https://sherlock-files.ams3.digitaloceanspaces.com/twitter_images/84ac9164-c38a-4673-ab9d-f556145b9c95.jpg

Allarious

Security Researcher

Finding a vocation in fixing things that don't seem broken! / Web3 security researcher @OpenZeppelin / Smart contract auditor / Ideas are my own.

Contact Me

High

Total

Medium

Solo

Total

$35.97K

Total Earnings

#232 All Time

7x

Payouts

1x

2nd Places

1x

3rd Places

5x

Top 10

All

Sherlock

Code4rena

Oct '24

Kleidi

1,141.87 USDC • 2 total findings • Code4rena • Allarious

medium

Wrong handling of call data check indices, forcing it sometimes to revert

medium

Gas griefing/attack via creating the proposals

Feb '23

Hats

573.67 USDC • 5 total findings • Sherlock • Allarious

high

[High][Flow] `reconcileSignerCount` is not updating the safe threshold correctly

medium

[High][Flow]`createHat` allows creation of hats without intermediary, which can lead to hats getting completely overwritten in the future

medium

[Medium][Gas/Stack Management] Recursive functions are used regularly and can increase gas usage quadratically or might face stack too deep

medium

[Medium][Outdated State] `setThreshold` functions are not using an updated `SignerCount` and might set the threshold on safe incorrectly

medium

[Medium][Outdated State] `_removeSigner` incorrectly updates `signerCount` and safe `threshold`

Carapace

1,248.42 USDC • 4 total findings • Sherlock • Allarious

#13

high

Protection buyers can buy/renew many protections for a single underlying position

high

There is a profitable Arbitrage path for users that incentivizes a secondary market on top of the protection pool to bypass the 2 cycle withdrawal delay

medium

If a `lendingPool` is added to the network while in `late` state, can be defaulted instantly

medium

When purchasing a protection, `_verifyLendingPoolIsActive` processes data based on an outdated version of `defaultStateManager`

Jan '23

Numoen contest

5,284.65 USDC • 1 total finding • Code4rena • Allarious

medium

Economical games that can be played to gain MEV

Optimism

25,701.94 USDC • 2 total findings • Sherlock • Allarious

high

`relayMessage` may call the target functions with less gas than was anticipated by its sender

medium

Proposer can submit a faulty proof on L1 and avoid transactions from getting finalized on-chain

Cooler

348.68 USDC • 3 total findings • Sherlock • Allarious

high

It is possible to inject `roll` transactions between `clear` and `toggleRoll`

medium

`collateralFor` does not calculate the collateral correctly.

medium

Payment function can cause desync between `collateral` and the `amount`

Dec '22

GoGoPool contest

1,673.79 USDC • 7 total findings • Code4rena • Allarious

#19

high

Hijacking of node operators minipool causes loss of staked funds

high

node operator is getting slashed for full duration even though rewards are distributed based on a 14 day cycle

high

AVAX Assigned High Water is updated incorrectly

medium

MinipoolManager: recordStakingError function does not decrease minipoolCount leading to too high GGP rewards for staker

medium

Cancellation of minipool may skip MinipoolCancelMoratoriumSeconds checking if it was cancelled before

medium

State Transition: Minipools can be created using other operator's AVAX deposit via recreateMinipool

medium

Coding logic of the contract upgrading renders upgrading contracts impractical