0xSlowbug

Security Researcher

Hunting for bugs because my life depends on it

High: 10 total

Medium: 16 total

Total Earnings: $4.93K

#793 All Time

Payouts: 8x

1st Places: 1x (gold)

3rd Places: 1x (bronze)

Top 10: 2x (regular)

May '25

Usual ETH0

3,910 USDC • 1 total finding • Sherlock • 0xSlowbug

gold

medium

Invariant Violation: ETH0 Not Fully Backed After Collateral Price Drop Enables Treasury Drain

Apr '25

liquidity-book-vaults

86.11 USDC • 4 total findings • Cantina • slowbug

#34

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Feb '25

THORWallet

346.49 USDC • 1 total finding • Code4rena • slowbugmayor

bronze

high

The user can send tokens to any address by using two bridge transfers, even when transfers are restricted.

Virtuals Protocol

103.19 USDC • 4 total findings • Code4rena • slowbugmayor

#45

medium

Slippage protection in `AgentTax::dcaSell` and `BondingTax::swapForAsset` is calculated at execution time, effectively retrieving the very same price that the trade will be executing at, ultimately providing no protection

medium

`amountOutMin` passed in as 0 in `AgentToken::_swapTax` leads to loss of funds due to slippage

medium

BondingTax has invalid slippage implementation

medium

Missing Slippage Protection On Buy And Sell

Core Contracts

110.20 USDC • 16 total findings • CodeHawks • 0xslowbug

#131

high

Multiple Delegation by Double Spending Boosts and Lack of Delegation Tracking in BoostController Contract

high

Delegation Boost Not Usable by Delegatees

high

`BaseGauge` users can claim rewards without staking

high

Users Can Overwrite Existing Locks in veRAACToken Resulting in Permanent Loss of Funds

high

`GaugeController` does not send funds to FeeCollector disrupting fees distribution and causing loss of funds

high

Incorrect Reward Claim Logic in FeeCollector::claimRewards Causes Denial of Service

high

Double Usage Index Scaling in StabilityPool Liquidation Inflates Required CRVUSD Balance

high

Boost Miscalculation Leads to Excess Distribution

medium

`MAX_TOTAL_SUPPLY` Bypass in `veRAACToken` via `increase()` Function

medium

Users Can Lose Funds and Collateral by Repaying Loans After Liquidation Grace Period Expiry

medium

Workingsupply would always be overwritten in boostcontroller.sol impacting reward calculations

medium

Proposal Front-Running via Predictable Salt in `TimelockController::scheduleBatch`

medium

balanceOf(address(this)) in StabilityPool causes reward distribution to be higher than it should be

medium

Unbounded Reward Accrual After Period End Enables Reward Manipulation Attacks

low

Unauthorized Vote Casting Vulnerability

low

Hardcoded Emission Values Lead to Incorrect Reward Calculations

Dec '24

QuantAMM

0.82 op • 1 total finding • CodeHawks • 0xslowbug

#78

medium

quantAMMSwapFeeTake used for both getQuantAMMSwapFeeTake and getQuantAMMUpliftFeeTake.

SecondSwap

378.95 USDC • Code4rena • slowbugmayor

#15

Lambo.win

0 USDC • 1 total finding • Code4rena • slowbugmayor

#36

high

Minting zero tokens when underlyingToken is not Ether in cashIn()