Low Findings

Improper Oracle Update

Severity: Low

Ecosystem: Sui

Protocol: Bluefin Spot

Auditor: OtterSec

Report: 

https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Nov 2024

Description:

pool::update_pool_state is responsible for updating the state of the liquidity pool after a swap operation occurs. In the current code, oracle::update is called after the pool’s current_tick_index and current_sqrt_price have been updated based on the swap result. This timing will result in the recording of inaccurate and misleading data in the oracle regarding the pool’s state before the swap occurred, rendering the data inconsistent.

The Price in the Oracle Lacks Validation

Severity: Low

Ecosystem: Sui

Protocol: Navi

Auditor: MoveBit

Report: https://github.com/movebit/Sampled-Audit-Reports/blob/main/reports/Navi-Smart-Contract-Audit-Report.pdf

Report Date: July 2023

Description:

When setting the price in the oracle, it is not validated whether the price is equal to 0. If the price is set to 0, then the value of the token will also be 0, making the current ReserveData meaningless.

Underflow Due to Future-dated Oracle Timestamp

Severity: Low

Ecosystem: Aptos

Protocol: Thala Swap

Auditor: OtterSec

Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Jan 2025

Description:

The oracle price retrieval functions may fail due to underflow if the reported timestamp is greater than the current system timestamp due to network clock drift.

Severity: Low

Ecosystem: Aptos

Protocol: AAVE v3.0.2 Core

Auditor: Spearbit

Report: https://github.com/aave/aptos-aave-v3/blob/main/audits/Spearbit%20Aave%20Aptos%20Core%20V3.0.2%20Report.pdf

Report Date: Jun 2025

Description:

The oracle.get_asset_price fetches the price from chainlink router's benchmark data. This benchmark is extracted from the raw report data and its price, which is a signed i192. However, the i192 is treated and returned as a raw u256 by chainlink.

Currently, Aave does not perform further checks on this returned u256 value. Misinterpreting a negative value as a large value would lead to having near-unlimited collateral value to borrow against.

Severity: Low

Ecosystem: Aptos

Protocol: AAVE v3.0.2 Core

Auditor: Spearbit

Report: https://github.com/aave/aptos-aave-v3/blob/main/audits/Spearbit%20Aave%20Aptos%20Core%20V3.0.2%20Report.pdf

Report Date: Jun 2025

Description:

The current implementation of the oracle::get_asset_price and oracle::get_assets_prices functions do not perform any sanity check on the staleness of the price. This absent of check is aligned with the corresponding implementation on the AaveOracle on the Solidity codebase. One key difference in the Aptos implementation for the Chainlink protocol is that they seem to allow the replacement of the latest "benchmark" (the price) with an updated benchmark that could be older (stale) compared to the current one returned by Chainlink. If you look at the logic of the fun perform_update function in the Chainlink registry module codebase, called by the on_report function when the price needs to be updated, you can see that the logic does not revert when the observation_timestamp of the report is equal or older compared to the current one used by the actual feed.

The logic will just emit the StaleReport event and replace the feed with the stale price.

The get_price_by_metadata Function Fails to Check Oracle Price Staleness

Severity: Low

Ecosystem: Initia

Protocol: Echelon Market

Auditor: Quantstamp

Report: https://certificate.quantstamp.com/full/echelon-market/9ee15c30-6a0f-4a70-b5ce-63b8a887bd4e/index.html

Report Date: Mar 2025

Code: N/A

Description:

The echelon_oracle::oracle::get_price_by_metadata function is a view function that retrieves the current price of an asset from the oracles and returns it. However, unlike other functions such as get_and_update_price_by_metadata, it does not ensure that the returned price is not stale.

Non-Deterministic Oracle Selection

Severity: Low

Ecosystem: Sui

Protocol: BalancerV2

Auditor: Quantstamp

Report: https://certificate.quantstamp.com/full/bucket-protocol-v-2/abd312d6-1a5e-45c5-963b-a6856daf6621/index.html

Report Date: Aug 2025

Code: N/A

Description:

The oracle system allows users to select different subsets of price feeds to reach the weight threshold, enabling them to obtain multiple valid prices within the same transaction. While we did not identify a direct exploitation path in the current CDP and PSM modules (which only use prices for health checks and divergence thresholds), this non-deterministic design violates oracle best practices and could become exploitable if the protocol evolves. Furthermore, sophisticated users can currently pick a subset of oracles that is most advantageous to them.

No Protocol-Controlled Oracle Staleness Checks

Severity: Low

Ecosystem: Sui

Protocol: BalancerV2

Auditor: Quantstamp

Report: https://certificate.quantstamp.com/full/bucket-protocol-v-2/abd312d6-1a5e-45c5-963b-a6856daf6621/index.html

Report Date: Aug 2025

Description:

The protocol delegates price freshness validation entirely to external price providers rather than enforcing its own staleness requirements. Currently, only Pyth is implemented as a price source, and the protocol relies on Pyth's internal staleness checks without the ability to configure acceptable price age limits. This dependency prevents the protocol from adjusting freshness requirements based on market conditions or risk parameters. Furthermore, price feed providers, such as Pyth, will panic if the price is outdated, leaving the protocol unable to revert to other oracle providers. The lack of protocol-level control also complicates adding new price sources with different staleness guarantees.