0xmystery

Security Researcher

High: 14 total

Medium: 22 total

Total Earnings: $13.15K

#456 All Time

Payouts: 37x

1st Places (gold): 1x

3rd Places (bronze): 1x

Top 10 (regular): 9x

Mar '25

PinLink: RWA-Tokenized DePIN Marketplace

3.86 USDC • Sherlock • 0xmystery

#66

Feb '25

Usual Labs

47.66 USDC • Sherlock • 0xmystery

#39

Yieldoor

13.80 USDC • 1 total finding • Sherlock • 0xmystery

#26

high

Flawed Leverage Calculation Allows Extreme Overleveraging and Lending Pool Draining Leading to Rapid Liquidation

Jan '25

Plaza Finance

69.98 USDC • 5 total findings • Sherlock • 0xmystery

#40

high

Dynamic fee calculation based on poolReserves and lastFeeClaimTime results in unfair fee entitlement due to sudden reserve changes

medium

Reduced pool reserves due to frequent redeem() during auctions can lead to excessive reserve depletion or repeated auction failures, impacting bond token holders.

medium

Discrepancy in sharesPerToken assignment between Pool.startAuction() and BondToken.increaseIndexedAssetPeriod() leads to inconsistent account tallying across periods

medium

Unsuccessful auction states allow early claimers to drain coupon tokens at the expense of late claimers due to unallocated distributions.

medium

Blacklisted lowest bidder in Auction.bid() prevents proper bid removal, leading to potential auction failure or suboptimal revenue

Nov '24

Nouns DAO - Auction Streams

459.06 USDC • Sherlock • 0xmystery

#11

Telcoin Update #2

26.46 USDC • Sherlock • 0xmystery

#30

Oct '24

Usual V1

4,367.29 USDC • 2 total findings • Sherlock • 0xmystery

gold

high

A missing reward update in UsualSP::removeOriginalAllocation will cause reduced reward accumulation for users

high

The use of exact assets for fee calculation in UsualX::withdraw inflates totalAssets(), enabling users to extract excess assets (or have less shares burnt) and possibly leading to under-collected fees for the protocol

Covalent - EWM Light Client

453.76 USDC • Sherlock • 0xmystery

bronze

Findings not publicly available for private contests.

Jul '24

Union Finance Update #2

42.73 USDC • 1 total finding • Sherlock • 0xmystery

#11

medium

Missing Validity Check in ERC1155Voucher::onERC1155BatchReceived

May '24

Munchables

0.01 USDC • 1 total finding • Code4rena • 0xmystery

#16

high

Invalid validation allows users to unlock early

Apr '24

Renzo

0 USDC • Code4rena • 0xmystery

#58

NOYA

48.73 USDC + NOYA stars • 1 total finding • Code4rena • 0xmystery

#60

medium

`performanceFeeReceiver` cannot mint any performance fee shares even if TVL is dropped by only a very tiny amount

Mar '24

Ondo Finance

498.91 USDC • 1 total finding • Code4rena • 0xmystery

#11

medium

Users can lose access to funds due to minimum withdrawal limits.

Smart Wallet

47.24 USDC • Code4rena • 0xmystery

#13

PoolTogether

820.39 USDC • 3 total findings • Code4rena • 0xmystery

#6

high

Any fee claim lesser than the total `yieldFeeBalance` as unit of shares is lost and locked in the `PrizeVault` contract

medium

Funds locked due to missing transfer check

medium

Lack of Slippage Protection in `withdraw`/`redeem` Functions of the Vault

Feb '24

AI Arena

11.2 USDC • 2 total findings • Code4rena • 0xmystery

#121

high

Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes

high

Fighters cannot be minted after the initial generation due to uninitialized `numElements` mapping

Jan '24

Decent

12.28 USDC • Code4rena • 0xmystery

#54

Telcoin Platform Audit

2.64 USDC • 1 total finding • Sherlock • 0xmystery

#9

high

Balance array misalignment and DoS on the next mint after calling CouncilMember.burn()

Curves

155.41 USDC • 5 total findings • Code4rena • 0xmystery

#30

high

Attack to make `CurveSubject` to be a `HoneyPot`

high

Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`

medium

Selling will be bricked if all other tokens are withdrawn to ERC20 token

medium

onBalanceChange causes previously unclaimed rewards to be cleared

medium

Curves::_buyCurvesToken(), Excess of Eth received is not refunded back to the user.

reNFT

12.58 USDC • Code4rena • 0xmystery

#59

Truflation

67.11 USDC • 1 total finding • Sherlock • 0xmystery

#10

medium

Rewards remain unclaimable in vesting migration due to private key loss

SYMM IO

4.89 USDC • Sherlock • 0xmystery

#31

Dec '23

Footium Update

8.23 USDC • Sherlock • 0xmystery

#29

Revolution Protocol

158.12 USDC • 2 total findings • Code4rena • 0xmystery

#37

medium

Since buyToken function has no slippage checking, users can get less tokens than expected when they buy tokens directly

medium

Bidder can use donations to get VerbsToken from auction that already ended.

Ethereum Credit Guild

85.84 USDC • 1 total finding • Code4rena • 0xmystery

#67

medium

Re-triggering the `canOffboard[term]` flag to bypass the DAO vote of the lending term offboarding mechanism

Nov '23

Shell Protocol

814.56 USDC • Code4rena • 0xmystery

#5

Nouns Builder

21.94 USDC • 1 total finding • Sherlock • 0xmystery

#9

high

Potential Vesting Allocation Issue for First Founder in Token.sol

Kelp DAO | rsETH

179.04 USDC • 2 total findings • Code4rena • 0xmystery

#22

high

Protocol mints less rsETH on deposit than intended

medium

Lack of slippage control on LRTDepositPool.depositAsset

Oct '23

Party Protocol

15.78 USDC • Code4rena • 0xmystery

#32

Ethena Labs

297.65 USDC • 1 total finding • Code4rena • 0xmystery

#13

medium

`FULL_RESTRICTED` Stakers can bypass restriction through approvals

Open Dollar

33.9 USDC • 1 total finding • Code4rena • 0xmystery

#48

medium

Decimal Limitation in CamelotRelayer and UniV3Relayer Contract Deployment

Brahma

1,163.48 USDC • 1 total finding • Code4rena • 0xmystery

#5

medium

Protocol is not `EIP712` compliant: incorrect typehash for `Validation` and `Transaction` structures

Sep '23

Centrifuge

197.84 USDC • Code4rena • 0xmystery

#25

Ondo Finance

106.43 USDC • 1 total finding • Code4rena • 0xmystery

#26

medium

Users can lose access to funds due to minimum withdrawal limits.

Aug '23

Dopex

96.33 USDC • 1 total finding • Code4rena • 0xmystery

#81

high

Improper precision of strike price calculation can result in broken protocol

Shell Protocol

40.53 USDC • Code4rena • 0xmystery

#15

PoolTogether V5: Part Deux

2,760.39 USDC • 1 total finding • Code4rena • 0xmystery

#4

medium

Potential Near-Zero Scenarios for purchasePrice in the Continuous Gradual Dutch Auction