
0xbepresent

Security Researcher

Bug hunter at @code4rena, @sherlockdefi & @codehawks


Findings
High: 26 total (1 solo)
Medium: 17 total

Earnings
Total: $23.57K (#331 all time)

Placements (regular contests)
Payouts: 52x
Top 10: 7x
Top 25: 24x
Top 50: 39x


Jul '24

LoopFi
1,200.82 USDC • Code4rena • 0xbepresent • rank #17

Apr '24

NOYA
25.94 USDC + NOYA stars • Code4rena • 0xbepresent • rank #72

Mar '24

DittoETH
3,392.29 USDC • Code4rena • 0xbepresent • rank #6

Jan '24

Salty.IO
126.64 USDC • Code4rena • 0xbepresent • rank #62

Dec '23

stake.link
874.73 USDC • 4 total findings • CodeHawks • 0xbepresent • rank #7
high: A user can steal an already transferred and bridged reSDL lock because of approval
medium: A user can lose funds in `sdlPoolSecondary` if they try to add more SDL tokens to a lock that has been queued to be completely withdrawn
low: Audit report for SDLPool.sol - scalability concern
low: Updates from the `secondary pool` to the `primary pool` may not be sent because there are `no rewards` for the secondary pool

Ethereum Credit Guild
260.29 USDC • Code4rena • 0xbepresent • rank #46

Nov '23

Nouns Builder
21.94 USDC • 1 total finding • Sherlock • 0xbepresent • rank #9
high: The `Token::updateFounders()` function does not remove the previous founders, so they remain able to claim tokens from the DAO

Oct '23

Party Protocol
199.93 USDC • Code4rena • 0xbepresent • rank #23

The Wildcat Protocol
350.76 USDC • Code4rena • 0xbepresent • rank #27

Sep '23

Allo V2
340.37 USDC • 5 total findings • Sherlock • 0xbepresent • rank #21
high: The `QVSimpleStrategy.maxVoiceCreditsPerAllocator` limit can be evaded by the allocator, allowing them to allocate unlimited credits to the same recipient
high: Malicious registrant can front-run `RFPSimpleStrategy._allocate()` in order to change the `proposalBid` and get a bigger payout in the distribution
medium: `RFPSimpleStrategy._registerRecipient()` does not work when the strategy was created with `useRegistryAnchor=true`, so nobody can register to the pool
medium: Error in counting `allocator.voiceCreditsCastToRecipient` gives the `recipient` more votes and the majority of the pool
medium: Pool strategies do not support `fee on transfer` tokens, causing an error in the accounting

DittoETH
470.44 USDC • 3 total findings • CodeHawks • 0xbepresent • rank #20
medium: User can create a small position after exit with bid
medium: Primary short liquidation cannot be completed in the last hour of the liquidation timeline
low: Malicious trader can intentionally obtain `dittoMatchedShares` in some edge cases

Aug '23

Chainlink Staking v0.2
718.68 USDC • Code4rena • 0xbepresent • rank #35

Cooler Update
45.40 USDC • 3 total findings • Sherlock • 0xbepresent • rank #14
high: Lender can block loan repayments using a malicious `Callback` contract, causing the collateral to be lost
medium: The `rollLoan()` function must be callable only by the borrower
medium: Malicious lender can make the borrower pay non-agreed interest via a front-running attack

Sparkn
390.19 USDC • 4 total findings • CodeHawks • 0xbepresent • rank #11
high: The same signature can be used across different `distribution` implementations, so the caller who owns the signature can distribute on unauthorized implementations
low: Signature missing nonce & expiration deadline
low: Centralization risk for trusted organizers
low: Organizers are not incentivized to deploy and distribute to winners, so winners may go unrewarded for a long time and the protocol owner is forced to manage the distribution

Arbitrum Security Council Election System
36.16 USDC • Code4rena • 0xbepresent • rank #20

PoolTogether V5: Part Deux
624.23 USDC • Code4rena • 0xbepresent • rank #12

Jul '23

Beedle - Oracle free perpetual lending
184.64 USDC • 10 total findings • CodeHawks • 0xbepresent • rank #21
high: Sandwich attack to steal all ERC-20 tokens in the Fees contract
high: Borrower can use Refinance to cancel auctions so they can extend their loan indefinitely
high: During refinance() the new Pool balance debt is subtracted twice
high: [H-04] Lender#buyLoan - Malicious user could take over a loan for free without having a pool because of wrong access control
high: Using forged/fake lending pools to steal any loan open for auction
high: Attacker can steal a loan's collateral and break the protocol
high: Fee on transfer tokens will cause users to lose funds
high: The `borrow` and `refinance` functions can be front-run by the pool lender, leading to collateral being seized in the next block
medium: The `borrow` and `refinance` functions can be front-run by the pool lender to set high interest rates
medium: Malicious lender can increase the loan interest using the auction process

Tokemak
172.68 USDC • 4 total findings • Sherlock • 0xbepresent • rank #38
high: An attacker can steal `native` tokens from the `LMPVaultRouterBase` contract due to a `LMPVaultRouterBase::deposit()` malfunction
high: `Destination` vault rewards will be lost if the `swap` action in `LMPVault::withdraw()` gets more assets than anticipated
high: `AbstractRewarder::queueNewRewards()` transfers the incorrect rewards amount from the caller, which can leave the liquidation process stuck and the vaults' rewarder without rewards
high: Rewards will not be distributed to the vault's rewarder due to a malfunction in `LiquidationRow::_performLiquidation()`

