0xSmartContract

Security Researcher

|| Smart Contracts 🧭 || Code Review 📄 || Bot in Crypto 🤖 || Audit 📇 || c4 Warden 🐺 ||

High: 12 Total

Medium: 33 Total

Total Earnings: $73.00K

#127 All Time

Payouts: 112x

2nd Places (silver): 1x

3rd Places (bronze): 2x

Top 10 (regular): 34x

Feb '24

AI Arena

216.02 USDC • Code4rena • 0xSmartContract

#27

HydraDX

118.22 USDC • Code4rena • 0xSmartContract

#17

Jan '24

Decent

186.33 USDC • 2 total findings • Code4rena • 0xSmartContract

#27

high

Due to missing checks on minimum gas passed through LayerZero, executions can fail on the destination chain

high

Anyone can update the address of the Router in the DcntEth contract to any address they would like to set.

Salty.IO

39.34 USDC • Code4rena • 0xSmartContract

#96

Curves

116.28 USDC • 1 total finding • Code4rena • 0xSmartContract

#44

high

Unauthorized Access to setCurves Function

Dec '23

Ethereum Credit Guild

892.68 USDC • Code4rena • 0xSmartContract

#17

Nov '23

Shell Protocol

44.92 USDC • Code4rena • 0xSmartContract

#10

Panoptic

479.29 USDC • Code4rena • 0xSmartContract

#17

Canto Application Specific Dollars and Bonding Curves for 1155s

288.91 USDC • Code4rena • 0xSmartContract

#10

Kelp DAO | rsETH

12.29 USDC • Code4rena • 0xSmartContract

#49

Oct '23

Party Protocol

575.73 USDC • Code4rena • 0xSmartContract

#14

Ethena Labs

88.73 USDC • Code4rena • 0xSmartContract

#32

The Wildcat Protocol

412.5 USDC • Code4rena • 0xSmartContract

#21

Brahma

14.47 USDC • Code4rena • 0xSmartContract

#14

ENS

85.67 USDC • Code4rena • 0xSmartContract

#12

Sep '23

Maia DAO - Ulysses

269.01 USDC • Code4rena • 0xSmartContract

#27

Aug '23

Dopex

832.85 USDC • Code4rena • 0xSmartContract

#26

Shell Protocol

441.46 USDC • Code4rena • 0xSmartContract

#9

veRWA

47.92 USDC • Code4rena • 0xSmartContract

#38

Arbitrum Security Council Election System

627.26 USDC • Code4rena • 0xSmartContract

#12

PoolTogether V5: Part Deux

556.1 USDC • Code4rena • 0xSmartContract

#14

Tangible Caviar

0.72 USDC • Code4rena • 0xSmartContract

#86

Good Entry

158.78 USDC • Code4rena • 0xSmartContract

#25

Jul '23

Moonwell

69.77 USDC • Code4rena • 0xSmartContract

#35

Amphora Protocol

774.71 USDC • Code4rena • 0xSmartContract

#9

PoolTogether

135.25 USDC • 1 total finding • Code4rena • 0xSmartContract

#53

medium

`VaultFactory` allows deployment of vaults with non-authentic `TwabController` and `PrizePool`

Tapioca DAO

2,276.11 USDC • 2 total findings • Code4rena • 0xSmartContract

#26

medium

Missing deadline checks allow pending transactions to be maliciously executed

medium

Oracle is susceptible to manipulation if deployed on Optimism

Basin

303.89 USDC • Code4rena • 0xSmartContract

#12

Nouns DAO

1,081.39 USDC • Code4rena • 0xSmartContract

#8

Jun '23

Canto

348.84 USDC • Code4rena • 0xSmartContract

#9

Llama

730.13 USDC • Code4rena • 0xSmartContract

#9

Stader Labs

253.86 USDC • Code4rena • 0xSmartContract

#25

May '23

Maia DAO Ecosystem

3,084.68 USDC • 2 total findings • Code4rena • 0xSmartContract

#20

medium

[M-01] Some functions in Talos contracts does not allow user to supply slippage and deadline, which may cause swap revert

medium

Lack of slippage protection can lead to significant loss of user funds

Chainlink Cross-Chain Services: CCIP and ARM Network

59.42 USDC • Code4rena • 0xSmartContract

#43

USSD - Autonomous Secure Dollar

0.00 USDC • 3 total findings • Sherlock • 0xSmartContract

#101

high

No slippage protection in `UniV3SwapInput`

high

`mintRebalancer` and `burnRebalancer` functions haven't any access control

medium

Chainlink's latestRoundData might return stale or incorrect results

Juicebox Buyback Delegate

16.19 USDC • Code4rena • 0xSmartContract

#18

Venus Protocol Isolated Pools

101.57 USDC • Code4rena • 0xSmartContract

#39

Ajna Protocol

195.42 USDC • 1 total finding • Code4rena • 0xSmartContract

#37

high

Claiming accumulated rewards while the contract is underfunded can lead to a loss of rewards

Apr '23

EigenLayer Contest

90.02 USDC • Code4rena • 0xSmartContract

#24

ENS Contest

637.07 USDC • Code4rena • 0xSmartContract

#17

Frankencoin

43.63 USDC • Code4rena • 0xSmartContract

#60

Caviar Private Pools

506.27 USDC • 1 total finding • Code4rena • 0xSmartContract

#17

medium

The `tokenURI` method does not check if the NFT has been minted and returns data for the contract that may be a fake NFT.

