0xEkko

Security Researcher

High: 29 total

Medium: 15 total

Total Earnings: $2.34K

#1009 All Time

Payouts: 11x

2nd Places: 1x (silver)

Top 10: 2x

Top 25: 5x

Jun '25

DODO Cross-Chain DEX

749.44 USDC • 7 total findings • Sherlock • 0xEkko

silver

high

Missing swap-withdrawal validation enables accumulated token drainage

high

Any attacker will steal refund tokens from `GatewayTransferNative` users with failed cross-chain transactions to non-EVM chains

high

Any attacker will steal accumulated ZRC20 tokens from `GatewayTransferNative` contract

medium

Fee calculation bug enables protocol fund drainage or transaction failures

medium

Users withdrawing to Bitcoin will lose funds permanently when transactions fail

medium

ETH Refunds Always Fail Due to Incorrect Transfer Function Usage in `onRevert`

medium

Malicious Attackers Will Cause Denial of Service for Incoming Cross-Chain Transfers via GatewayCrossChain Contract

May '25

LEND

36.02 USDC • 4 total findings • Sherlock • 0xEkko

#53

high

Cross-Chain Debt Tracking Failure Allows Unlimited Over-Borrowing

high

Cross-Chain Borrowing Non-Atomic Vulnerability with Guaranteed Exploit Window

high

Cross-Chain Repayment Accounting Error

medium

Double Interest Calculation Causes Overly Restrictive Borrowing

Apr '25

mighty-contracts

40.44 USDC • 3 total findings • Cantina • 0xEkkoo

#46

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

Mar '25

Crestal Network

0.01 USDC • 1 total finding • Sherlock • 0xEkko

#12

high

Missing Validation in payWithERC20 Will Allow Unauthorized Token Transfers

Feb '25

size-solidity

171.52 USDC • 1 total finding • Cantina • 0xEkkoo

#4

medium

Finding not yet public.

Core Contracts

213.32 usdc • 21 total findings • CodeHawks • 0xekkoo

#97

high

Wrong amount is minted to user when they deposit into the lending pool

high

Faulty Gauge Weight Update Formula: Voting Power Delta Not Considered Leading to Arithmetic Underflow and Vote Weight Inconsistency

high

ZENO Token Redemption Returns Negligible USDC Amount Compared to Purchase Price

high

Incorrect decimal handling in `Auction::buy()` leads to massive overpayment for ZENO tokens

high

Users Can Overwrite Existing Locks in veRAACToken Resulting in Permanent Loss of Funds

high

Multiple issues from unnecessary balance increase calculation in DebtToken.mint

high

Incorrect Reward Claim Logic in FeeCollector::claimRewards Causes Denial of Service

high

Users can borrow more assets than they have deposited as collateral

high

Any attempt to liquidate a user will fail, because StabilityPool does not hold crvUSD during operational lifecycle

high

RToken is Not Interest Bearing Due to Broken Liquidity Index Calculation

high

Boost Miscalculation Leads to Excess Distribution

high

Interest Accrual Failure Due to Incorrect Scaling in RToken Implementation

high

Ineffective Time-Weighted Average Implementation in Fee Distribution

high

Voting Power Snapshot Missing

high

Users can lose additional collateral by depositing NFTs after grace period expiration

medium

[H-2] Lack of Emergency Pause in `BaseGauge::stake` and `BaseGauge::withdraw`

medium

Incorrect utilization rate forces protocol to issue maximum rewards indefinitely

medium

Treasury Contract Deposit Function Can Be Frontrun To Deny Protocol Operations

medium

Liquidations are enabled when repayments are disabled, causing borrowers to lose funds without a chance to repay

medium

Workingsupply would always be overwritten in boostcontroller.sol impacting reward calculations

medium

closeLiquidation within LendingPool does not allow partial repayments, which can cause massive losses to users within edge case

Jan '25

dahlia-protocol

1,105.3 USDC • 1 total finding • Cantina • 0xEkkoo

#17

high

Finding not yet public.

Plaza Finance

1.42 USDC • 3 total findings • Sherlock • 0xEkko

#93

high

Period Mismatch in Pool-Auction Interaction Will Prevent Reserve Transfer for Successful Auctions

medium

Users Accumulate Bond Shares During Failed Auctions Without USDC Backing

medium

USDC Blocklist Feature Can DOS Auction By Breaking Remove/Refund Logic

Dec '24

SecondSwap

6.95 USDC • 2 total findings • Code4rena • 0xEkko

#47

high

`SecondSwap_Marketplace` vesting listing order affects how much the vesting buyers can claim at a given step

medium

Rounding error in stepDuration calculations.

Nov '24

Ethos Network Financial Contracts

0.38 USDC • 1 total finding • Sherlock • 0xEkko

#33

high

Double Accounting of Fees will lead to an Inflated marketFunds

Project

13.64 USDC • 1 total finding • CodeHawks • 0xekkoo

#20

low

Lack of Validation for `tierConfigs[i].minted` Value in New Tiers During DAO Membership Update