Arabadzhiev

Security Researcher

Web3 Security Researcher | Former Web2 Software Engineer

High: 4 Total

Medium: 1 Solo, 10 Total

Total Earnings: $14.92K

#435 All Time

Payouts: 13x

1st Places: 1x (gold)

3rd Places: 2x (bronze)

Top 10: 6x (regular)

Mar '24

Copra Finance

541.39 USDC • Sherlock • Arabadzhiev

#5

Findings not publicly available for private contests.

Revert Lend

42.78 USDC • Code4rena • Arabadzhiev

#59

Feb '24

Jala Swap

799.98 USDC • 1 total finding • Sherlock • Arabadzhiev

bronze

medium

In `JalaMasterRouter::swapExactTokensForETH` the `amountIn` value is not being scaled up when performing the wrapped token swap call to `JalaRouter02::swapExactTokensForETH`

Spectra

8,807.03 USDC • 1 total finding • Code4rena • Arabadzhiev

gold

medium

All yield generated in the IBT vault can be drained by performing a vault deflation attack using the flash loan functionality of the Principal Token contract

Napier

1,148.01 USDC • 2 total findings • Sherlock • Arabadzhiev

#5

medium

The pool verification in `NapierRouter` is prone to collision attacks

medium

Malicious Rebalancer can prevent Principal Token and Yield Token holders from redeeming their underlying rewards

Dec '23

Olympus RBS 2.0

1,796.00 USDC • 3 total findings • Sherlock • Arabadzhiev

#9

high

`BunniPrice::getBunniTokenPrice` returns the TVL in the given Bunni token instead of the price per share of that token

medium

`AuraBalancerSupply` retrieves the total BPT supply of Balancer pools through the `totalSupply` function, which is not correct for some types of pools

medium

`BunniSupply::getProtocolOwnedLiquidityOhm` does not take uncollected fees into account, leading to OHM balance discrepancy

Oct '23

NextGen

15.24 USDC • 3 total findings • Code4rena • Arabadzhiev

#83

high

Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime

high

Adversary can block `claimAuction()` due to push-strategy to transfer assets to multiple bidders

medium

Auction winner can prevent payments via `safeTransferFrom` callback

Aug '23

Sparkn

1.00 USDC • 2 total findings • CodeHawks • Arabadzhiev

#85

low

If a winner is blacklisted on any of the tokens they can't receive their funds

low

Owner can incorrectly pull funds from contests not yet expired

Jul '23

Beedle - Oracle free perpetual lending

18.72 USDC • 1 total finding • CodeHawks • Arabadzhiev

#128

high

Sandwich attack to steal all ERC-20 tokens in the Fees contract

Amphora Protocol

9.43 USDC • Code4rena • Arabadzhiev

#23

Index Update

1,721.15 USDC • 1 total finding • Sherlock • Arabadzhiev

bronze

medium

Malicious actors can DoS users, that want to buy all / most of the remaining quantity of a component, by frontrunning them with dust amount bids

May '23

Iron Bank

1.97 USDC • 2 total findings • Sherlock • Arabadzhiev

#19

medium

Missing L2 sequencer outage checks

medium

Lack of stale data checks when retrieving price data from Chainlink

Juicebox Buyback Delegate

16.19 USDC • Code4rena • Arabadzhiev

#18