Security Researcher
Smart Contract Security Researcher | +8 years in malware reverse engineering | Conducting audits at @code4rena & @sherlockdefi
#292 All Time
Oct '24
Oct '23
Sep '23
Aug '23
high
The settle feature will be broken if an attacker arbitrarily transfers collateral tokens to the PerpetualAtlanticVaultLP
medium
No mechanism to settle out-of-money put options even after Bond receipt token is redeemed.
medium
Change of `fundingDuration` causes "time travel" of `PerpetualAtlanticVault.nextFundingPaymentTimestamp()`
Jul '23
May '23
high
`BaseV2Minter` DAO reward shares are calculated wrong
high
Removing a BribeFlywheel from a Gauge does not remove the reward asset from the rewards depo, making it impossible to add a new Flywheel with the same reward token
medium
Removing a `UniswapV3Gauge` via `UniswapV3GaugeFactory` does not actually remove it from the `UniswapV3Staker`; Gauge still gains rewards, can be staked to (even though deprecated) plus old stakers game the rewards of new stakers
medium
`BribesFactory::createBribeFlywheel` can be completely blocked from creating any Flywheel by a malicious actor
medium
If `HERMES` gauge rewards are not queued for distribution every week, they are slashed
medium
Unstaking `vMAIA` tokens on the first Tuesday of the month can be offset
Apr '23
Mar '23
Feb '23
high
`_claimExternalRewards` does not update contract state after claiming, allowing for extra external reward token claims via `claimRewards`
high
`userRewardDebts` is not correctly deducted from `cachedUserRewards` in `_withdrawUpdateRewardState` leading to extra internal rewards by withdrawing
high
Claiming internal rewards via `internalRewardsForToken` fails in some cases even when users are entitled to internal rewards
medium
Claiming external rewards via `externalRewardsForToken` fails in some cases even when users are entitled to external rewards
Jan '23