Trail of Bits

Franklin Templeton Aptos

Type

Security review

Client

Franklin Templeton

Date

2024-10

Domain

Blockchain

Effort

3 wks

Section

Other/Multi-Chain

Trail of Bits' security review of Franklin Templeton Aptos (October 2024) identified 18 issues: 4 high, 4 medium, 1 low, and 9 informational.

Findings · 18

  1. Users can request a share transfer when self-service is disabled (Medium)
  2. Full liquidation requests will fail to execute (Medium)
  3. A malicious shareholder can launch a DoS attack (High)
  4. Shareholders can stop the admin from removing them as a shareholder (Informational)
  5. Insufficient event generation (Informational)
  6. Frozen shareholders can be distributed dividends (Informational)
  7. Insufficient checks during request settlement (High)
  8. A high number of pending requests could lead to a temporary denial of service (Informational)
  9. Pending requests are not settled in the order in which they were created (High)
  10. The order in which the admin inputs the accounts to the settlement function can alter the outcome of the settlement (Informational)
  11. Creating requests just before the end of day allows shareholders to instantly settle them (Informational)
  12. The end_of_day function is broken (High)
  13. Multisig integrity checks are not performed on addresses with the PERMISSION_LEVEL_ALL role (Medium)
  14. The recover_account and recover_assets functions do not check whether the source and destination addresses are the same (Low)
  15. Account recovery can be prevented by creating a pending transaction (Informational)
  16. Beware of changing token decimals (Informational)
  17. The addition of negative yield, asset recovery, and share adjustment can also trigger TOB-FT-APTOS-7 (Informational)
  18. There is no association between multisig addresses and their underlying configuration (Medium)

Findings extracted from the published report PDF. See the full report below for details and remediation.
