AlexCzm

Security Researcher

High: 29 total

Medium: 26 total

Total earnings: $6.92K

Rank: #662 all time

Payouts: 23x (regular)

Top 10: 3x (regular)

Top 25: 7x (regular)

Top 50: 15x (regular)

Feb '25

Yieldoor

59.59 USDC • 3 total findings • Sherlock • AlexCzm

#13

high

Wrong `tickUpper` argument used in `collectFees()` may lead to funds being locked permanently

high

Due to an incorrect leverage calculation, users are able to open positions with a leverage bigger than the max leverage allowed

medium

Failure to update `path` in multi-pool swaps results in an out-of-gas (OOG) error during leveraged position openings

Aug '24

Sentiment V2

1,362.18 USDC • 3 total findings • Sherlock • AlexCzm

#6

high

An attacker can pick up a new price that is older than the current stored one

medium

Attacker can open many small positions, disincentivizing liquidations

medium

Hardcoded redstone oracle deviation threshold

Jun '24

Size

0.05 USDC • 1 total finding • Code4rena • AlexCzm

#62

high

Users won't liquidate positions because the logic used to calculate the liquidator's profit is incorrect

Apr '24

NOYA

666.86 USDC + NOYA stars • 6 total findings • Code4rena • AlexCzm

#22

high

`SNXConnector.sol` TVL calculation is incorrect.

high

Numerous errors when calculating the TVL for the MorphoBlue connector

high

It is possible to open an insolvent position in the Silo connector due to a missing check in the borrow function

high

SiloConnector `_getPositionTVL` miscalculates the position TVL

medium

Some connectors prevent repayment of a borrow position if it doesn't leave the connector solvent or above minimumHealthFactor

medium

Dust donation might DoS all connectors from creating new holding positions by preventing removal of existing holding positions

TITLES Publishing Protocol

30.26 USDC • 4 total findings • Sherlock • AlexCzm

#34

high

CollectionReferrerShare is wrongly sent to mint referrer

high

Users can `mintBatch` to mint out but pay for one token only

medium

Edition._refundExcess() doesn't refund the excess ether

medium

The edges will never be acknowledged because only memory copy is modified

DYAD

247.59 USDC • 7 total findings • Code4rena • AlexCzm

#47

high

Attacker can make 0 value deposit() calls to deny user from redeeming or withdrawing collateral

high

Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosene

high

Kerosene collateral is not being moved on liquidation, exposing liquidators to loss

high

Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults

medium

Attacker can frontrun to prevent vaults from being removed from the dNFT owner's position

medium

Value of kerosene can be manipulated to force liquidate users

medium

Liquidation bonus logic is wrong

Feb '24

UniStaker Infrastructure

694.3 USDC • Code4rena • AlexCzm

#5

AI Arena

13.09 USDC • 5 total findings • Code4rena • AlexCzm

#120

high

Since you can reroll with a different fighterType than the NFT you own, you can reroll bypassing maxRerollsAllowed and reroll attributes based on a different fighterType

medium

NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on-chain due to underflow, and the user can recover past losses that shouldn't be recoverable (stealing the protocol's token)

medium

Can mint NFT with the desired attributes by reverting transaction

medium

DoS in `MergingPool::claimRewards` function and potential DoS in `RankedBattle::claimNRN` function if called after a significant amount of rounds passed.

medium

Fighter created by mintFromMergingPool can have arbitrary weight and element

Jan '24

Curves

136.88 USDC • 6 total findings • Code4rena • AlexCzm

#37

high

Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`

high

Unauthorized Access to setCurves Function

medium

Selling will be bricked if all other tokens are withdrawn to ERC20 token

medium

onBalanceChange causes previously unclaimed rewards to be cleared

medium

Curves::_buyCurvesToken(): excess ETH received is not refunded to the user

medium

If a user sets their curve token symbol as the default one plus the next token counter instance it will render the whole default naming functionality obsolete

SYMM IO

31.07 USDC • Sherlock • AlexCzm

#20

Dec '23

Ethereum Credit Guild

336.05 USDC • 3 total findings • Code4rena • AlexCzm

#38

high

The userGaugeProfitIndex is not set correctly, allowing an attacker to receive rewards without waiting

high

Users staking via the `SurplusGuildMinter` can be immediately slashed when staking into a gauge that had previously incurred a loss

high

The creation of bad debt (`mark-down` of Credit) can force other loans in auction to also create bad debt

Nov '23

Kelp DAO | rsETH

40.69 USDC • 2 total findings • Code4rena • AlexCzm

#44

high

The price of rsETH could be manipulated by the first staker

high

Protocol mints less rsETH on deposit than intended

Aug '23

Chainlink Staking v0.2

3.86 USDC • Code4rena • AlexCzm

#58

veRWA

9.82 USDC • Code4rena • AlexCzm

#52

Jul '23

Lens Protocol V2

31.38 USDC • Code4rena • AlexCzm

#9

Beam

31.11 USDC • Sherlock • AlexCzm

#26

May '23

Maia DAO Ecosystem

2,992.34 USDC • 3 total findings • Code4rena • AlexCzm

#21

high

TalosBaseStrategy#init() lacks slippage protection

medium

Removing more gauge weight than it should while transferring `ERC20Gauges` tokens

medium

`ERC20Boost.sol`: a user can be `attach`ed to a gauge and have no boost balance

USSD - Autonomous Secure Dollar

57.67 USDC • 2 total findings • Sherlock • AlexCzm

#36

high

Anyone can trigger USSD depeg.

high

Wrong price calculation

Footium

0.01 USDC • 1 total finding • Sherlock • AlexCzm

#32

medium

ERC20 return values not checked

Apr '23

Rubicon v2

16.48 USDC • 5 total findings • Code4rena • AlexCzm

#96

high

Reward accounting is incorrect in BathBuddy contract

medium

BathBuddy contract should implement methods to pause and unpause contract

medium

Zero reward rate calculation impedes low-decimals token distributions

medium

Calling `Position._marketBuy` and `Position._marketSell` functions that calculate `_fee` by dividing by `10000` can cause incorrect calculations

medium

Calling `ExpiringMarket.stop` and `ExpiringMarket.isClosed` functions cannot pause any functionalities of the market

Mar '23

Gitcoin

49.51 USDC • Sherlock • AlexCzm

#53

Y2K

100.04 USDC • 2 total findings • Sherlock • AlexCzm

#52

high

Users can avoid paying depositFee

high

A malicious user can deny user reward enlisted in rollover

Jan '23

RabbitHole Quest Protocol contest

9.64 USDC • 2 total findings • Code4rena • AlexCzm

#80

high

Bad implementation in minter access control for `RabbitHoleReceipt` and `RabbitHoleTickets` contracts

medium

Users may not claim Erc1155 rewards when the Quest has ended