0xAlix2

Security Researcher

High

66

Total

Medium

1

Solo

68

Total

$55.16K

Total Earnings

#164 All Time

30x

Payouts

gold

1x

1st Places

silver

4x

2nd Places

bronze

2x

3rd Places

Apr '25

ZKP2P V2

2,170.80 OP • Sherlock • 0xAlix2

#4

Findings not publicly available for private contests.

Cabal Liquid Staking Token

863.09 USDC • Code4rena • 0xAlix2

#5

Mar '25

tally-stGOV

5,905.51 USDC • 1 total finding • Cantina • 0xAlix2

gold

high

Finding not yet public.

Feb '25

Initia Cosmos

4,259.95 USDC • 2 total findings • Code4rena • 0xAlix2

silver

high

Wrong handling of ERC20 denoms in `ERC20Keeper::BurnCoins`

medium

setBeforeSendHook can never delete an existing store due to vulnerable validate

Jan '25

Liquid Ron

0.03 USDC • 1 total finding • Code4rena • 0xAlix2

#10

high

The calculation of `totalAssets()` could be wrong if `operatorFeeAmount` > 0, this can cause potential loss for the new depositors

infrared-contracts

2,240.59 USDC • 4 total findings • Cantina • 0xAlix2

#20

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

Aave v3.3

838.54 USDC • Sherlock • 0xAlix2

#31

Initia Rollup Modules

12,880 USDC • 3 total findings • Code4rena • 0xAlix2

silver

high

Challenger misses discrepancy events, allowing executors to perform malicious actions

medium

Users can DOS the token deposits for any future bridges

medium

Apply oracle update doesn't check for duplicate validator votes

Nov '24

MANTRA DEX

4,436.61 USDC • 12 total findings • Code4rena • 0xAlix2

bronze

high

Stable swap pools don't properly handle assets with different decimals, forcing LPs to receive wrong shares

high

User cannot claim rewards or close_position, due to vulnerable division by zero handling

high

Protocol allows creating broken tricrypto CPMM pools

high

Logical error in `validate_fees_are_paid` can cause a DoS or allow users to bypass fees if `denom_creation_fee` includes multiple coins including `pool_creation_fee` and the user attempts to pay all fees using only `pool_creation_fee`

high

Multi-token stableswap pools allow 0 liquidity for tokens, creating bricked pools

high

Block gas limit can be hit due to loop depth

high

Farms can be created to start in past epochs

medium

`compute_offer_amount` floors the `offer_amount` when simulating constant product reversed swaps, leading to unexpected results

medium

`query_reverse_simulation` doesn't account for extra fees when simulating stable reversed swaps

medium

Single sided liquidity can't be used to lock LP tokens in the farm manager

medium

Penalty fees can be shared among future farms or expired farms, risks of exploits

medium

`withdraw_liquidity` lacks slippage protection

Oct '24

Kleidi

511.15 USDC • 1 total finding • Code4rena • 0xAlix2

#7

medium

Wrong handling of call data check indices, forcing it sometimes to revert

LoopFi

4,505.89 USDC • 14 total findings • Code4rena • 0xAlix2

silver

high

`decreaseLever` uses incorrect position address when withdrawing

high

`Flashlender.sol#flashLoan()` should use `mintProfit()` to mint fees. The current implementation may lead to locked up WETH in PoolV3.

high

`CDPVault.sol#liquidatePositionBadDebt()` does correctly handle profit and loss

medium

PositionAction.decreaseLever() fails to consider the loan fee in Flashlender when calculating loanAmount; as a result, the functionality will not work when protocolFee != 0.

medium

WhenNotPaused modifier in the CDPVault can be bypassed by users

medium

`PendleLPOracle::_fetchAndValidate` uses Chainlink's deprecated `answeredInRound`

medium

`PoolAction::_balancerExit` returns wrong token out amount

medium

`PositionAction4626::_onDecreaseLever` wrongly updates `tokenOut` forcing user's funds to be stuck in the position action contract

medium

`PoolAction::updateLeverJoin` wrongly updates `assetsIn` array, leading to `PositionAction4626::_onIncreaseLever` to always revert

medium

`PositionAction4626::increaseLever` will always revert

medium

`SwapAction::getSwapToken` will return wrong swap token for balancer EXACT_OUT swaps

medium

Wrong repayment amount used in `PositionAction::_repay`, forcing users to unexpectedly lose funds

medium

Invalid handling of residual amount in `PositionAction::onCreditFlashLoan`, forcing it to revert

medium

Invalid handling of flash loan fees in `PositionAction::onCreditFlashLoan`, forcing it to always revert

Sep '24

Saffron Lido Vaults

284.56 USDC • 1 total finding • Sherlock • 0xAlix2

bronze

medium

`LidoVault::vaultEndedWithdraw` doesn't take into consideration income withdrawals before slashing, blocking variable users from withdrawing their income

