
Bahurum

Security Researcher

Independent security researcher | JSR @SpearbitDAO | Watson @SherlockDefi | SC & ZK alumni @yAcademyDAO


High findings: 3 solo, 33 total

Medium findings: 5 solo, 22 total

Total earnings: $74.42K (#112 all time)

Payouts: 32x

1st places (gold): 4x

2nd places (silver): 6x

3rd places (bronze): 1x


Feb '24

Wise Lending

1,800 USDC • 2 total findings • Hats • Bahurum

Placement: #4

high: Curve reentrancy check for tokens being borrowed is missing

medium: Check on `MAX_TOTAL_TOKEN_NUMBER` off by one

Blast Futures Exchange

999.6 USDC • Hats • Bahurum

Placement: silver (2nd place)

Oct '23

HATs Arbitration Contracts

14,200 USDC • 2 total findings • Hats • Bahurum

Placement: gold (1st place)

high: Disputers can recover bonds lost in dispute by stealing bonds of future claims

medium: After a `TokenLock` is revoked, tokens can be lost permanently

Idle Finance

1,500 USDC • Hats • Bahurum

Placement: gold (1st place)

Sep '23

Convergence Finance

4,700 DAI • Hats • Bahurum

Placement: gold (1st place)

Jul '23

VMEX #2

899.8 USDC • Hats • Bahurum

Placement: silver (2nd place)

Jun '23

VMEX

13,500 USDC • Hats • Bahurum

Placement: silver (2nd place)

May '23

USSD - Autonomous Secure Dollar

343.67 USDC • 9 total findings • Sherlock • Bahurum

Placement: #4

high: Incorrect `DAIEthOracle` in `StableOracleDAI` and `StableOracleWBGL`

high: Incorrect check on collateral being `DAI` in `USSDRebalancer.SellUSSDBuyCollateral()`

high: Incorrect rebalancing due to unrelated Uni V3 pool reserves

high: `price` is DAI/ETH instead of ETH/DAI in `StableOracleDAI.getPriceUSD()`

high: Incorrect decimals for `price` in `StableOracleDAI.getPriceUSD()`

high: Incorrect `amountToSellUnits` decimals in `USSDRebalance.BuyUSSDSellCollateral()`

high: Unprotected `mintRebalancer` and `burnRebalancer` functions

high: Incorrect `ExactInputParams` struct in `USSD`

medium: Funds can be stolen if WBTC depegs

Mar '23

Asymmetry contest

141.98 USDC • 4 total findings • Code4rena • Bahurum

Placement: #43

high: An attacker can manipulate the preDepositvePrice to steal from other users.

high: Staking, unstaking and rebalanceToWeight can be sandwiched (mainly rETH deposit)

high: `WstEth` derivative assumes a ~1=1 peg of stETH to ETH

medium: In a de-peg scenario, forcing full exit from every derivative and immediately re-entering can cause big losses for depositors

Olympus Update

310.09 USDC • 1 total finding • Sherlock • Bahurum

Placement: #4

high: Users' deposits could get stuck due to a check in the `decreaseTotalLp` function

Taurus

183.09 USDC • 1 total finding • Sherlock • Bahurum

Placement: #10

high: Collateral ratio calculation is incorrect if `collateralToken` isn't in 18 decimals

Feb '23

Syndr

1,731.25 USDC • Sherlock • Bahurum

Placement: #4

Findings not publicly available for private contests.

OlympusDAO

3,172.17 USDC • 5 total findings • Sherlock • Bahurum

Placement: silver (2nd place)

high: Liquidity Vault can be drained

high: `userRewardDebts` incorrectly updated in `_claimInternalRewards()`

high: `cachedUserRewards` incorrectly updated in `_withdrawUpdateRewardState()`

medium: Vault can experience long downtime periods

medium: Rewards can get stuck and can be unavailable for some time

Jan '23

Optimism

3,926.11 USDC • Sherlock • Bahurum

Placement: #15

Cooler

274.09 USDC • 2 total findings • Sherlock • Bahurum

Placement: #12

high: `debt` tokens are sent to `address(0)` instead of the lender in `repay()`

high: Unchecked return values of `transfer` and `transferFrom`

Sentiment Update #3

1,428.57 USDC • 1 total finding • Sherlock • Bahurum

Placement: bronze (3rd place)