Rubicon v2

742.78 USDC • Code4rena • 0xSmartContract

#17

Mar '23

Gitcoin

392.94 USDC • Sherlock • 0xSmartContract

#8

Asymmetry contest

132.8 USDC • Code4rena • 0xSmartContract

#44

Canto Identity Subprotocols contest

278.11 USDC • Code4rena • 0xSmartContract

#13

Polynomial Protocol contest

103.46 USDC • Code4rena • 0xSmartContract

#29

zkSync Era System Contracts contest

237.7 USDC • Code4rena • 0xSmartContract

#11

Neo Tokyo contest

455.7 USDC • Code4rena • 0xSmartContract

#8

Wenwin contest

251.21 USDC • Code4rena • 0xSmartContract

#18

Aragon Protocol contest

774.31 USDC • Code4rena • 0xSmartContract

#8

Feb '23

Ethos Reserve contest

764.26 USDC • Code4rena • 0xSmartContract

#20

Fair Funding by Alchemix & Unstoppable

107.05 USDC • 1 total finding • Sherlock • 0xSmartContract

#7

medium

`is_operator` architecture is wrong

Jan '23

Popcorn contest

384.79 USDC • 1 total finding • Code4rena • 0xSmartContract

#42

medium

Fee on transfer token not supported

Canto Identity Protocol contest

915.39 CANTO • Code4rena • 0xSmartContract

#6

Numoen contest

1,042.54 USDC • Code4rena • 0xSmartContract

#10

RabbitHole Quest Protocol contest

230.95 USDC • Code4rena • 0xSmartContract

#21

Drips Protocol contest

254.8 USDC • Code4rena • 0xSmartContract

#10

Timeswap contest

1,678.01 USDC • Code4rena • 0xSmartContract

#10

Cooler

0.30 USDC • 1 total finding • Sherlock • 0xSmartContract

#30

high

Use safeTransferFrom() instead of transferFrom() for ERC20 transfers

OpenSea Seaport 1.2 contest

310.43 USDC • Code4rena • 0xSmartContract

#7

Ondo Finance contest

735.46 USDC • Code4rena • 0xSmartContract

#9

Reserve contest

1,126.63 USDC • Code4rena • 0xSmartContract

#18

Astaria contest

616.5 USDC • Code4rena • 0xSmartContract

#24

Biconomy - Smart Contract Wallet contest

1,208.86 USDC • 1 total finding • Code4rena • 0xSmartContract

#7

medium

SmartAccount.sol is intended to be upgradable but inherits from contracts that contain storage and no gaps

Dec '22

Papr contest

394.79 USDC • Code4rena • 0xSmartContract

#18

GoGoPool contest

1,198.27 USDC • 1 total finding • Code4rena • 0xSmartContract

#23

high

Inflation of ggAVAX share price by first depositor

Caviar contest

1,222.8 USDC • Code4rena • 0xSmartContract

#6

Tigris Trade contest

1,223.44 USDC • 1 total finding • Code4rena • 0xSmartContract

#17

medium

Centralization risks: owner can freeze withdraws and use timelock to steal all funds

prePO contest

840.61 USDC • Code4rena • 0xSmartContract

#10

Escher contest

624.4 USDC • Code4rena • 0xSmartContract

#12

PoolTogether contest

795.08 USDC • Code4rena • 0xSmartContract

#7

Maverick contest

1,432.53 USDC • Code4rena • 0xSmartContract

#5

Nov '22

ParaSpace contest

882.55 USDC • Code4rena • 0xSmartContract

#26

Canto contest

758.1 CANTO • Code4rena • 0xSmartContract

#6

Redacted Cartel contest

1,058.24 USDC • 2 total findings • Code4rena • 0xSmartContract

#16

high

Malicious Users Can Drain The Assets Of Auto Compound Vault

high

Underlying assets stealing in `AutoPxGmx` and `AutoPxGlp` via share price manipulation

Bull v Bear

306.83 USDC • 1 total finding • Sherlock • 0xSmartContract

#10

high

Missing ReEntrancy Guard to `withdrawToken` function

LSD Network - Stakehouse contest

2,322.49 USDC • 1 total finding • Code4rena • 0xSmartContract

#12

medium

Cross-chain replay attacks are possible with `deployLPToken`

Blur Exchange contest

1,193.9 USDC • 1 total finding • Code4rena • 0xSmartContract

bronze

medium

Hacked owner or malicious owner can immediately steal all assets on the platform

LooksRare Aggregator contest

5,205.96 USDC • 1 total finding • Code4rena • 0xSmartContract

silver

medium

It is clearly stated that timelock is used, but this does not happen in the codes

