0xnirlin

Security Researcher

Security Researcher | 40+ vulnerabilities reported in public contests on code4rena and sherlock | Multiple top 5 and top 10 in public contests.

High: 10 total

Medium: 15 total

Total Earnings: $10.38K

#533 All Time

Payouts: 12x

2nd Places: 1x (silver)

Top 10: 5x (regular)

Top 25: 7x (regular)

Apr '25

ZKP2P V2

364.69 OP • Sherlock • 0xnirlin

#6

Findings not publicly available for private contests.

Oct '23

The Wildcat Protocol

59.02 USDC • 2 total findings • Code4rena • nirlin

#49

high

Borrower has no way to update `maxTotalSupply` of `market` or close market.

high

Borrower can drain all funds of a sanctioned lender

ENS

1,774.19 USDC • 1 total finding • Code4rena • nirlin

#5

medium

Some tokens enable the direct draining of all approved `ERC20Votes` tokens

Sep '23

Allo V2

1,891.76 USDC • 5 total findings • Sherlock • 0xnirlin

silver

high

Registery address is set to proxy address of create3 instead of registery in the anchor.sol

high

In DonationVotingMerkleDistributionBaseStrategy `_registerRecipient` wrongly sets the recipient after the first one

medium

Anchor contract is unable to receive NFTs of any kind

medium

_registerRecipient will always revert in case useRegistryAnchor is set to false in rftCommitteeStrategy.sol

medium

Create3 library may not work as intended on the zksync

Ondo Finance

1,758.97 USDC • 1 total finding • Code4rena • nirlin

#4

medium

All bridged funds will be lost for the users using the account abstraction wallet

Aug '23

Dopex

1,031.85 USDC • 4 total findings • Code4rena • nirlin

#18

high

The settle feature will be broken if attacker arbitrarily transfer collateral tokens to the PerpetualAtlanticVaultLP

medium

Inaccurate swap amount calculation in ReLP leads to stuck tokens and lost liquidity

medium

User can avoid paying high premium price by correctly timing his bond call

medium

Change of `fundingDuration` causes "time travel" of `PerpetualAtlanticVault.nextFundingPaymentTimestamp()`

Jul '23

Axelar Network

2,120.04 USDC • 1 total finding • Code4rena • nirlin

#6

medium

Interchain token transfer can be Dossed Due To Flow Limit

May '23

Chainlink Cross-Chain Services: CCIP and ARM Network

201.79 USDC • Code4rena • nirlin

#40

Footium

0.00 USDC • 1 total finding • Sherlock • 0xnirlin

#35

medium

User may not be able to claim any rewards due to use of transfer in `claimErc20Prize`

Apr '23

Rubicon v2

826.54 USDC • 6 total findings • Code4rena • nirlin

#14

high

RubiconMarket batchOffer and batchRequote make offers as self; complete loss of funds for some types of tokens, for example WETH

high

Reward accounting is incorrect in BathBuddy contract

high

Placeholder

high

DOS of market operations with malicious offers

medium

Use of `block.number` leads to incorrect interest calculations

medium

No deadline parameter in `sellAllAmount()` and `buyAllAmount()` functions:

Mar '23

Gitcoin

118.85 USDC • Sherlock • 0xnirlin

#29

Y2K

230.11 USDC • 4 total findings • Sherlock • 0xnirlin

#46

high

Critical Indexing Flaw in Enlist Function that lead to user information collision in ownerToRollOverQueueIndex mapping and prevent user from calling withdraw and safeTransferFrom in Carousel.sol

medium

Lack of staleness check in the getLatestPrice(address _token) function can lead to triggering depeg even when there is no depeg.

medium

Loss of funds if triggerNullEpoch is called late.

medium

Treasury can never be changed on vaults even after calling changeTreasury()