0xc0ffEE

Security Researcher

High: 1 solo, 43 total

Medium: 49 total

Total earnings: $38.92K (#216 all time)

Payouts: 55x

1st places (gold): 2x

2nd places (silver): 4x

3rd places (bronze): 3x

Apr '25

ZKP2P V2

672.40 OP • Sherlock • 0xc0ffEE

#5

Findings not publicly available for private contests.

Aegis.im YUSD

139.83 OP • 1 total finding • Sherlock • 0xc0ffEE

bronze

medium

Redeem limit is not updated when request redeem is rejected or withdrawn

Mar '25

PinLink: RWA-Tokenized DePIN Marketplace

230.83 USDC • Sherlock • 0xc0ffEE

#6

Crestal Network

0.01 USDC • 1 total finding • Sherlock • 0xc0ffEE

#12

high

Users approved funds can be stolen

Audit Comp | Yeet

4,002 USDC • 7 total findings • Immunefi • trtrth

#4

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

low

Finding not yet public.

low

Finding not yet public.

low

Finding not yet public.

Symmio, Staking and Vesting

0.00 USDC • 1 total finding • Sherlock • 0xc0ffEE

#18

medium

Reward rate can be diluted

Feb '25

Yieldoor

11.40 USDC • 1 total finding • Sherlock • 0xc0ffEE

#27

medium

Strategy is DoS due to incorrect ticks of secondary position

Rova

1,178.25 USDC • 1 total finding • Sherlock • 0xc0ffEE

silver

medium

Users tokens are wrongly validated and updated

Jan '25

Plaza Finance

1,129.79 USDC • 7 total findings • Sherlock • 0xc0ffEE

#11

high

Unable to end a successful auction

high

Exchange rates are vulnerable to collateral level changes

high

Incorrect price returned from `BondOracleAdapter` contract

medium

Users will lose funds in BalancerRouter when PreDeposit reaches cap

medium

Bond holders can not redeem as expected

medium

Market rate can not be used in token redemption flow

medium

An attacker can grief the auction

Aave v3.3

2,357.89 USDC • Sherlock • 0xc0ffEE

#19

FlatMoney v2 Update

342.25 USDC • Sherlock • 0xc0ffEE

#9

Findings not publicly available for private contests.

Dec '24

Mach Finance

615.38 USDC • 1 total finding • Sherlock • 0xc0ffEE

gold

medium

Stale price from Pyth Oracle can be used

SecondSwap

136.58 USDC • 4 total findings • Code4rena • 0xc0ffEE

#23

high

`SecondSwap_Marketplace` vesting listing order affects how much the vesting buyers can claim at a given step

high

Users can claim more than their actual allotment

medium

Users can prevent being reallocated by listing to marketplace

medium

Listing potential can not be purchased with discounted price

Oku's New Order Types Contract Contest

25.47 OP • 5 total findings • Sherlock • 0xc0ffEE

#23

high

Attacker can drain funds by duplicating an order

high

Modifying order after filled can drain contract funds

high

Funds can be drained by fake swaps

high

User allowance can be stolen

medium

Wrong stale price check in Pyth integration

Rain - Collateral Contract V2

3,887.76 USDC • Sherlock • 0xc0ffEE

silver

Findings not publicly available for private contests.

Nov '24

Ethos Network Financial Contracts

229.70 USDC • 2 total findings • Sherlock • 0xc0ffEE

#18

high

Vote buyers will have to pay more fees than expected

medium

Slashing penalty can be mitigated by unvouching

Extra Finance

1,665.90 OP • Sherlock • 0xc0ffEE

bronze

Findings not publicly available for private contests.

Chiliz Chain System Contracts

1,057.10 USDC • Sherlock • 0xc0ffEE

#6

Findings not publicly available for private contests.

Debita Finance V3

5,913.00 USDC • 4 total findings • Sherlock • 0xc0ffEE

silver

high

Lenders and borrowers can not claim liquidation token after NFT collateral auction sold

medium

Borrowers will have to pay overhead fee for extending loans

medium

Borrowers can not extend loans which have maximum duration less than 24 hours

medium

Borrowers can still do many restricted actions with veNFT

Oct '24

Usual V1

1,013.20 USDC • 1 total finding • Sherlock • 0xc0ffEE

bronze

high

Fee could be lost in withdraw flow

Mento x Good$ Integration

507.28 USDC • 1 total finding • Sherlock • 0xc0ffEE

silver

medium

G$ expanded supply can be significantly less than expected

Audit Comp | Anvil

294 USDT • 1 total finding • Immunefi • trtrth

#10

medium

Finding not yet public.