SIZE contest

73.96 USDC • 1 total finding • Code4rena • 0xSmartContract

#28

medium

Incompatibility with fee-on-transfer/inflationary/deflationary/rebasing tokens, on both base tokens and quote tokens, with varying impacts

Debt DAO contest

691.09 USDC • 1 total finding • Code4rena • 0xSmartContract

#26

medium

Mistakenly sent eth could be locked

Sense

2,352.73 USDC • 2 total findings • Sherlock • 0xSmartContract

bronze

high

First `ERC4626` deposit exploit can break share calculation

medium

Vulnerability related to ‘Optimizer Bug Regarding Memory Side Effects of Inline Assembly’

Oct '22

zkSync v2 contest

2,102.32 USDC • Code4rena • 0xSmartContract

#5

Paladin - Warden Pledges contest

391.01 USDC • 1 total finding • Code4rena • 0xSmartContract

#14

medium

Pausing `WardenPledge` contract, which takes effect immediately, by its owner can unexpectedly block pledge creator from calling `closePledge` or `retrievePledgeRewards` function

Inverse Finance contest

691.21 USDC • Code4rena • 0xSmartContract

#14

NFTPort

1,324.75 USDC • 1 total finding • Sherlock • 0xSmartContract

#7

medium

Missing ReEntrancy Guard to `mint` function

Holograph contest

771.29 USDC • Code4rena • 0xSmartContract

#15

3xcalibur contest

570.47 USDC • Code4rena • 0xSmartContract

#13

Juicebox contest

367.96 USDC • Code4rena • 0xSmartContract

#15

Trader Joe v2 contest

2,351.98 USDC • 1 total finding • Code4rena • 0xSmartContract

#10

medium

Very critical `Owner` privileges can cause complete destruction of the project in a possible privateKey exploit

The Graph L2 bridge contest

1,054.18 USDC • Code4rena • 0xSmartContract

#8

Blur Exchange contest

83.13 USDC • 1 total finding • Code4rena • 0xSmartContract

#21

medium

Hacked owner or malicious owner can immediately steal all assets on the platform

Sep '22

QuickSwap and StellaSwap contest

466.16 USDC • 2 total findings • Code4rena • 0xSmartContract

#14

medium

A "FrontRunning attack" can be made to the `initialize` function

medium

`safeTransfer` function does not check for existence of ERC20 token contract

Frax Ether Liquid Staking contest

91.75 USDC • 2 total findings • Code4rena • 0xSmartContract

#31

medium

Centralization risk: admin have privileges: admin can set address to mint any amount of frxETH, can set any address as validator, and change important state in frxETHMinter and withdraw fund from frcETHMinter

medium

frxETHMinter: Non-conforming ERC20 tokens not recoverable

VTVL contest

265.65 USDC • 1 total finding • Code4rena • 0xSmartContract

#25

medium

Reentrancy may allow an admin to steal funds

Art Gobblers contest

6,785.46 USDC • 1 total finding • Code4rena • 0xSmartContract

#4

medium

Possible centralization issue around RandProvider

Harpie

121.37 USDC • 2 total findings • Sherlock • 0xSmartContract

#13

medium

Transactions can be made by paying 0 fee

medium

Instead of call(), transfer() is used for the withdraw mechanism

Y2k Finance contest

52.8 USDC • Code4rena • 0xSmartContract

#50

PartyDAO contest

375.53 USDC • Code4rena • 0xSmartContract

#17

FEI and TRIBE Redemption contest

33.58 USDC • Code4rena • 0xSmartContract

#14

Canto Dex Oracle contest

210.46 CANTO • 1 total finding • Code4rena • 0xSmartContract

#9

medium

Hackers can deploy token with respective name as the stable one to impersonate the stable token

Nouns Builder contest

489.18 USDC • 2 total findings • Code4rena • 0xSmartContract

#37

medium

`Token:mint`: infinite loop if the founders' shares sum up to 100

medium

The quorum votes calculations don't take into account burned tokens

Aug '22

Olympus DAO contest

248.18 USDC • Code4rena • 0xSmartContract

#45

Nouns DAO contest

1,124.43 USDC • 1 total finding • Code4rena • 0xSmartContract

#9

medium

Loss of Veto Power can Lead to 51% Attack

FIAT DAO veFDT contest

15 USDC • Code4rena • 0xSmartContract

#70

Fraxlend (Frax Finance) contest

108.73 USDC • Code4rena • 0xSmartContract

#27

Foundation Drop contest

73 USDC • Code4rena • 0xSmartContract

#37

Mimo August 2022 contest

40.74 USDC • Code4rena • 0xSmartContract

#42

Rigor Protocol contest

62.38 USDC • Code4rena • 0xSmartContract

#62

Jul '22

Axelar Network v2 contest

56.13 USDC • Code4rena • 0xSmartContract

#43

Golom contest

129.83 USDC • Code4rena • 0xSmartContract

#73