0xaxaxa

Security Researcher

High: 12 total

Medium: 8 total

Total Earnings: $10.80K

#530 All Time

Payouts: 9x

1st Places (gold): 1x

2nd Places (silver): 1x

Top 10 (regular): 7x

Mar '25

PinLink: RWA-Tokenized DePIN Marketplace

256.38 USDC • Sherlock • 0xaxaxa

#4

Feb '25

Usual Labs

3,161.42 USDC • Sherlock • 0xaxaxa

#7

Yieldoor

54.84 USDC • 4 total findings • Sherlock • 0xaxaxa

#14

high

`initCollateralUsd` is incorrectly set when opening a leveraged position.

high

Collecting Fees from `vestPosition` May Revert Due to Incorrect `tickUpper` Usage

medium

Incorrect `modulo` Calculation in `Strategy._setSecondaryPositionsTicks` When `tick < 0`

medium

The `Leverager.withdraw()` Function Incorrectly Utilizes `amountOut0` Instead of `amountOut1` to Determine `repayFromWithdraw`

Jan '25

Aave v3.3

5,552.74 USDC • Sherlock • 0xaxaxa

#9

Dec '24

Ethos Reputation Market Fix Review Contest

144.76 USDC • 1 total finding • Sherlock • 0xaxaxa

silver

medium

Incorrect rounding in the `_calcCost` function.

Oku's New Order Types Contract Contest

824.10 OP • 10 total findings • Sherlock • 0xaxaxa

#4

high

Attackers can drain the `OracleLess` contract by creating an order with a `malicious tokenIn` and executing it with a `malicious target`.

high

The `execute()` function should reset the approved amount for the `target` to 0 at the end.

high

The `AutomationMaster.generateOrderId()` function does not guarantee the generation of a unique `orderId`.

high

The `_cancelOrder()` function removes the `orderId` solely from the `pendingOrderIds` array, but does not remove it from the `orders` mapping.

high

Reentrancy attack in the `OracleLess` contract.

high

In the `oracleLess` contract, when an order is created, `tokenIn` is transferred from the `recipient`, which exposes it to potential attacks.

high

Attackers can drain the `StopLimit` contract.

medium

The `execute()` function should utilize `forceApprove` instead of `safeApprove`.

medium

Incorrect staleness check in the `PythOracle.currentValue()` function.

medium

A `DoS` attack that makes order removal impossible in the `OracleLess` contract, causing all funds to become stuck.

Nov '24

Ethos Network Financial Contracts

130.79 USDC • 4 total findings • Sherlock • 0xaxaxa

#22

high

Unfair fee calculation in the `ReputationMarket._calculateBuy()` function.

high

Incorrect modification of `marketFunds` in the `ReputationMarket.buyVotes()` function.

medium

Improper fee mechanism in the `EthosVouch.applyFees()` function.

medium

Absence of slippage protection in the `ReputationMarket.sellVotes()` function.

Nouns DAO - Auction Streams

578.45 USDC • Sherlock • 0xaxaxa

#10

vVv Launchpad - Investments & Token distribution

94.59 USDC • 1 total finding • Sherlock • 0xaxaxa

gold

high

The `claim()` function can be front-run, resulting in the potential loss of all funds.