Bluedragon

Security Researcher

Hi, I am Shibi Kishore ✨ Lead Security Researcher @ Team FORTIS AUDITS

High: 20 total

Medium: 21 total

Total earnings: $2.76K (#951 all time)

Payouts: 16x

Top 10: 4x

Top 25: 9x

Top 50: 13x

Apr '25

mezo-monorepo

42.39 USDC • 2 total findings • Cantina • FortisAudits-Thesis

#42

medium

Finding not yet public.

medium

Finding not yet public.

BitVault

650.53 USDC • 1 total finding • Code4rena • Fortis_audits

#5

medium

The current implementation is incompatible with `WBTC` as collateral token

Mar '25

PinLink: RWA-Tokenized DePIN Marketplace

13.20 USDC • Sherlock • Fortis_Audits

#44

Audit Comp | Yeet

94 USDC • 2 total findings • Immunefi • Bluedragon

#22

high

Finding not yet public.

low

Finding not yet public.

Symmio, Staking and Vesting

68.35 USDC • 2 total findings • Sherlock • Fortis_Audits

#10

high

Frequent reward updates for tokens with less decimals will prevent stakers from receiving rewards

medium

`StakingRewards` reward rate can be dragged out and diluted

Feb '25

Core Contracts

1,086.03 USDC • 37 total findings • CodeHawks • Fortis Audits

#18

high

`BaseGauge` users can claim rewards without staking

high

Users Can Overwrite Existing Locks in veRAACToken Resulting in Permanent Loss of Funds

high

Multiple issues from unnecessary balance increase calculation in DebtToken.mint

high

RToken's transfer function lead to loss of funds due to incorrect math

high

Users can borrow more assets than they have deposited as collateral

high

RToken is Not Interest Bearing Due to Broken Liquidity Index Calculation

high

Attackers can double voting power and veToken amount by locking and increasing

high

Incorrect Debt Token Accounting Due to Multiple Scaling Issues

high

Critical Economic Design Flaw in ZENO Zero-Coupon Bond Implementation Leads to Guaranteed User Losses

high

Future Stakers Gains More Rewards from Already Accumulated `rewardPerTokenStored` Causing Unfair Reward Distribution

medium

[H-2] Lack of Emergency Pause in `BaseGauge::stake` and `BaseGauge::withdraw`

medium

Timelock Controller Retains Canceled Proposals, Enabling Unauthorized Execution and severe Governance Voting manipulation.

medium

Missing Vote Frequency Control in GaugeController

medium

Incorrect accounting in `veRAACToken::emergencyWithdraw` and `veRAACToken::withdraw` due to missing `totalLocked` update

medium

`MAX_TOTAL_SUPPLY` Bypass in `veRAACToken` via `increase()` Function

medium

Incorrect DebtToken totalSupply Scaling Breaks Interest Rate Calculations

medium

Incorrect Return Values and Double Scaling in `RToken.burn` Function Leads to Denial of Service

medium

RToken.transferFrom() Does Not Scale User Balances Due to Stale Liquidity Index

medium

LendingPool deposits do not work with CurveVault due to lack of funds

medium

Emergency Withdrawal Remains Active After Cancellation

medium

Incorrect Period Transition Logic in Reward Distribution

medium

Time-skew Attack in RWAGauge Weight Calculations Through Precision Gaming

medium

Failure to update `lastClaimTime` mapping when users claim rewards in FeeCollector Causes Time-Based Reward Calculation Issues

low

Canceled vote still get voted on and accumulate voting power in Goverance.sol

low

Emergency Timelock Bypass: No Enforced 1-Day Delay for Emergency Actions

low

Lack of enforcement of the `MAX_TOTAL_LOCKED_AMOUNT`

low

Improper Lock State Updates: Misreported Locked Token Data infects Governance Participation, rewards distribution and Harms Protocol Trust.

low

Incorrect Initialization of minBoost in BaseGauge Constructor Breaks Core Contract Functionality

low

Missing Checkpoint Reset in `veRAACToken::emergencyWithdraw` Function

low

Missing Pause Functionality in veRAACToken Contract Can Be Abused When Emergency Withdrawal Mechanism Is Activated

low

`FeeCollector::updateFeeType` wrong fee share validation leads to impossible update for some fee types

low

`DebtToken::burn`'s Return Values are wrong

low

Incorrect Values Returned in ReserveLibrary `withdraw` Function

low

Insufficient ETH Forwarding in Governance Execution Mechanism Causes Proposal Failures

low

Missing `BaseGauge::distributionCap` validation leads to over-emission of rewards

low

Missing Check for Gauge Activation Status in vote :: GaugeController.sol

low

Missing Validation for Minimum Vote Weight in `vote` Function

Jan '25

Liquid Ron

0 USDC • 1 total finding • Code4rena • Bluedragon101

#12

medium

Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

daao-contracts

0.23 USDC • 1 total finding • Cantina • FortisAudits

#122

medium

Finding not yet public.

Aave DIVA Wrapper

0.04 USDC • 1 total finding • CodeHawks • Fortis Audits

#9

low

Incorrect sequence of AaveDIVAWrapper constructor parameters

Dec '24

InterPol

156.87 USDC • 1 total finding • Cantina • Fortis-Audits-6424

#10

high

Finding not yet public.

Nov '24

Project

98.19 USDC • 1 total finding • CodeHawks • Fortis Audits

#12

medium

NativeMetaTransaction.sol :: executeMetaTransaction() failed txs are open to replay attacks.

Aug '24

Winnables Raffles

3.36 USDC • 1 total finding • Sherlock • Bluedragon

#35

high

Lack of Access Control on Raffle Cancellation Allows Arbitrary Users to Disrupt Raffle Creation

Tadle

4.17 USDC • 4 total findings • CodeHawks • Fortis Audits

#121

high

Incorrect set up and logic of `referralInfoMap` in `SystemConfig::updateReferrerInfo` function

high

TokenManager - Unlimited withdraw

high

Formulaic Error Rounds Down Causing Total Loss Of Funds For Bid Takers During Abort

high

Malicious user can drain protocol by bypassing `ASK` offer abortion validation in `Turbo` mode

Jul '24

Zaros Part 1

32.97 USDC • 1 total finding • CodeHawks • Fortis Audits

#66

medium

An Uninitialized Variable In The `MarketConfiguration::update` Function Causes The `PrepMarket::getIndexPrice` Function To Revert

TempleGold

50.91 USDC • 2 total findings • CodeHawks • Fortis Audits

#31

high

Incompatibility with Multisig Wallets in `TempleGold::send` Function

low

Auction tokens cannot be recovered for the first ever spice auction

Jun '24

Thorchain

458.56 USDC • 1 total finding • Code4rena • Fortis_audits

#13

high

ThorChain will be informed wrongly about the unsuccessful ETH transfers due to the incorrect events emissions