0xdeadbeef

Security Researcher

Web3 security researcher. Finding bugs at Code4rena, Sherlock, Secure3, The Saloon and whitehat @Immunefi. Open for private audits - 2cbf49ba9d

High: 28 total

Medium: 3 solo, 51 total

Total Earnings: $160.38K

#57 All Time

Payouts: 37x

1st Places (gold): 3x

2nd Places (silver): 3x

3rd Places (bronze): 4x

Mar '25

IOTA EVM

Collaborative Audit • Sherlock • 0xdeadbeef

Sep '24

Boost Core Incentive Protocol

9,924.12 USDC • 3 total findings • Sherlock • 0xdeadbeef

#10

high

Inability to claim from Raffle based ERC20 Incentive will permanently lock funds.

medium

Boost creator will prevent protocol from receiving claim fee

medium

Using weird tokens such as rebasing tokens are not supported

Aug '24

Sentiment V2

92.45 USDC • 2 total findings • Sherlock • 0xdeadbeef

#35

medium

Malicious actor will prevent or increase price of super pool creation.

medium

Malicious actor will prevent reallocation of funds by super pool owner.

Jun '24

Orderly Network

20,488.93 USDC • Sherlock • 0xdeadbeef

silver

Findings not publicly available for private contests.

Apr '24

FairSide Network

23,872.17 USDC • Sherlock • 0xdeadbeef

gold

Findings not publicly available for private contests.

Mar '24

Optimism Fault Proofs

3,203.02 USDC • 1 total finding • Sherlock • 0xdeadbeef

#6

medium

Maliciously claiming root for a large l2 block number will prevent additional creation of the game

Seismic Finance

1,221.41 USDC • Sherlock • 0xdeadbeef

bronze

Findings not publicly available for private contests.

Feb '24

Audit Comp | Puffer Finance

6,390 USDC • 3 total findings • Immunefi • OxDEADBEEF

bronze

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Jan '24

Blast

19,339.96 USDC • 3 total findings • Cantina • 0xdeadbeef

#19

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

Nov '23

morpho-blue

3,410.62 USDC • 1 total finding • Cantina • 0xdeadbeef

#9

high

Finding not yet public.

Sep '23

Vyper - Compiler

5,150.52 USDC • 1 total finding • CodeHawks • 0xdeadbeef

#6

medium

`RawCall` builtin function allows passing a value in unsupported calls

Allo V2

603.66 USDC • 6 total findings • Sherlock • 0xdeadbeef

#12

high

RFP Recipient can steal funds by toggling the pool activity state

high

RFP recipient can steal pool funds without supplying all milestones by re-registering before allocation

medium

RFP payment cannot be fulfilled because of a validation in `_distribute`

medium

Incorrect caching of previous credits in `_qv_allocate` result in amplified voting result

medium

Funding using a fee-on-transfer token will prevent payments

medium

Users cannot claim tokens in `DonationVotingMerkleDistributionVaultStrategy` if fee-on-transfer tokens are used.

Jul '23

Foundry DeFi Stablecoin CodeHawks Audit Contest

11.16 USDC • 2 total findings • CodeHawks • 0xdeadbeef

#77

medium

staleCheckLatestRoundData() does not check the status of the Arbitrum sequencer in Chainlink feeds.

low

Unbounded Loops Found in DSCEngine.sol can lead to DoS of liquidations

CodeHawks Escrow Contract - Competition Details

2,560.57 USDC • 2 total findings • CodeHawks • 0xdeadbeef

gold

medium

[H-01] Lack of emergency withdraw function when no arbiter is set

medium

Fixed `i_arbiterFee` can prevent payment

Tokemak

408.66 USDC • 3 total findings • Sherlock • 0xdeadbeef

#32

high

Incorrect handling of `ETH/WETH` causes the `LMPVaultRouterBase` to use double pull the funds of the user

high

Malicious actor can steal rewards because rewards are not updated prior to staking

medium

`GPToke` staking cap will prevent withdrawals

Jun '23

GLIF

12,586.69 USDC • Sherlock • 0xdeadbeef

gold

Findings not publicly available for private contests.

May '23

BASE

813.4 USDC • Code4rena • 0xdeadbeef0x

bronze

Eco Protocol

2,018.64 USDC • 1 total finding • Sherlock • 0xdeadbeef

silver

high

Malicious actor cause rebase to an old inflation multiplier

Apr '23

GMX Update

5,566.32 USDC • 1 total finding • Sherlock • 0xdeadbeef

#7

high

Limit Swap orders are still delayed by a block

Mar '23

Optimism Update

5,878.09 USDC • 1 total finding • Sherlock • 0xdeadbeef

#6

medium

Malicious actor can prevent migration by calling a non-existing function in `OVM_L2ToL1MessagePasser` and making `ReadWitnessData` return an error

Feb '23

GMX

5,769.10 USDC • 5 total findings • Sherlock • 0xdeadbeef

#6

high

Byte slicing corrupts data length - keepers funds will be drained by expensive memory expansion

high

Incomplete error handling causes execution and freezing/cancelling of Deposits/Withdrawals/Orders to fail.