Flayer

808.78 USDC • 8 total findings • Sherlock • 0xAlix2

#20

high

Users can't reclaim their votes after canceling a collection shutdown process

high

`Listings::relist` wrongly resolves the listings tax for liquidation listings, allowing users to steal other users' paid tax

high

`Listings::relist` is not resetting the listing's created date, allowing users to bypass listing fees

high

`Locker::isListing` doesn't check if the token is unlocked and pending withdrawal, allowing users to steal unlocked tokens

high

Users can cancel listings even after they have been reserved

medium

Wrong comparison value used in `UniswapImplementation::beforeSwap` forcing swaps to revert

medium

Price limit is used as the price range in internal swaps, causing swap TXs to revert

medium

`CollectionShutdown::execute` is not resetting `shutdownVotes`, blocking future shutdown processes

Aug '24

ZeroLend One

500.98 USDC • 7 total findings • Sherlock • 0xAlix2

#19

high

`PositionBalanceConfiguration::getSupplyBalance` returns shares instead of assets, forcing curated vault depositors to lose funds

high

Total shares is wrongly subtracted when minting to treasury, blocking users from withdrawing their funds

high

Wrong debt amount used in `LiquidationLogic::_calculateDebt`, causing liquidation to always result in wrong results

high

Supply pool reserves are not updated on an early stage, leading to incorrect calculations of shares and fees

high

`LiquidationLogic::_repayDebtTokens` is wrongly setting `nextDebtShares` to the burnt shares, messing up all loans accumulated debt

medium

Profit is transferred to the treasury without checking if there's enough balance, blocking users from withdrawing their funds

medium

Using the same heartbeat for multiple price feeds, causing DOS

Sentiment V2

5.68 USDC • 1 total finding • Sherlock • 0xAlix2

#45

medium

Super pool uses `ERC20.approve` instead of safe approvals, causing it to always revert on some ERC20s

Jul '24

LoopFi

4,064.64 USDC • 14 total findings • Code4rena • 0xAlix2

#5

high

`decreaseLever` uses incorrect position address when withdrawing

high

`Flashlender.sol#flashLoan()` should use `mintProfit()` to mint fees. The current implementation may lead to locked up WETH in PoolV3.

high

`CDPVault.sol#liquidatePositionBadDebt()` does correctly handle profit and loss

medium

PositionAction.decreaseLever() fails to consider the loan fee in Flashlender when calculating loanAmount; as a result, the functionality will not work when protocolFee != 0.

medium

WhenNotPaused modifier in the CDPVault can be bypassed by users

medium

`PendleLPOracle::_fetchAndValidate` uses Chainlink's deprecated `answeredInRound`

medium

`PoolAction::_balancerExit` returns wrong token out amount

medium

`PositionAction4626::_onDecreaseLever` wrongly updates `tokenOut` forcing user's funds to be stuck in the position action contract

medium

`PoolAction::updateLeverJoin` wrongly updates `assetsIn` array, leading to `PositionAction4626::_onIncreaseLever` to always revert

medium

`PositionAction4626::increaseLever` will always revert

medium

`SwapAction::getSwapToken` will return wrong swap token for balancer EXACT_OUT swaps

medium

Wrong repayment amount used in `PositionAction::_repay`, forcing users to unexpectedly lose funds

medium

Invalid handling of residual amount in `PositionAction::onCreditFlashLoan`, forcing it to revert

medium

Invalid handling of flash loan fees in `PositionAction::onCreditFlashLoan`, forcing it to always revert

MakerDAO Endgame

953.46 USDC • Sherlock • 0xAlix2

#60

Jun '24

Size

2,548.02 USDC • 6 total findings • Code4rena • 0xAlix2

#13

high

Users won't liquidate positions because the logic used to calculate the liquidator's profit is incorrect

high

When `sellCreditMarket()` is called to sell credit for a specific cash amount, the protocol might receive a lower swapping fee than expected.

medium

Fragmentation fee is not taken if user compensates with newly created position

medium

Borrower is not able to compensate his lenders if he is underwater

medium

Credit can be sold forcibly as `forSale` setting can be ignored via Compensate

medium

withdraw() users may not be able to withdraw underlyingBorrowToken properly

May '24

YOLO Games

198.3 USDC • 1 total finding • Cantina • 0xAlix2

#14

medium

Finding not yet public.

Apr '24

NOYA

4,693.24 USDC + NOYA stars • 24 total findings • Code4rena • 0xAlix2

silver

high

`BalancerConnector::_getPositionTVL` is calculated incorrectly

high

`Registry.sol#updateHoldingPosition` remove position logic is incorrect: should use `ownerConnector` instead of `calculatorConnector` when calculating holdingPositionId.

high

`SNXConnector.sol` TVL calculation is incorrect.

high

`AccountingManager::resetMiddle` will not behave as expected

high

`PendleConnector` incorrectly sends the redeemed `PT` tokens to the market instead of the

high

Incomplete TVL Calculation in `AerodromeConnector::_getPositionTVL` Function.

