
0xStalin

Smart Contract Security Researcher

Let the code do the talking, you just listen and catch bugs ;) | Found +100 H/M | 40+ audits


High: 40 Total
Medium: 46 Total, 2 Solo

Total Earnings: $109.74K

Rank: #79 All Time
Payouts: 37x
1st Places: 1x
2nd Places: 2x
3rd Places: 4x


Jan '25

silo-contracts-v2
8,437.53 USDC • 3 total findings • Cantina • 0xStalin
Rank #8
High: Finding not yet public.
Medium: Finding not yet public.
Medium: Finding not yet public.

Dec '24

Idle Finance Credit Vaults
2,711.60 USDC • Sherlock • 0xStalin
Rank: 3rd place
Findings not publicly available for private contests.

SecondSwap
162.37 USDC • 3 total findings • Code4rena • 0xStalin
Rank #21
High: In `transferVesting`, the `grantorVesting.releaseRate` is calculated incorrectly, which leads to the sender being able to unlock more tokens than were initially locked.
Medium: Incorrect referral fee calculations
Medium: Missing option to remove tokens from the `isTokenSupport` mapping can result in huge financial loss for users and the protocol

Oct '24

Flow
1,781.67 USDC • 1 total finding • CodeHawks • 0xstalin
Rank #4
Low: It is possible to avoid paying the `protocolFee`

Sep '24

MorphL2
6,523.16 USDC • 2 total findings • Sherlock • 0xStalin
Rank #5
Medium: Stakers who are part of the sequencerSet and exit on the L1 may not be able to claim the commissions of the last epoch(s) in which they were active
Medium: Delegators can lose their rewards when a delegator has removed a delegatee and claims all of his rewards before delegating again to a previously removed delegatee.

Aug '24

ZeroLend One
500 USDC • Sherlock • 0xStalin
Rank #45

Axelar Network
0 USDC • Code4rena • 0xStalin
Rank #9

Jul '24

Zaros Part 1
8,745.97 USDC • 12 total findings • CodeHawks • 0xstalin
Rank: 1st place
High: Positive PnL is lost for all parties when liquidating an account, potentially causing the MarginCollateralRecipient to receive far less USD value than it could have received.
High: Market Disruption and Financial Loss Post-Liquidation
High: Wrong parameter passed in `TradingAccount::deductAccountMargin` function that results in excess margin withdrawal
Medium: Insufficient checks to confirm the correct status of the sequencerUptimeFeed
Medium: A malicious user can DoS all offchain orders, making them unexecutable and leaving the protocol in an insolvent state. All offchain trades can also be DoSed for honest parties that do not meet the fillorder requirements (no try/catch)
Medium: Liquidating positions of different accounts for the same market in the same block.timestamp uses the same fundingFeePerUnit regardless of the MarkPrice computed from the size of the position being liquidated.
Low: QA Report - 0xStalin - Low Severities
Low: Functions calling `verifyReport` to verify offchain prices from Chainlink will fail
Low: Deleting CollateralTypes from the CollateralLiquidationPriority allows traders to be liquidated for free and get back their full collateral as if they were not liquidated.
Low: UpgradeBranch.sol does not use _disableInitializers()
Low: Missing expiration check in `Data Streams` report validation allows the use of expired report data
Low: When transferring the NFT associated with a TradingAccount, the old owner can grief the new owner by leaving an open MarketOrder that will be executed even though the old owner no longer owns the TradingAccount.

Jun '24

Size
1,478.05 USDC • 6 total findings • Code4rena • 0xStalin
Rank #22
High: Users won't liquidate positions because the logic used to calculate the liquidator's profit is incorrect
High: When `sellCreditMarket()` is called to sell credit for a specific cash amount, the protocol might receive a lower swapping fee than expected.
Medium: Fragmentation fee is not taken if user compensates with newly created position
Medium: Credit can be sold forcibly as `forSale` setting can be ignored via Compensate
Medium: Users cannot buy/sell the minimum credit allowed due to the exactAmountIn condition
Medium: LiquidateWithReplacement does not charge swap fees on the borrower

Apr '24

Panoptic
3,402.78 USDC • 2 total findings • Code4rena • 0xStalin
Rank #8
High: `SettleLongPremium` is incorrectly implemented: premium should be deducted instead of added
Medium: Wrong leg `chunkKey` calculation in `haircutPremia` function

Mar '24

Copra Finance
981.27 USDC • Sherlock • 0xStalin
Rank #4
Findings not publicly available for private contests.

