BengalCatBalu

Security Researcher

High: 22 Total

Medium: 20 Total

Total Earnings: $19.47K

#366 All Time

Payouts: 14x

1st Places (gold): 2x

2nd Places (silver): 1x

Top 10 (regular): 6x

Feb '25

defi-app-contracts

96.91 USDC • 2 total findings • Cantina • BengalCatBalu

#23

high

Finding not yet public.

medium

Finding not yet public.

TermMax

9,873.32 USDC • 5 total findings • Cantina • BengalCatBalu

gold

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

Jan '25

daao-contracts

345.4 USDC • 7 total findings • Cantina • BengalCatBalu

#4

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

hmx-orderbook

5,941.03 USDC • 3 total findings • Cantina • BengalCatBalu

silver

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Dec '24

juicebox-monorepo

2,162.18 OP • 2 total findings • Cantina • BengalCatBalu

#5

medium

Finding not yet public.

medium

Finding not yet public.

Nov '24

Ethos Network Financial Contracts

511.74 USDC • 5 total findings • Sherlock • BengalCatBalu

#10

high

Incorrect calculation of funds on `buyVotes` could DoS `withdrawGraduatedMarketFunds`

high

Users pay less than the vouchersPoolFee due when the `increaseVouch` function is called

high

User may be grossly overpaying fees in `buyVotes` due to incorrect calculation

medium

No lock funds after unvouch will allow the author to withdraw his funds before slash

medium

No slippage protection for `sellVotes` function

vVv Launchpad - Investments & Token distribution

94.59 USDC • 1 total finding • Sherlock • BengalCatBalu

gold

high

Anyone can claim kycAddress tokens in `VVVVCTokenDistributor`

Debita Finance V3

349.20 USDC • 8 total findings • Sherlock • BengalCatBalu

#16

high

`BuyOrder::sellNFT` does not send NFT to buyer

medium

Malicious user can reset activeOrdersCount for `DLOFactory` and DoS deleteOrder functionality

medium

Valid principle may not be counted at `DebitaIncentives::updateFunds`

medium

`DebitaV3Loan::extendLoan` will revert due to underflow in most cases

medium

Flash Loan Borrows can take most of the incentive.

medium

PercentageLent for small loans will be rounded to zero

medium

Accumulated rounding down in weighted APR calculation may force the borrower to accept offers that he would not accept in other cases

medium

If no one lends a principle in an epoch, then the incentives for it will be stuck in the contract

Telcoin Update #2

6.69 USDC • Sherlock • BengalCatBalu

#46

Jul '24

MagicSea - the native DEX on the IotaEVM

32.89 USDC • 4 total findings • Sherlock • BengalCatBalu

#45

high

Broken access control in `BribeRewarder::_modify` leads to DoS of `Voter::_vote`

high

Incorrect implementation of control when user can vote in `Voter.sol`

medium

position.lockDuration in `MLUMStaking.sol` and user vote ability can be manipulated due to incorrect access control realization

medium

Not only the owner of the position can get the award in `MLUMStaking`, approved addresses can take the award for themselves

Apr '24

Teller Finance

14.66 USDC • 2 total findings • Sherlock • BengalCatBalu

#33

high

Using transferFrom instead of safeTransferFrom can lead to incorrect logic with non-revert-on-failure tokens

medium

Fee-on-transfer tokens and non-revert-on-failure tokens could break logic and result in a DoS of `FlashRolloverLoan_G5::rolloverWithFlashLoan`

TITLES Publishing Protocol

30.41 USDC • 2 total findings • Sherlock • BengalCatBalu

#33

high

In the `FeeManager.sol::_splitProtocolFee` function, the collectionReffererShare recipient is misspelled.

medium

Broken TitlesGraph behavior when changing work.creator

Mar '24

vVv Vesting & Staking

1.87 USDC • Sherlock • BengalCatBalu

#41

Zap Protocol

9.97 USDC • 1 total finding • Sherlock • BengalCatBalu

#12

high

Potential reentrancy attack on `Vesting.sol`