Brenzee

Web3 Developer & Security Researcher

🌐 Web3 Developer & Smart Contract Security Researcher

High: 20 total

Medium: 19 total

Total Earnings: $8.30K (#608 All Time)

Payouts: 28x

3rd Places: 1x (bronze)

Top 10: 4x

Top 25: 15x

Aug '24

Sentiment V2

562.37 USDC • 1 total finding • Sherlock • Brenzee

#18

high

Liquidator can seize the whole collateral or collateral up to 200% of debt value during liquidation

Jun '24

Size

205.39 USDC • 3 total findings • Code4rena • Brenzee

#41

high

Users won't liquidate positions because the logic used to calculate the liquidator's profit is incorrect

high

When `sellCreditMarket()` is called to sell credit for a specific cash amount, the protocol might receive a lower swapping fee than expected.

medium

LiquidateWithReplacement does not charge swap fees on the borrower

Apr '24

NOYA

19.18 USDC + NOYA stars • 1 total finding • Code4rena • Brenzee

#82

medium

`AccountingManager#totalWithdrawnAmount` should reflect tokens actually transferred to users, instead of expected transfers

TITLES Publishing Protocol

3.52 USDC • 1 total finding • Sherlock • Brenzee

#52

high

Attacker can mint the whole supply of Work tokens for a price of one token

Feb '24

Spectra

53.72 USDC • 1 total finding • Code4rena • Brenzee

#20

medium

PrincipalToken is not ERC-5095 compliant

Althea Liquid Infrastructure

7.18 USDC • 1 total finding • Code4rena • Brenzee

#34

high

Holders array can be manipulated by transferring or burning with amount 0, stealing rewards or bricking certain functions

Dec '23

Revolution Protocol

80.96 USDC • 2 total findings • Code4rena • Brenzee

#46

medium

Once EntropyRateBps is set too high, can lead to denial-of-service (DoS) due to an invalid ETH amount

medium

`ERC20TokenEmitter::buyToken` function mints more tokens to users than it should do

Nov '23

Nouns Builder

1,056.63 USDC • 1 total finding • Sherlock • Brenzee

#6

high

Specific bid amounts will not allow the auction to be settled and will DoS the Auction contract

Sep '23

Venus Prime

983.5 USDC • 2 total findings • Code4rena • Brenzee

bronze

high

Incorrect decimal usage in score calculation leads to reduced user reward earnings

high

Prime.sol - User can claim Prime token without having any staked XVS, because his `stakedAt` isn't reset whenever he is issued an irrevocable token.

Delegate

40.13 USDC • Code4rena • Brenzee

#9

Aug '23

Dopex

655.01 USDC • 1 total finding • Code4rena • Brenzee

#30

medium

No slippage protection for bonders

veRWA

211.91 USDC • 1 total finding • Code4rena • Brenzee

#19

high

When adding a gauge, its initial value has to be set by an admin or all voting power towards it will be lost

Jul '23

Amphora Protocol

9.43 USDC • Code4rena • Brenzee

#23

Index Update

462.66 USDC • 1 total finding • Sherlock • Brenzee

#7

medium

Price is not calculated correctly according to the documentation in the contract

PoolTogether

1,896.9 USDC • 1 total finding • Code4rena • Brenzee

#11

high

Vault is not compatible with some erc4626 vaults

Tapioca DAO

123.66 USDC • 1 total finding • Code4rena • Brenzee

#72

high

Potential 99.5% loss in `emergencyWithdraw()` of two Yieldbox strategies

Basin

135.79 USDC • 1 total finding • Code4rena • Brenzee

#17

high

Pumps are not updated in the shift() and sync() functions, allowing oracle manipulation

Jun '23

Lybra Finance

432.66 USDC • 3 total findings • Code4rena • Brenzee

#26

medium

If `ProtocolRewardsPool` is insufficient in EUSD, users will not be able to claim any rewards

medium

It is possible to manipulate WETH/LBR pair to claim reward of the users which shouldn't be claimed

medium

Incorrect Reward Distribution Calculation in `ProtocolRewardsPool`

May '23

Iron Bank

0.03 USDC • 2 total findings • Sherlock • Brenzee

#23

medium

Chainlink's latestRoundData is not validated

medium

Chainlink's L2 sequencer is not checked if it is down

USSD - Autonomous Secure Dollar

72.30 USDC • 6 total findings • Sherlock • Brenzee

#27

high

`StaticOracle` contract address is incorrect in `StableOracleWBGL` and `StableOracleDAI` contracts

high

Wrong decimals are assumed for `latestRoundData` in `StableOracleDAI` oracle

high

`StableOracleDAI` - ETH/DAI price is fetched instead of DAI/ETH

high

Anyone can mint more USSD tokens

high

`USSD.UniV3SwapInput` executes Uniswap V3 swap without slippage protection

medium

Chainlink's latestRoundData might be stale or incorrect

Index

0.17 USDC • 1 total finding • Sherlock • Brenzee

#25

medium

Chainlink's `latestAnswer` function is deprecated

Venus Protocol Isolated Pools

258.7 USDC • 2 total findings • Code4rena • Brenzee

#32

high

Incorrect `blocksPerYear` constant in `WhitepaperInterestRateModel`

medium

ShortFall contract might transfer incorrect amount of tokens to the highest bidder.

Ajna Protocol

36.24 USDC • Code4rena • Brenzee

#49

Footium

115.81 USDC • 1 total finding • Sherlock • Brenzee

#21

high

Previous owner of the club can steal tokens that he approved on

Apr '23

Blueberry Update

10.74 USDC • 1 total finding • Sherlock • Brenzee

#16

medium

No checks if Arbitrum sequencer is down in Chainlink feeds

JOJO Exchange

190.39 USDC • 1 total finding • Sherlock • Brenzee

#36

medium

`Subaccount` contract and `Subaccount.execute` cannot receive ETH tokens

Caviar Private Pools

664.13 USDC • 2 total findings • Code4rena • Brenzee

#12

medium

Pool tokens can be stolen via `PrivatePool.flashLoan` function from previous owner

medium

`changeFeeQuote` will fail for low decimal ERC20 tokens

Mar '23

Asymmetry contest

16.62 USDC • 1 total finding • Code4rena • Brenzee

#107

high

An attacker can manipulate the preDepositvePrice to steal from other users.