medium: Tokens not owned by an account can be added as an asset to the account

UXD Protocol

379.67 USDC • 4 total findings • Sherlock • Bahurum

Placement: #16

high: Missing check on `account` in `PerpDepository.rebalance()`

medium: `PerpDepository` not compatible with `assetToken` with decimals different from 18

medium: Missing approval of `assetToken` to `spotSwapper` in `PerpDepository._rebalanceNegativePnlWithSwap()`

medium: Missing approval of `quoteToken` to `vault` in `PerpDepository._rebalanceNegativePnlWithSwap()`

Dec '22

Lyra

3,088.59 USDC • Sherlock • Bahurum

Placement: #5

Findings not publicly available for private contests.

Nov '22

Sentiment Update #2

4,090.90 USDC • 1 total finding • Sherlock • Bahurum

Placement: gold (1st place)

high: Curve LP oracle manipulation with read-only reentrancy in pool's `get_virtual_price`

Bull v Bear

598.26 USDC • 2 total findings • Sherlock • Bahurum

Placement: #5

high: `transferPosition()` to `address(0)` allows matching the same order multiple times

high: `settleContract` gas usage can be increased by the bull, making settling unprofitable for the bear

Sentiment Update

2,678.57 USDC • 1 total finding • Sherlock • Bahurum

Placement: silver (2nd place)

high: Unexpected liquidations after batchSwap with intermediate amounts

Oct '22

Union Finance

6,944.64 USDC • 2 total findings • Sherlock • Bahurum

Placement: silver (2nd place)

high: Loan can be written off by anybody before the overdue delay expires

medium: A stake that has just been locked gets the full reward multiplier

Sep '22

Frax Ether Liquid Staking contest

196.12 USDC • 2 total findings • Code4rena • Bahurum

Placement: #16

medium: Rewards delay release could cause yields steal and loss

medium: frxETHMinter.depositEther may run out of gas, leading to lost ETH

VTVL contest

23.67 USDC • 1 total finding • Code4rena • Bahurum

Placement: #72

medium: Supply cap of VariableSupplyERC20Token is not properly enforced

Y2k Finance contest

995.77 USDC • 2 total findings • Code4rena • Bahurum

Placement: #12

high: Incorrect handling of pricefeed.decimals()

high: Vault.sol is not EIP-4626 compliant

Aug '22

Sentiment

2,073.73 USDC • 5 total findings • Sherlock • Bahurum

Placement: #10

high: ERC4626 underlying decimals could be different

high: Missing check on decimals of Chainlink price feed

medium: ERC777 reentrancy in self-liquidation

medium: Can register a non-allowed collateral as collateral

medium: Missing validation of `latestRoundData` return data

Olympus DAO contest

2,048.36 USDC • 2 total findings • Code4rena • Bahurum

Placement: #13

high: Anyone can pass any proposal alone before the first `VOTES` are minted

medium: After endorsing a proposal, a user can transfer votes to another user to endorse the same proposal again

FIAT DAO veFDT contest

30.34 USDC • Code4rena • Bahurum

Placement: #64

Rigor Protocol contest

301.19 USDC • 2 total findings • Code4rena • Bahurum

Placement: #27

high: Builder can call `Community.escrow` again to reduce debt further using the same signatures

high: Project funds can be drained by reusing signatures, in some cases

Jul '22

Golom contest

1,041.15 USDC • Code4rena • Bahurum

Placement: #15

Swivel v3 contest

308.45 USDC • 1 total finding • Code4rena • Bahurum

Placement: #14

medium: Error in allowance logic

May '22

Rubicon contest

507.23 USDC • 3 total findings • Code4rena • Bahurum

Placement: #23

medium: RubiconRouter: Excess ether is not returned to the user

medium: Use `safeTransfer()`/`safeTransferFrom()` instead of `transfer()`/`transferFrom()`

medium: Malicious pools can be deployed through `BathHouse`