high

`executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`

high

`NoyaValueOracle.getValue` returns an incorrect price when a multi-token route is used

high

Invalid handling of holding positions in `DolomiteConnector::transferBetweenAccounts`

high

Invalid calculation of position TVL in Pendle connector

high

Numerous errors when calculating the TVL for the MorphoBlue connector

high

In Dolomite, when opening a borrow position, the holding position in the Registry will never be updated due to the removePosition flag being set to true

high

It is possible to open an insolvent position in the Silo connector, due to a missing check in the borrow function

high

SiloConnector `_getPositionTVL` miscalculates the position TVL

medium

`CurveConnector.sol#depositIntoConvexBooster` does not keep track of TVL if `stake == false`

medium

The `TVLHelper.sol#getTVL` function is DOSed by the `under collateralized connector`, and as a result, many parts of the protocol may be DOS.

medium

The total deposit amount limit in `AccountingManager.sol` can be bypassed

medium

The modifier `onlyExistingRoute` works incorrectly

medium

Attacker can increase the length of `withdrawQueue` by withdrawing 0 amount of tokens frequently

medium

Incorrect Return Value in `CompoundConnector.getBorrowBalanceInBase()` Affecting TVL Calculation

medium

Missing calls to `_updateTokenInRegistry` leads to incorrect state of tokens in registry

medium

Incorrect modifier condition

medium

FullMath library is missing `unchecked` blocks, leading to DOS of the protocol's TVL and UniswapValueOracle

medium

Registry deletes liquidity positions without verifying complete withdrawal.

DYAD

86.3 USDC • 7 total findings • Code4rena • 0xAlix2

#64

high

Kerosene collateral is not being moved on liquidation, exposing liquidators to loss

high

Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply

high

User can get their Kerosene stuck because of an invalid check on withdraw

high

Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults

medium

Value of kerosene can be manipulated to force liquidate users

medium

Incorrect deployment / missing contract will break functionality

medium

No incentive to liquidate when CR <= 1 as asset received < dyad burned

Mar '24

Revert Lend

943.63 USDC • 5 total findings • Code4rena • 0xAlix2

#12

high

Owner of a position can prevent liquidation due to the 'onERC721Received' callback

medium

dailyDebtIncreaseLimitLeft is not updated in liquidate().

medium

Tokens can't be removed as a collateral without breaking liquidations and other core functions

medium

V3Oracle susceptible to price manipulation

medium

Repayments and liquidations can be forced to revert by an attacker that repays a minuscule amount of shares

Feb '24

AI Arena

116.3 USDC • 7 total findings • Code4rena • 0xAlix2

#52

high

A locked fighter can be transferred; leads to game server unable to commit transactions, and unstoppable fighters

high

Since you can reroll with a different fighterType than the NFT you own, you can reroll bypassing maxRerollsAllowed and reroll attributes based on a different fighterType

high

Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes

high

Fighters cannot be minted after the initial generation due to uninitialized `numElements` mapping

high

Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`

high

FighterFarm::reroll won't work for NFT id greater than 255 due to input limited to uint8

medium

NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on the chain due to underflow, and the user can recover past losses that shouldn't be recoverable (steal protocol's token)

Jan '24

Salty.IO

27.49 USDC • 4 total findings • Code4rena • 0xAlix2

#104

high

When borrowers repay USDS, it is sent to the wrong address, allowing anyone to burn Protocol Owned Liquidity and build bad debt for USDS

high

User can evade `liquidation` by depositing the minimum of tokens and gain time to not be liquidated

medium

Adversary can prevent updating price feed addresses by creating poisonous proposals ending in `_confirm`

medium

Remove Liquidity has missing reserve1 DUST check, which can make reserve1 to be less than DUST

reNFT

496.28 USDC • Code4rena • 0xAlix2

#19

Dec '23

Ethereum Credit Guild

323.56 USDC • 2 total findings • Code4rena • 0xAlix2

#41

high

Anyone can steal all distributed rewards

medium

Re-triggering the `canOffboard[term]` flag to bypass the DAO vote of the lending term offboarding mechanism

Nov '23

Convergence

271.99 USDC • 1 total finding • Sherlock • 0xAlix2

#13

medium

Positions that have `veCVG` amount block users from extending their lock amount/time in the last cycle

Oct '23

NextGen

0.08 USDC • 1 total finding • Code4rena • 0xAlix2

#113

high

Attacker can reenter to mint all the collection supply

Ethena Labs

166.32 USDC • 1 total finding • Code4rena • 0xAlix2

#22

medium

Soft Restricted Staker Role can withdraw stUSDe for USDe

Jul '23

Beedle - Oracle free perpetual lending

61.91 USDC • 6 total findings • CodeHawks • 0xAliX2

#61

high

Borrower can use Refinance to cancel auctions so they can extend their loan indefinitely

high

During refinance() new Pool balance debt is subtracted twice

high

[H-04] Lender#buyLoan - Malicious user could take over a loan for free without having a pool because of wrong access control

high

Using forged/fake lending pools to steal any loan opening for auction

high

Stealing any loan opening for auction through others' lending pool

medium

Malicious lender can increment the loan interest using the auction process