Feb '24

Wise Lending
21,136.58 USDC • 5 total findings • Code4rena • 0xStalin
Rank: 2nd place
High: Wrong use of nftID to check if a Power farm position is an Aave position
High: Incorrect bad debt accounting can lead to a state where the `claimFeesBeneficial` function is permanently bricked and no new incentives can be distributed, potentially locking pending and future protocol fees in the `FeeManager` contract
Medium: Borrowers can DoS liquidations by repaying as little as 1 share.
Medium: Withdrawing uncollateralized deposits is possible even though the position is in liquidation mode
Medium: Exiting a farm on mainnet assumes a peg of 1:1 when swapping stETH for ETH

Jan '24

Curves
17.33 USDC • 4 total findings • Code4rena • 0xStalin
Rank #78
High: Whitelisted accounts can be forcefully DoSed from buying curveTokens during the presale
High: Attack to make `CurveSubject` a `HoneyPot`
High: Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`
High: Unauthorized Access to setCurves Function

Dec '23

Ethereum Credit Guild
4,673.1 USDC • 5 total findings • Code4rena • 0xStalin
Rank: 3rd place
High: The userGaugeProfitIndex is not set correctly, allowing an attacker to receive rewards without waiting
High: The creation of bad debt (`mark-down` of Credit) can force other loans in auction to also create bad debt
Medium: Repayers using EOA accounts can be affected if bad debt is generated while they are repaying loans
Medium: Replay attack to suddenly offboard the re-onboarded lending term
Medium: LendingTerm::debtCeiling() can return wrong debt as the min() is evaluated incorrectly

Nov '23

metamorpho-and-periphery
8,074.06 USDC • 1 total finding • Cantina • 0xStalin
Rank: 3rd place
Medium: Finding not yet public.

Oct '23

Ethena Labs
4.52 USDC • Code4rena • 0xStalin
Rank #40

The Wildcat Protocol
290.62 USDC • 4 total findings • Code4rena • 0xStalin
Rank #30
High: Lenders can escape the blacklisting of their accounts because they can move their MarketTokens to different accounts and gain the WithdrawOnly Role on any account they want
High: Borrower has no way to update `maxTotalSupply` of `market` or close market.
Medium: Protocol markets are incompatible with rebasing tokens
Medium: Blocked accounts keep earning interest contrary to the WhitePaper

Sep '23

Maia DAO - Ulysses
7,750.98 USDC • 4 total findings • Code4rena • 0xStalin
Rank: 2nd place
High: If the Virtual Account's owner is a contract account (multisig wallet), attackers can gain control of the Virtual Account by gaining control of the same owner's address on a different chain
Medium: Incorrect source address decoding in RootBridgeAgent and BranchBridgeAgent's _requiresEndpoint breaks LayerZero communication
Medium: Depositors could lose all their deposited tokens (including the hTokens) if their address is blacklisted in any of the deposited underlyingTokens
Medium: If RootBridgeAgent.lzReceiveNonBlocking reverts internally, the native token sent by the relayer to RootBridgeAgent is left in RootBridgeAgent

Centrifuge
1,486.01 USDC • 1 total finding • Code4rena • 0xStalin
Rank #7
Medium: Investors claiming their maxDeposit by using LiquidityPool.deposit() will cause other users to be unable to claim their maxDeposit/maxMint

Ondo Finance
974.6 USDC • 1 total finding • Code4rena • 0xStalin
Rank #10
Medium: Admin can't burn tokens from blocklisted addresses because of a check in _beforeTokenTransfer

Aug '23

veRWA
4.23 USDC • Code4rena • 0xStalin
Rank #53

PoolTogether V5: Part Deux
1,121.02 USDC • 2 total findings • Code4rena • 0xStalin
Rank #7
High: `rngComplete` function should only be called by `rngAuctionRelayer`
Medium: Liquidators can be tricked into operating with LiquidationPairs that were deployed using the LiquidationPairFactory but configured with a fake malicious contract as the LiquidationSource

Jul '23

CodeHawks Escrow Contract - Competition Details
37.93 USDC • 1 total finding • CodeHawks • 0xstalin
Rank #55
Medium: High - Funds can be lost if any participant is blacklisted

PoolTogether
4,022.18 USDC • 5 total findings • Code4rena • 0xStalin
Rank: 3rd place
High: Increasing reserves breaks PrizePool accounting
High: Delegated amounts can be forcefully removed from anyone in the TwabController
High: `Vault.mintYieldFee` function can be called by anyone to mint `Vault Shares` to any recipient address
Medium: Silent overflow could alter computation when calculating the vaultPortion in the PrizePool contract
Medium: `VaultFactory` allows deployment of vaults with non-authentic `TwabController` and `PrizePool`