Sep '24

Liquid Staking

5,667.24 USDC • 7 total findings • CodeHawks • trtrth

gold

high

No LSTs transfer on node operator withdrawals resulting in stuck funds and loss for node operators

medium

Chainlink automation Upkeep can not function because of improper integration

medium

Griefer can permanently DOS all the deposits to the `StakingPool`

medium

Vault fee receivers can conditionally block rewards distribution flow

low

No way to update unbonding and claim periods

low

The total amount to be distributed can be manipulated

low

Incorrect update for state variable `sharesSinceLastUpdate` in contract `PriorityPool`

Staking

32.26 USDC • CodeHawks • trtrth

#34

Flayer

1,030.75 USDC • 7 total findings • Sherlock • 0xc0ffEE

#15

high

Collection token will get locked after shutdown cancellation

high

Voters will be blocked from claiming liquidation share

high

Liquidation shares will be drained by re-starting a shutdown

high

Liquidation shares will be drained due to unsafe typecasting

medium

Fee exemption logic works incorrectly

medium

Fulfill wrong token side in the before swap hook

medium

Fund stuck because fail to refund ETH when initializing collection

Aug '24

Phi

38.04 USDC • 5 total findings • Code4rena • 0xc0ffEE

#29

high

Reentrancy Vulnerability Allows Bypass of Cooldown, Leading to Unfair Reward Extraction Through Flash Loan

high

Exposed `_removeCredIdPerAddress` & `_addCredIdPerAddress` allows anyone to cause issues to current holders as well as upcoming ones

medium

Refunds sent to incorrect addresses in certain cases

medium

Incorrect Fee Handling Prevents Protocol from Updating Fees

medium

Attacker can DOS user from selling shares of a credId

ZeroLend One

619.04 USDC • 6 total findings • Sherlock • 0xc0ffEE

#16

high

Can not withdraw assets from Pool because of treasury accrued shares

high

A lender can get more vault shares than expected

high

Incorrect total debt amount to calculate interest rate

high

Liquidation does not take into account the interest

medium

Reallocation will be blocked if trying to withdraw all from a market

medium

Users can not set status for `useReserveAsCollateral`

Jul '24

LoopFi

538.54 USDC • 3 total findings • Code4rena • 0xc0ffEE

#23

medium

In `PositionActionPendle::_onDecreaseLever`, `tokenOut` is implemented incorrectly.

medium

`PositionAction.decreaseLever()` fails to consider the loan fee in Flashlender when calculating `loanAmount`; as a result, the functionality will not work when `protocolFee != 0`.

medium

Unclaimed Rewards Handling Issue in `AuraVault` Contract Functions (`AuraVault::deposit`, `AuraVault::mint`, `AuraVault::withdraw`, `AuraVault::redeem`)

MagicSea - the native DEX on the IotaEVM

1.87 USDC • 1 total finding • Sherlock • 0xc0ffEE

#61

high

Can not cast vote after bribes registered

Jun '24

Vultisig

1,334.29 USDC • 1 total finding • Code4rena • 0xc0ffEE

#4

high

Adversary can prevent the launch of any ILO pool with enough raised capital at any moment by providing single-sided liquidity

Jan '24

Curves

6.46 USDC • 4 total findings • Code4rena • 0xc0ffEE

#90

high

Whitelisted accounts can be forcefully DoSed from buying curveTokens during the presale

high

Attack to make `CurveSubject` to be a `HoneyPot`

high

Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`

high

Unauthorized Access to setCurves Function

Sep '23

Allo V2

164.78 USDC • 3 total findings • Sherlock • 0xc0ffEE

#38

medium

QVSimpleStrategy contract does not work with native token

medium

Voice credits cast to recipient is incorrectly accounted in QVBaseStrategy contract

medium

Can not create a pool by cloning strategies on zkSync network

Aug '23

Dopex

0.08 USDC • 2 total findings • Code4rena • 0xc0ffEE

#125

high

The settle feature will be broken if attacker arbitrarily transfer collateral tokens to the PerpetualAtlanticVaultLP

high

The peg stability module can be compromised by forcing lowerDepeg to revert.

