Security Researcher
Finding a vocation in fixing things that don't seem broken! / Web3 security researcher @OpenZeppelin / Smart contract auditor / Ideas are my own.
High
Total
Medium
Solo
Total
Total Earnings
#224 All Time
Payouts
2nd Places
3rd Places
Top 10
All
Sherlock
Code4rena
Oct '24
Feb '23
high
[High][Flow] `reconcileSignerCount` is not updating the safe threshold correctly
medium
[High][Flow]`createHat` allows creation of hats without intermediary, which can lead to hats getting completely overwritten in the future
medium
[Medium][Gas/Stack Management] Recursive functions are used regularly and can increase gas usage quadratically or might face stack too deep
medium
[Medium][Outdated State] `setThreshold` functions are not using an updated `SignerCount` and might set the threshold on safe incorrectly
medium
[Medium][Outdated State] `_removeSigner` incorrectly updates `signerCount` and safe `threshold`
high
Protection buyers can buy/renew many protections for a single underlying position
high
There is a profitable Arbitrage path for users that incentivizes a secondary market on top of the protection pool to bypass the 2 cycle withdrawal delay
medium
If a `lendingPool` is added to the network while in `late` state, can be defaulted instantly
medium
When purchasing a protection, `_verifyLendingPoolIsActive` processes data based on an outdated version of `defaultStateManager`
Jan '23
Dec '22
high
Hijacking of node operators minipool causes loss of staked funds
high
node operator is getting slashed for full duration even though rewards are distributed based on a 14 day cycle
high
AVAX Assigned High Water is updated incorrectly
medium
MinipoolManager: recordStakingError function does not decrease minipoolCount leading to too high GGP rewards for staker
medium
Cancellation of minipool may skip MinipoolCancelMoratoriumSeconds checking if it was cancelled before
medium
State Transition: Minipools can be created using other operator's AVAX deposit via recreateMinipool
medium
Coding logic of the contract upgrading renders upgrading contracts impractical