Current Finance x Sherlock: Securing Sui's Capital Efficiency Engine Before Launch

Shipping Lending Infrastructure on a New Chain
Sui is one of the fastest-growing Layer 1 ecosystems in crypto, but its DeFi stack is still being built. The protocols that ship early on a new chain become the infrastructure everyone else builds on top of. That raises the stakes. If the base lending layer has a bug, it does not just affect one protocol. It affects everything downstream.
Current Finance is positioning itself as that base layer for leveraged yield on Sui. Before opening the protocol to real capital, the team partnered with Sherlock for a public audit contest to pressure-test the codebase with the widest possible adversarial surface. This case study covers how the contest was structured, what it found, and what the Current Finance team did about it.
The Capital Efficiency Engine for Sui
Current Finance (formerly Pebble) is the capital efficiency engine for Sui DeFi. The protocol brings leveraged yield strategies (up to 9x) to LSTs and yield-bearing assets through one-click Multiply positions, alongside on-chain isolated Margin markets. It is designed to be the layer where capital on Sui works hardest.
At the contract level, Current is a full-featured money market built entirely in Move. It uses cToken accounting with borrow indices and exchange rates, supports E-mode for tighter risk parameters on grouped collateral and borrow assets, and includes flash loans, auto-deleveraging (ADL), liquidity mining, and a referral system. Price feeds route through an x_oracle wrapper backed by Pyth.
Current is permissioned where it counts. Only whitelisted coin types can be listed, and liquidation execution is gated behind a capability system that restricts it to authorized bots. That reflects a deliberate design philosophy around operational control, and it directly shaped the threat model for the audit.
Not Solidity, Not EVM: Auditing in Move
Sherlock's researcher network includes deep expertise across Move and the Sui execution model, and that mattered here. Current's lending codebase had already completed private audits with two of the Sui ecosystem's audit partners before reaching Sherlock, but the vulnerabilities that matter most in a system like this tend to live in the gaps between components, not in the components themselves.
Move is a resource-oriented programming language originally developed at Meta for the Diem blockchain and later adopted by Sui. Where Solidity gives developers raw flexibility and leaves safety to the auditor, Move encodes ownership and linearity into the type system itself. Assets cannot be accidentally duplicated or silently dropped. Reentrancy, the bug class behind some of the largest exploits in DeFi history, is structurally impossible.
That does not mean Move contracts are safe by default. The language eliminates certain failure modes but introduces others. Arithmetic overflow behaves differently than on EVM. Resource lifecycle management is more explicit, and getting it wrong can lock funds permanently. And Sui's programmable transaction blocks (PTBs) allow multi-step atomic compositions that create interaction patterns most EVM auditors have never encountered.
The scope spanned approximately 4,500 nSLOC across the full protocol surface: math libraries, lending entry points, market internals, oracle integration, liquidation and ADL paths, reward distribution, and rate limiting.
Where the Risk Lived
Current Finance had already completed two private audits with Sui ecosystem audit partners by the time the engagement with Sherlock began. Those reviews covered the codebase at the module level. But Current is a lending protocol, and the team watched Aave, the most battle-tested lending protocol in Web3, choose a Sherlock audit contest as their final security check before shipping V4 to mainnet. Rather than reinventing the wheel, Current followed the same playbook. It paid off.
The risk surface mapped to where Current's design was most novel or most complex. The liquidation pipeline needed oracle pricing, health factor checks, and collateral seizure math to behave consistently under a single pricing model. The reward system needed arithmetic around accrual, distribution, and pool lifecycle to remain safe across real-world configurations. The rate limiter needed to correctly net inflows against outflows across rolling time segments. And deposit and borrow caps needed accounting logic that cleanly separated protocol reserves from user deposits.
These were the invariants that mattered. The contest was structured to test them.
Why Sherlock, Why a Conditional Contest
Current Finance chose Sherlock's conditional audit contest model. In a conditional contest, the prize pool scales with the highest severity validated, so researchers are incentivized to find what actually matters rather than padding submission counts. That structure aligned with what Current needed: signal over volume.
The decision to go public rather than run another private audit reflected where the protocol sat in its security lifecycle. Current had already invested in private review. What it needed next was breadth. A contest with over a thousand participants provides coverage that no fixed-roster audit team can match, and for a Move-based protocol where the security researcher pool with deep Sui expertise is still developing, that breadth was especially valuable.
Sherlock's judging infrastructure also played a role. With 1,220 submissions arriving across 10 days, accurate triage and severity classification were essential.
10 Days, 4,500 Lines, Full Protocol Surface
The contest ran for 10 days, from March 6 through March 16, 2026.
Scope covered the entire protocol: math libraries, all lending entry points (deposit, withdraw, borrow, repay, flash loan, liquidation), market internals (interest, reserves, obligations, E-mode, ADL, rate limiting), the liquidity mining and reward manager system, the referral module, and the x_oracle integration with Pyth. Approximately 4,500 nSLOC in Move.
The audited commit was 8a250918, with all fixes landing in the final commit dcbb7285.
What the Contest Found

The contest drew 1,220 total submissions across the full 10-day window.
Current's codebase had already passed through two private audits; neither caught what Sherlock's researchers found. Across 1,220 submissions, the contest surfaced vulnerabilities in Current's most security-critical subsystems that had survived every prior round of review. That is what adversarial breadth at scale is designed to do.
Summary of Results:
- Highs: 2
- Mediums: 4
- Lows / Informational: 4
The Current Finance team moved quickly. All high-severity findings and most mediums were resolved in the codebase before the final commit was signed off. Two medium findings were formally acknowledged by the team. Issues were verified during a formal fix review period, with Sherlock confirming that each remediation closed the original finding without introducing new risk.
Under the Hood: The Findings That Mattered
High 1: Oracle Inconsistency in the Liquidation Pipeline
The liquidation flow used EMA pricing to determine whether a position qualified for liquidation, then switched to spot pricing when calculating how much collateral the liquidator received. During a fast price recovery, where spot runs ahead of the lagging EMA, a whitelisted liquidation bot could qualify a position under the stale EMA view and seize collateral at the higher spot value, even though the borrower was solvent at market price.
The protocol already had the right safety check in place for borrow and withdraw operations, a function that reverts when EMA and spot diverge beyond tolerance. The liquidation path had simply not been brought under the same standard. Current resolved this by unifying oracle handling across all health-critical paths.
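The following Rust model is an added example, not Current's Move code, showing why judging eligibility on the EMA while pricing the seizure on spot is inconsistent, and how a divergence guard plus a single price closes it. Prices as 1e8 fixed-point USD, the basis-point constants, the struct fields and the liquidation bonus are all assumptions.

```rust
// Added model of the EMA/spot mismatch described above; not Current's Move
// code. Prices are assumed 1e8 fixed-point USD, thresholds in basis points.
pub const BPS: u64 = 10_000;

#[derive(Clone, Copy)]
pub struct OraclePrice { pub spot: u64, pub ema: u64 }

pub struct Position {
    pub collateral_units: u64,  // whole units of the collateral coin
    pub debt_value: u64,        // 1e8 USD
    pub liq_threshold_bps: u64, // 9_000 = 90%
}

/// Liquidatable when collateral * threshold no longer covers the debt at `price`.
pub fn is_liquidatable(pos: &Position, price: u64) -> bool {
    let collateral_value = (pos.collateral_units as u128) * (price as u128);
    (collateral_value * (pos.liq_threshold_bps as u128)) / (BPS as u128) < (pos.debt_value as u128)
}

/// The guard the case study says already protected borrow/withdraw:
/// abort when spot and EMA diverge by more than `tolerance_bps` of the lower price.
pub fn check_price_consistency(p: OraclePrice, tolerance_bps: u64) -> Result<(), &'static str> {
    let (hi, lo) = if p.spot >= p.ema { (p.spot, p.ema) } else { (p.ema, p.spot) };
    if ((hi - lo) as u128) * (BPS as u128) > (lo as u128) * (tolerance_bps as u128) {
        return Err("abort: spot/EMA divergence beyond tolerance");
    }
    Ok(())
}

/// Collateral units handed to the liquidator for `repay_value`, priced at `price`.
fn seize_units(repay_value: u64, bonus_bps: u64, price: u64) -> u64 {
    ((repay_value as u128) * ((BPS + bonus_bps) as u128) / (BPS as u128) / (price as u128)) as u64
}

/// Vulnerable shape: eligibility judged on the lagging EMA, seizure priced on spot.
pub fn liquidate_vulnerable(pos: &Position, p: OraclePrice, repay_value: u64, bonus_bps: u64)
    -> Result<u64, &'static str> {
    if !is_liquidatable(pos, p.ema) { return Err("position healthy"); }
    Ok(seize_units(repay_value, bonus_bps, p.spot))
}

/// Remediated shape: the same divergence guard as borrow/withdraw, then one price
/// for both the health check and the seizure math.
pub fn liquidate_unified(pos: &Position, p: OraclePrice, repay_value: u64, bonus_bps: u64,
    tolerance_bps: u64) -> Result<u64, &'static str> {
    check_price_consistency(p, tolerance_bps)?;
    if !is_liquidatable(pos, p.spot) { return Err("position healthy"); }
    Ok(seize_units(repay_value, bonus_bps, p.spot))
}
```

With a constructed position that is 90% collateralised at the lagging EMA but fully covered at the recovered spot price, the vulnerable path liquidates it while the unified path aborts on the divergence, and would report the position healthy if the two views agreed.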
High 2: Arithmetic Overflow Permanently Freezing Lending Operations
A multiply-before-divide overflow in the reward manager could permanently freeze all lending operations for an affected coin type. The intermediate product of total_rewards * time_passed_ms exceeded Move's safe arithmetic bounds before the normalizing division could execute. Because the abort happened before the timestamp was updated, every subsequent call encountered a larger time delta, making the deadlock irrecoverable. No admin function could break the cycle.
The thresholds were routine: a 500,000 USDC reward program over 30 days would trigger after just 10 hours of pool inactivity. Every deposit, withdrawal, borrow, repay, and liquidation for that coin type would permanently revert, and undercollateralized positions could not be liquidated. Current resolved this by reordering the arithmetic to divide before multiplying.
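To make the two orderings concrete, here is an added Rust model, not Current's Move code: u64 checked arithmetic stands in for Move's abort on overflow, and the field names and the normalising formula (total_rewards * time_passed_ms / duration_ms) are assumptions.

```rust
// Added model of the reward-manager overflow described above; not Current's
// Move code. Move's u64 arithmetic aborts on overflow, modelled here as Err.
// The normalising formula (total_rewards * time_passed_ms / duration_ms) is assumed.
pub const USDC_DECIMALS: u64 = 1_000_000;
pub const MS_PER_HOUR: u64 = 3_600_000;

pub struct RewardPool {
    pub total_rewards: u64,  // campaign budget in base units
    pub duration_ms: u64,    // campaign length
    pub last_update_ms: u64, // advanced only on a successful accrual
    pub accrued: u64,        // rewards released so far
}

impl RewardPool {
    pub fn new(total_rewards: u64, duration_ms: u64, now_ms: u64) -> Self {
        Self { total_rewards, duration_ms, last_update_ms: now_ms, accrued: 0 }
    }

    /// Vulnerable ordering: multiply first, normalise afterwards. The abort
    /// happens before `last_update_ms` advances, so every later call sees a
    /// larger delta and aborts again; no call can ever move the timestamp.
    pub fn accrue_multiply_first(&mut self, now_ms: u64) -> Result<u64, &'static str> {
        let time_passed_ms = now_ms.saturating_sub(self.last_update_ms);
        let product = self.total_rewards.checked_mul(time_passed_ms)
            .ok_or("abort: u64 overflow in total_rewards * time_passed_ms")?;
        let released = product / self.duration_ms;
        self.accrued += released;
        self.last_update_ms = now_ms;
        Ok(released)
    }

    /// Remediated ordering from the case study: divide before multiply. The
    /// per-ms rate is at most total_rewards, so the product stays within
    /// total_rewards for any delta inside the campaign window.
    pub fn accrue_divide_first(&mut self, now_ms: u64) -> Result<u64, &'static str> {
        let time_passed_ms = now_ms.saturating_sub(self.last_update_ms);
        let rate_per_ms = self.total_rewards / self.duration_ms;
        let released = rate_per_ms.checked_mul(time_passed_ms).ok_or("abort: u64 overflow")?;
        self.accrued += released;
        self.last_update_ms = now_ms;
        Ok(released)
    }
}

/// Smallest idle gap (ms) at which the vulnerable ordering overflows for a budget.
pub fn overflow_threshold_ms(total_rewards: u64) -> u64 {
    u64::MAX / total_rewards + 1
}
```

For the 500,000 USDC, 30-day program from the text, overflow_threshold_ms gives roughly 10.25 hours of inactivity, consistent with the stated 10-hour trigger, and a pool wedged by the first abort stays wedged on every retry.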
The Mediums
Cross-segment limiter netting failure. The rate limiter could be gamed by borrowing near a segment boundary and repaying immediately after rollover, keeping daily caps artificially exhausted with only temporary capital at risk. Acknowledged by the team.
Double subtraction of cash_reserve in the deposit limit check. The deposit cap function subtracted the protocol's reserve twice, allowing deposits to exceed configured limits by an amount that grew as the protocol collected more fees. Fixed.
ADL triggering on global debt instead of per-group debt. Auto-deleveraging checked total reserve debt rather than per-E-mode-group debt, allowing healthy positions in one group to be force-liquidated based on borrowing in another. Fixed.
Expired reward pool close refunding accrued borrower yield. The pool close path treated zero materialized user trackers as proof that no rewards were owed, but borrowers already active before a campaign was created accrued rewards through global share accounting without ever materializing a tracker. Acknowledged by the team.
Conclusion
Current Finance invested in security well before this engagement began. Multiple rounds of private auditing preceded the public contest, and the team treated Sherlock's involvement as a deliberate expansion of their security surface, not a replacement for what came before.
The contest validated that approach. Sherlock's researchers surfaced 10 findings, including two highs that would have had direct impact on user funds in production. Both emerged from how protocol components interacted under realistic conditions, the kind of vulnerabilities that individual module review is least likely to catch. The mediums reinforced that pattern across rate limiting, deposit caps, ADL logic, and reward lifecycle management.
Every actionable finding was resolved before the final commit was signed off. Remediations were verified during a formal fix review, and Sherlock confirmed that each fix closed the original issue cleanly.
Sui's DeFi ecosystem is still early, and the protocols that ship securely now will define the infrastructure that everything else builds on. Current Finance took that responsibility seriously, and Sherlock is proud to have supported the effort.
Secure Your Protocol with Sherlock
Sherlock is the complete lifecycle security provider for leading Web3 protocols, offering protection from early development to live code. Tell us what stage you're in and we'll help you from there.