medium

Keeper can make deposits/orders/withdrawals fail and receive fee+rewards

medium

Deposits/Withdrawals/Orders will be canceled if created before feature is disabled and attempted to be executed after

medium

No check if Arbitrum L2 sequencer is down when receiving prices from price feeds

OpenQ

943.54 USDC • 4 total findings • Sherlock • 0xdeadbeef

#18

high

Malicious ERC20 tokens can prevent closing and claiming bounties

high

Overflow in getLockedFunds prevents refunds.

high

Large amount of deposits will cause an out of gas exception that will prevent refunds

medium

Attacker can prevent funders from funding none-whitelisted ERC20 tokens

Jan '23

Popcorn contest

1,523.66 USDC • 3 total findings • Code4rena • 0xdeadbeef0x

#13

high

Staking rewards can be drained

medium

Fee on transfer token not supported

medium

Vault creator can prevent users from claiming staking rewards

Optimism

11,009.11 USDC • 2 total findings • Sherlock • 0xdeadbeef

#11

medium

Migration will not succeed because of a mismatch between witness data and expected data

medium

ETH/tokens are permanently frozen if they are sent from L1->L2 using the L1StandardBridge while the L2CrossDomainMessenger is "paused"

Sentiment Update #3

1,428.57 USDC • 1 total finding • Sherlock • 0xdeadbeef

bronze

medium

No check if Arbitrum L2 sequencer is down in Chainlink feeds

Reserve contest

1,192.91 USDC • 1 total finding • Code4rena • 0xdeadbeef0x

#17

medium

RToken permanently insolvent/unusable if a single collateral in the basket behaves unexpectedly

Biconomy - Smart Contract Wallet contest

1,811.55 USDC • 5 total findings • Code4rena • 0xdeadbeef0x

#4

high

Arbitrary transactions possible due to insufficient signature validation

high

Replay attack (EIP712 signed transaction)

high

Attacker can gain control of counterfactual wallet

high

Destruction of the `SmartAccount` implementation

medium

Transaction can fail due to batchId collision

Dec '22

GoGoPool contest

1,830.96 USDC • 8 total findings • Code4rena • 0xdeadbeef0x

#15

high

MinipoolManager: node operator can avoid being slashed

high

Inflation of ggAVAX share price by first depositor

high

Hijacking of node operators minipool causes loss of staked funds

high

node operator is getting slashed for full duration even though rewards are distributed based on a 14 day cycle

medium

Users may not be able to redeem their shares due to underflow

medium

any duration can be passed by node operator

medium

Cancellation of minipool may skip MinipoolCancelMoratoriumSeconds checking if it was cancelled before

medium

State Transition: Minipools can be created using other operator's AVAX deposit via recreateMinipool

Forgeries contest

365.84 USDC • 1 total finding • Code4rena • 0xdeadbeef0x

#12

medium

VRFNFTRandomDraw admin can prevent created or started raffle from taking place

Tigris Trade contest

2,086.69 USDC • 6 total findings • Code4rena • 0xdeadbeef0x

#9

medium

BondNFTs can revert when transferred

medium

Trading will not work on ethereum if USDT is used

medium

Centralization risks: owner can freeze withdraws and use timelock to steal all funds

medium

`_handleDeposit` and `_handleWithdraw` do not account for tokens with decimals higher than 18

medium

Chainlink price feed is not sufficiently validated and can return stale price

medium

Lock.sol: claimGovFees function can cause assets to be stuck in the Lock contract

prePO contest

3,783.72 USDC • 1 total finding • Code4rena • 0xdeadbeef0x

silver

medium

PrePO NFT holders will not be able to redeem collateral

Escher contest

1.95 USDC • 2 total findings • Code4rena • 0xdeadbeef0x

#66

medium

ETH will get stuck if all NFTs do not get sold.

medium

Use of `payable.transfer()` Might Render ETH Impossible to Withdraw

Nov '22

LSD Network - Stakehouse contest

1,550.97 USDC • 5 total findings • Code4rena • 0xdeadbeef0x

#14

high

Protocol insolvent - Permanent freeze of funds

high

Giant pools can be drained due to weak vault authenticity check

medium

Incorrect implementation of the ETHPoolLPFactory.sol#rotateLPTokens let user stakes ETH more than maxStakingAmountPerValidator in StakingFundsVault, and DOS the stake function in LiquidStakingManager

medium

Freezing of funds - Hacker can prevent users withdraws in giant pools

medium

Giant pools cannot receive ETH from vaults

Blur Exchange contest

796.16 USDC • 1 total finding • Code4rena • 0xdeadbeef0x

#7

high

Direct theft of buyers ETH funds.

SIZE contest

21.13 USDC • Code4rena • 0xdeadbeef

#39

Debt DAO contest

2,648.01 USDC • 5 total findings • Code4rena • 0xdeadbeef0x

#10

high

Repaying a line of credit with a higher than necessary claimed revenue amount will force the borrower into liquidation

medium

Reentrancy bug allows lender to steal other lenders funds

medium

address.call{value:x}() should be used instead of payable.transfer()

medium

Borrower/Lender excessive ETH not refunded and permanently locked in protocol

medium

Lender can reject closing a position

Oct '22

The Graph L2 bridge contest

20.79 USDC • Code4rena • 0xdeadbeef

#16

Sep '22

Art Gobblers contest

55.2 USDC • Code4rena • 0xdeadbeef

#21