Tapioca DAO
4,428.18 USDC • 6 total findings • Code4rena • 0xStalin
Rank #17
High: [HD05] Magnetar contract has no approval checking
High: Ability to steal user funds and increase collateral share infinitely in BigBang and Singularity
High: Tokens can be stolen from other users who have approved Magnetar
High: Anybody can buy collateral on behalf of other users without having any allowance using the multiHopBuyCollateral()
High: User's assets can be stolen when removing them from the Singularity market through the Magnetar contract
Medium: `MagnetarV2#burst` double counts `msg.value` for `TOFT_WRAP` operation, making the transaction revert unless the user overpays

Jun '23

Unstoppable
212.81 USDC • 2 total findings • Sherlock • 0xStalin
Rank #18
High: In the Vault contract, the _update_debt_() function doesn't accrue interest even though the debt_token has outstanding debt
Medium: Executing DCA Orders can fall into a permanent DoS for fee-on-transfer tokens & tokens implementing the approval race condition

May '23

Maia DAO Ecosystem
13,507.62 USDC • 5 total findings • Code4rena • 0xStalin
Rank #5
High: Incorrectly reading the offset from the received data parameter to get the depositNonce in the BranchBridgeAgent::anyFallback() function
High: Accessing the incorrect offset to get the nonce when the flag is 0x06 in RootBridgeAgent::anyExecute() will mark incorrect nonces as executed and could potentially cause a DoS
High: Multiple issues with decimal scaling will cause incorrect accounting of hTokens and underlying tokens
High: Use of slot0 to get sqrtPriceLimitX96 can lead to price manipulation.
Medium: Inconsistently reading the encoded parameters received in the _sParams argument in BranchBridgeAgent::clearTokens()

Iron Bank
0.00 USDC • 1 total finding • Sherlock • 0xStalin
Rank #25
Medium: Chainlink's latestRoundData returning a stale or incorrect result is not validated

USSD - Autonomous Secure Dollar
0.88 USDC • 5 total findings • Sherlock • 0xStalin
Rank #81
High: An attacker can steal all the collateral by abusing the rebalance function and causing imbalances in the Uniswap pool
High: Incorrect calculation of the price in the StableOracleDAI contract returns the price scaled up by an incorrect magnitude
High: Using incorrect addresses to initialize the Oracles
High: No deadline and no slippage protection when doing swaps to rebalance the pool
Medium: Chainlink's latestRoundData returning a stale or incorrect result is not validated

Index
3,204.44 USDC • 3 total findings • Sherlock • 0xStalin
Rank #5
High: Not using eMode's risk parameter configurations to calculate the maxBorrow/repayAmount when eMode is activated
Medium: Using a deprecated Chainlink function to pull the asset's price from the Chainlink Oracle
Medium: Functions implementing the `invokeApprove()` of the Invoke Library could revert for non-standard tokens like USDT

Juicebox Buyback Delegate
321.72 USDC • Code4rena • 0xStalin
Rank #12

Venus Protocol Isolated Pools
2,930.4 USDC • 3 total findings • Code4rena • 0xStalin
Rank #7
Medium: `RiskFund.swapPoolsAsset` does not allow the user to supply a deadline, which may cause the swap to revert
Medium: Borrower can cause a DoS by frontrunning a liquidation and repaying as little as 1 wei of the current debt
Medium: Bad Debt in PoolLens.sol#getPoolBadDebt() is not calculated correctly in USD

Ajna Protocol
570.75 USDC • 2 total findings • Code4rena • 0xStalin
Rank #20
High: RewardsManager fails to validate `pool_` when updating exchange rates, allowing rewards to be drained
Medium: Unsafe casting from `uint256` to `uint128` in RewardsManager

Footium
1.15 USDC • 2 total findings • Sherlock • 0xStalin
Rank #30
Medium: No use of _safeMint() as a safeguard for users when minting a new ClubNFT
Medium: Use a safe transfer helper library for ERC20 transfers

Apr '23

JOJO Exchange
219.99 USDC • 1 total finding • Sherlock • 0xStalin
Rank #35
Medium: Swapping the liquidated collateral for USDC when running JOJOFlashloan() in FlashLoanLiquidate.sol is susceptible to a sandwich attack that could mess up the liquidators' rewards

Frankencoin
22.6 USDC • Code4rena • 0xStalin
Rank #66

Rubicon v2
0.15 USDC • 1 total finding • Code4rena • 0xStalin
Rank #125
High: Reward accounting is incorrect in BathBuddy contract