0xMosh

Security Researcher

Smart Contract Security Researcher @Code4rena, @SherlockDeFi & @immunefi. Explorer.

High: 9 total

Medium: 16 total

Total Earnings: $1.77K

#1066 All Time

Payouts: 34x

3rd Places: 2x

Top 10: 5x

Top 25: 13x

Mar '25

badger-ebtc-bsm

14.85 USDC • 1 total finding • Cantina • Mosh

#36

high

Finding not yet public.

Feb '25

Usual Labs

94.96 USDC • Sherlock • 0xMosh

#32

THORWallet

0 USDC • 1 total finding • Code4rena • 0xMosh

#10

medium

Improper Transfer Restrictions on Non-Bridged Tokens Due to Boolean Bridged Token Tracking, Allowing a DoS Attack Vector

Rova

0.04 USDC • 1 total finding • Sherlock • 0xMosh

bronze

medium

Incorrect Token Amount Tracking in updateParticipation Function

Jan '25

Liquid Ron

0 USDC • 1 total finding • Code4rena • 0xMosh

#12

medium

Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

Ignite

243.00 USDC • CodeHawks • mo_

#14

Dec '24

Lambo.win

0 USDC • 1 total finding • Code4rena • 0xMosh

#36

high

Minting zero tokens when underlyingToken is not Ether in cashIn()

Nov '24

Ethos Network Financial Contracts

58.31 USDC • 2 total findings • Sherlock • 0xMosh

#28

medium

Inconsistent Fee Calculation Leads to pay user more than intended!

medium

Missing Slippage Protection in Vote Selling

Nouns DAO - Auction Streams

16.71 USDC • Sherlock • 0xMosh

#53

Telcoin Update #2

11.73 USDC • Sherlock • 0xMosh

#42

Oct '24

Ethos Network Social Contracts

45.37 USDC • 1 total finding • Sherlock • 0xMosh

#6

medium

Inadequate Restriction on Compromised Addresses Fails to Protect User Data Integrity

Gamma Brevis Rewarder

131.06 OP • 1 total finding • Sherlock • 0xMosh

bronze

high

Early Claimers will lose their rewards for the later valid epochs of a distribution and remaining funds will be locked in the contract forever!

Sep '24

Liquid Staking

14.69 USDC • 1 total finding • CodeHawks • mo_

#40

low

Due To The `minWithdrawalAmount` Check Users Who Want To Withdraw Won't Be Able To Queue Their Token Withdrawals On Some Amounts

Jun '24

Vultisig

6.78 USDC • 1 total finding • Code4rena • 0xMosh

#31

high

Vultisig whitelisting can be bypassed by anyone

May '24

Munchables

0.02 USDC • 2 total findings • Code4rena • 0xMosh

#15

high

Malicious User can call `lockOnBehalf` repeatedly to extend a user's `unlockTime`, removing their ability to withdraw previously locked tokens

high

Invalid validation allows users to unlock early

Apr '24

NOYA

0.02 USDC + NOYA stars • 1 total finding • Code4rena • 0xMosh

#122

high

`executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`

Mar '24

Ondo Finance

8.28 USDC • Code4rena • 0xMosh

#17

Feb '24

AI Arena

9.82 USDC • 1 total finding • Code4rena • 0xMosh

#126

medium

NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on the chain due to underflow, and can recover past losses that can't be recovered (steal protocol's token)

Jan '24

Avail

83.79 USDC • Sherlock • 0xMosh

#18

Dec '23

Footium Update

39.98 USDC • Sherlock • 0xMosh

#22

Nov '23

Nouns Builder

828.43 USDC • 1 total finding • Sherlock • 0xMosh

#8

medium

Auction contract could be paused maliciously!

Oct '23

Party Protocol

15.78 USDC • Code4rena • 0xMosh

#32

NextGen

0 USDC • 1 total finding • Code4rena • 0xMosh

#115

high

Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime

Open Dollar

62.49 USDC • 1 total finding • Code4rena • 0xMosh

#41

medium

Test addresses and incorrect interface in code prevent integration with UniswapV3 and Camelot

Sep '23

Venus Prime

4.37 USDC • Code4rena • 0xMosh

#39

Allo V2

0.09 USDC • 1 total finding • Sherlock • 0xMosh

#74

medium

Pools will fail to handle fee-on-transfer token accounting accurately

Aug '23

Cooler Update

0.70 USDC • 1 total finding • Sherlock • 0xMosh

#20

medium

Malicious lender can scam borrower by increasing the interest way too much after loan being issued and take borrower's collateral.

Dopex

0.07 USDC • 1 total finding • Code4rena • 0xMosh

#126

high

The peg stability module can be compromised by forcing lowerDepeg to revert.

Sparkn

10.83 USDC • 5 total findings • CodeHawks • mo_

#54

medium

Malicious/Compromised organiser can reclaw all funds, stealing work from supporters

low

If a winner is blacklisted on any of the tokens they can't receive their funds

low

Owner can incorrectly pull funds from contests not yet expired

low

Centralization Risk for trusted organizers

low

Insufficient validation leads to locking up prize tokens forever

Jul '23

Foundry DeFi Stablecoin CodeHawks Audit Contest

0.27 USDC • 4 total findings • CodeHawks • mo_

#149

medium

staleCheckLatestRoundData() does not check the status of the Arbitrum sequencer in Chainlink feeds.

medium

Chainlink oracle will return the wrong price if the aggregator hits `minAnswer`

low

Zero address check for tokens

low

Pragma isn't specified correctly which can lead to nonfunction/damaged contract when deployed on Arbitrum

CodeHawks Escrow Contract - Competition Details

40.42 USDC • 3 total findings • CodeHawks • mo_

#51

medium

High - Funds can be lost if any participant is blacklisted

low

Constructor of `Escrow` should make sure that `buyer`, `seller`, `arbiter` are different from each other.

gas

Contract Can Be Deployed Without Funds.

Beam

0.75 USDC • Sherlock • 0xMosh

#43

May '23

USSD - Autonomous Secure Dollar

15.95 USDC • 1 total finding • Sherlock • 0xMosh

#64

medium

There's no functionality for redeeming DAI for USSD in the contract.

Juicebox Buyback Delegate

16.19 USDC • Code4rena • 0xMosh

#18