Jul '23

Beedle - Oracle free perpetual lending

44.92 USDC • 8 total findings • CodeHawks • trtrth

#74

high

Lender contract can be drained by re-entrancy in `setPool`

high

Sandwich attack to steal all ERC-20 tokens in the Fees contract

high

Borrower can use Refinance to cancel auctions so they can extend their loan indefinitely

high

During refinance() new Pool balance debt is subtracted twice

high

[H-04] Lender#buyLoan - Malicious user could take over a loan for free without having a pool because of wrong access control

high

Stealing any loan opening for auction through others' lending pool

high

Token spending by Uniswap router doesn't get approved

gas

Save gas for collecting protocol fees and interests

Mar '23

Asymmetry contest

11.13 USDC • 1 total finding • Code4rena • 0xc0ffEE

#113

medium

Stuck ether when use function `stake` with empty `derivatives`(`derivativeCount` = 0)

Feb '23

Surge

3.65 USDC • 1 total finding • Sherlock • 0xc0ffEE

#22

high

An early malicious depositor can manipulate issuance of shares to steal users deposited loan token

Dec '22

GoGoPool contest

9.93 USDC • 1 total finding • Code4rena • 0xc0ffEE

#80

high

Hijacking of node operators minipool causes loss of staked funds

Nov '22

LooksRare Aggregator contest

187.67 USDC • 1 total finding • Code4rena • 0xc0ffEE

#18

medium

call opcode's return value not checked.

SIZE contest

52.83 USDC • 1 total finding • Code4rena • 0xc0ffEE

#31

medium

Incompatibility with fee-on-transfer/inflationary/deflationary/rebasing tokens, on both base tokens and quote tokens, with varying impacts

Oct '22

Inverse Finance contest

0.38 USDC • 1 total finding • Code4rena • 0xc0ffEE

#50

medium

Chainlink oracle data feed is not sufficiently validated and can return stale `price`

Blur Exchange contest

2,552.63 USDC • 2 total findings • Code4rena • 0xc0ffEE

#8

high

StandardPolicyERC1155.sol returns amount == 1 instead of amount == order.amount

medium

Protocol can be easily rug-pulled by the owner

Sep '22

VTVL contest

9.09 USDC • Code4rena • 0xc0ffEE

#80

Y2k Finance contest

52.8 USDC • Code4rena • 0xc0ffEE

#50

Nouns Builder contest

140.96 USDC • 1 total finding • Code4rena • 0xc0ffEE

#66

medium

Index out of bounds error when properties length is more than attributes length breaks minting

Aug '22

Sentiment

219.53 USDC • 1 total finding • Sherlock • 0xc0ffEE

#22

medium

can not repay native token

Nouns DAO contest

16.66 USDC • Code4rena • 0xc0ffEE

#44

Fraxlend (Frax Finance) contest

21.17 USDC • Code4rena • 0xc0ffEE

#70

Foundation Drop contest

13.17 USDC • 1 total finding • Code4rena • 0xc0ffEE

#68

medium

NFT of NFT collection or NFT drop collection can be locked when calling _mint or mintCountTo function to mint it to a contract that does not support ERC721 protocol

Mimo August 2022 contest

106.78 USDC • Code4rena • 0xc0ffEE

#34

Rigor Protocol contest

21.72 USDC • Code4rena • 0xc0ffEE

#73

Jul '22

Golom contest

35.17 USDC • Code4rena • 0xc0ffEE

#86

Jun '22

Putty contest

482.41 USDC • 3 total findings • Code4rena • 0xc0ffEE

#30

medium

`fillOrder()` and `exercise()` may lock Ether sent to the contract, forever

medium

Putty position tokens may be minted to non ERC721 receivers

medium

The contract serves as a flashloan pool without fee

Nibbl contest

28.28 USDC • Code4rena • 0xc0ffEE

#62

Yieldy contest

54.61 USDC • Code4rena • 0xc0ffEE

#62

May '22

Forgotten Runes Warrior Guild contest

15.49 USDC • Code4rena • 0xc0ffEE

#57