PoolTogether
473.59 USDC • Code4rena • 0xbepresent • rank #32

Jun '23

Unstoppable
1,022.86 USDC • 3 total findings • Sherlock • 0xbepresent • rank #8
high: The `Vault.reduce_position()` function does not increment the account's margin `Vault.margin[account][debt_token]`
medium: The `Vault._update_debt()` function should be executed before the admin sets a new interest rate via `Vault.set_variable_interest_parameters()`
medium: The `Vault._to_usd_oracle_price()` function uses the same `ORACLE_FRESHNESS_THRESHOLD` for all token price feeds, which is incorrect

Hubble Exchange
884.81 USDC • 3 total findings • Sherlock • 0xbepresent • rank #10
high: A malicious `vUSD` withdrawal receiver can cause a DoS in the `vUSD.processWithdrawals()` function
medium: `Chainlink.latestRoundData()` may return stale results
medium: Malicious actor can flood the `vUSD` withdrawal queue, forcing a single user to spend a lot of gas when processing their withdrawal via `MarginAccountHelper.withdrawFromInsuranceFund()` or `MarginAccountHelper.removeMarginInUSD()`

May '23

Venus Protocol Isolated Pools
248.74 USDC • Code4rena • 0xbepresent • rank #33

Apr '23

JOJO Exchange
1,316.66 USDC • 1 total finding • Sherlock • 0xbepresent • rank #12
medium: When `JUSDBank.withdraw()` targets another internal account, `ReserveInfo.isDepositAllowed` is not validated

Teller
1,229.23 USDC • 4 total findings • Sherlock • 0xbepresent • rank #6
high: Malicious lender can block borrower repayment, causing the borrower to default
high: Malicious lender can assign his own commitment to another victim lender
high: Malicious borrower can block liquidations, causing the lender to receive neither the settlement amount nor the collateral
medium: If the loan is in default, an attacker can force the lender to receive the collateral instead of the settlement amount

Frankencoin
22.6 USDC • Code4rena • 0xbepresent • rank #66

Caviar Private Pools
36.98 USDC • Code4rena • 0xbepresent • rank #59

Mar '23

Asymmetry contest
90.98 USDC • Code4rena • 0xbepresent • rank #54

Polynomial Protocol contest
254.1 USDC • Code4rena • 0xbepresent • rank #21

Wenwin contest
148.64 USDC • Code4rena • 0xbepresent • rank #22

Feb '23

Ethos Reserve contest
443.53 USDC • Code4rena • 0xbepresent • rank #25

OpenQ
278.61 USDC • 4 total findings • Sherlock • 0xbepresent • rank #24
high: `DepositManagerV1.sol::fundBountyToken()` must accept only whitelisted tokens
high: User claim is compromised if the deposited NFT is refunded by the funder
high: The first assigned winner can close the competition via `ClaimManagerV1.sol::permissionedClaimTieredBounty()` even when the other winners are not assigned yet
medium: `tokenAddresses` count is not decreased on refunds, limiting future deposits

Jan '23

RabbitHole Quest Protocol contest
40.31 USDC • Code4rena • 0xbepresent • rank #54

Drips Protocol contest
1,910.76 USDC • Code4rena • 0xbepresent • rank #6

Astaria contest
1,331.31 USDC • Code4rena • 0xbepresent • rank #15

Biconomy - Smart Contract Wallet contest
78.26 USDC • Code4rena • 0xbepresent • rank #49

Dec '22

GoGoPool contest
2,138.26 USDC • Code4rena • 0xbepresent • rank #11

Tigris Trade contest
271.93 USDC • Code4rena • 0xbepresent • rank #35

Escher contest
29.65 USDC • Code4rena • 0xbepresent • rank #61

Nov '22

Redacted Cartel contest
193.05 USDC • Code4rena • 0xbepresent • rank #28

LSD Network - Stakehouse contest
525.25 USDC • Code4rena • 0xbepresent • rank #27

Debt DAO contest
141.94 USDC • Code4rena • 0xbepresent • rank #37

Oct '22

Paladin - Warden Pledges contest
11.52 USDC • Code4rena • 0xbepresent • rank #34

Inverse Finance contest
33.63 USDC • Code4rena • 0xbepresent • rank #45

3xcalibur contest
34.98 USDC • Code4rena • 0xbepresent • rank #33

Sep '22

QuickSwap and StellaSwap contest
627.08 USDC • Code4rena • 0xbepresent • rank #11

VTVL contest
28.69 USDC • Code4rena • 0xbepresent • rank #64

PartyDAO contest
86.63 USDC • Code4rena • 0xbepresent • rank #51

Nouns Builder contest
60.77 USDC • Code4rena • 0xbepresent • rank #97

Aug '22

Nouns DAO contest
52.1 USDC • Code4rena • 0xbepresent • rank #38

FIAT DAO veFDT contest
44.84 USDC • Code4rena • 0xbepresent • rank #62

Fraxlend (Frax Finance) contest
21.17 USDC • Code4rena • 0xbepresent • rank #70

Foundation Drop contest
20.6 USDC • Code4rena • 0xbepresent • rank #67