High Findings
Lack of Oracle Usage Claims the System Vulnerable Against Depeg Risks
Severity: High
Ecosystem: IOTA Mainnet
Protocol: Pools Finance
Auditor: Hacken
Report: https://hacken.io/audits/pools-finance/sca-pools-finance-pools-contracts-may2025/
Report Date: June 2025
Description:
The protocol's stable pools utilize an amplified invariant (e.g., similar to Curve’s stableswap formula), which is optimized for assets that maintain a tight 1:1 peg, such as USDT, USDC, or DAI. The amplification parameter (commonly referred to as amplification_p) flattens the bonding curve near the equilibrium point, enabling large trades with minimal slippage — under the assumption that both assets remain closely pegged.
However, this model fails to protect liquidity providers and swappers during depeg events. When one asset in the pair (e.g., USDT in a USDT/USDC pool) depegs significantly from its expected $1 value, the protocol continues treating it as equal in value to the other asset. This leads to risk-free arbitrage opportunities for attackers, who can:
Swap the depegged (and less valuable) asset for the more valuable one at an artificially favorable 1:1 rate. Drain the pool of the sound asset, leaving only the depegged token behind. This behavior directly causes value loss to LPs and users who do not react quickly to the peg loss, especially when the depeg is severe or prolonged.
The vulnerability exists in the fundamental mathematical design of stable pools, specifically in how they calculate swap amounts during market stress.
Oracle Lacks Update Cycle Verification
Severity: High
Ecosystem: Sui
Protocol: Navi
Auditor: MoveBit
Report: Navi Smart Contract Audit Report (MoveBit)
Report Date: July 2023
Description:
The oracle mechanism lacks verification of the update cycle. Specifically, there is no maximum interval period enforced when obtaining prices, allowing outdated price data to persist in the system. This can result in stale price feeds and inaccurate valuations.
Recommendation:
Implement a maximum time interval check for oracle updates and require regular price refreshes to ensure price data remains current.
Oracle Confidence Checks
Severity: High
Ecosystem: OL Network
Protocol: StakeSphere
Auditor: MoveJay
Report: https://github.com/Jayfromthe13th/StakeSphere-stealth-/blob/Wallet/Audit.md
Report Date: Feb 2025
Description:
High oracle confidence values suggest that there is disagreement among providers about the actual price. For instance, Pyth measures confidence as the difference between the 25th and 75th quartiles and the median price.
Recommendation:
Check the confidence of oracles.
Potential risk of manipulation of hyperion llp positions
Severity: High
Ecosystem: Aptos
Protocol: Yeap Finance
Auditor: SlowMist
Report Date: July 2025
Description:
In the health_check module, get_amount_by_liquidity must use the pool’s real-time price; otherwise, attackers can manipulate token amounts by performing large swaps within the same transaction.
Domain pricing relies on pool price, which can be manipulated
Severity: High
Ecosystem: Initia
Protocol: Initia Move
Auditor: Code4Arena Contest SRs
Report: https://code4rena.com/reports/2025-01-initia-move
Report Date: Apr 2025
Description:
Payment for domains (registration, extensions) relies on direct spot price from the Dex module which is directly related to pool reserves. This can be manipulated with a flash loan or a large amount deposit, resulting in: buying a domain in a lower price making other users overpay for their domains. Calculating the price based directly on a liquidity pool reserves is a well known insecure pattern.