
Chom

Security Researcher

Some mysterious programmer | 🏰


High: 16 total
Medium: 47 total
Total Earnings: $63.12K (#136 All Time)
Payouts: 59x
1st Places: 1x (gold)
2nd Places: 1x (silver)
3rd Places: 1x (bronze)


Oct '23
ENS: 5.43 USDC, Code4rena, rank #20

Jul '23
Axelar Network: 1,956.96 USDC, 2 total findings, Code4rena, rank #7
  medium: InterchainProposalExecutor.sol doesn't support non-EVM address as caller or sender
  medium: `RemoteAddressValidator` can incorrectly convert addresses to lower case

Mar '23
Canto Identity Subprotocols contest: 39.87 USDC, 1 total finding, Code4rena, rank #24
  medium: Users can end up buying and paying for a different Tray than the one they were trying to acquire

Jan '23
OpenSea Seaport 1.2 contest: 140.67 USDC, Code4rena, rank #9

Dec '22
Caviar contest: 40.26 USDC, 1 total finding, Code4rena, rank #44
  high: Liquidity providers may lose funds when adding liquidity
Escher contest: 190.22 USDC, 3 total findings, Code4rena, rank #20
  high: `LPDA` price can underflow due to bad settings and potentially brick the contract
  medium: selfdestruct() will not be available after EIP-4758
  medium: NFTs mintable after Auction deadline expires
PoolTogether contest: 1,309.61 USDC, 1 total finding, Code4rena, rank #6
  medium: When a smart contract calls CrossChainRelayerArbitrum.processCalls, excess submission fees may be lost
Maverick contest: 59.84 USDC, Code4rena, rank #13

Nov '22
LooksRare Aggregator contest: 36.34 USDC, Code4rena, rank #24

Oct '22
Paladin - Warden Pledges contest: 1,314.86 USDC, 2 total findings, Code4rena, rank #5
  medium: Reward can be over- or undercounted in `extendPledge` and `increasePledgeRewardPerVote`
  medium: Pledge may be out of reward due to the decay in veCRV balance; targetVotes is never reached.
Inverse Finance contest: 24.6 USDC, 2 total findings, Code4rena, rank #46
  medium: Oracle assumes token and feed decimals will be limited to 18 decimals
  medium: Chainlink oracle data feed is not sufficiently validated and can return stale `price`
Holograph contest: 1,241.69 USDC, 3 total findings, Code4rena, rank #8
  high: Failed job can't be recovered; NFT may be lost.
  high: Gas price spikes cause the selected operator to be vulnerable to frontrunning and be slashed
  medium: Bond tokens (HLG) can get permanently stuck in operator
3xcalibur contest: 2,206.31 USDC, Code4rena, rank #6
The Graph L2 bridge contest: 50.28 USDC, Code4rena, rank #15

Sep '22
Sherlock: 774.97 USDC, 1 total finding, Sherlock, rank #5
  medium: liquidExit may have an unexpected exit penalty if TrueFi adjusts the penalty or due to human error
QuickSwap and StellaSwap contest: 1,516.94 USDC, 1 total finding, Code4rena, rank #8
  medium: Missing slippage control; users may lose a lot of funds due to front-running MEV bots.
Frax Ether Liquid Staking contest: 1,247.88 USDC, 5 total findings, Code4rena, rank #5
  medium: Centralization risk: the admin has privileges to set an address that can mint any amount of frxETH, set any address as validator, change important state in frxETHMinter, and withdraw funds from frxETHMinter
  medium: Delayed reward release could cause yield stealing and loss
  medium: removeValidator() and removeMinter() may fail due to exceeding the gas limit
  medium: frxETHMinter: non-conforming ERC20 tokens not recoverable
  medium: `recoverEther` not updating `currentWithheldETH` breaks calculation of withheld amount for further deposits
VTVL contest: 60.78 USDC, 1 total finding, Code4rena, rank #44
  medium: Not able to create claim
Art Gobblers contest: 55.2 USDC, Code4rena, rank #21
Harpie: 16.97 USDC, 1 total finding, Sherlock, rank #21
  medium: Using ERC721 unsafe transferFrom will cause NFT loss if the recipient can't accept ERC721 and won't execute onERC721Received in the recipient contract.

Y2k Finance contest: 163.57 USDC, 2 total findings, Code4rena, rank #35
  medium: Receiver and treasury can receive nothing when calling the `withdraw` function because division is performed before multiplication
  medium: Different oracle issues can return outdated prices
PartyDAO contest: 280 USDC, Code4rena, rank #19
Notional: 1,157.89 USDC, 2 total findings, Sherlock, rank #8
  medium: Unexpected behavior for UniV2Adapter, UniV3Adapter, and ZeroExAdapter when msgValue is not zero
  medium: TradingModule oracle is missing check for stale price in roundID
FEI and TRIBE Redemption contest: 33.58 USDC, Code4rena, rank #14
Canto Dex Oracle contest: 249.68 CANTO, 1 total finding, Code4rena, rank #8
  medium: Hackers can deploy a token with the same name as the stable one to impersonate the stable token
Nouns Builder contest: 4,271.57 USDC, 7 total findings, Code4rena, bronze (3rd place)
  high: Multiple vote checkpoints per block will lead to incorrect vote accounting
  medium: A proposal can be cancelled by anyone if the proposal has exactly proposalThreshold votes
  medium: `Governor` - Quorum could be less than intended
  medium: Delegation should not be allowed to address(0)
  medium: Precision is not enough for proposalThreshold and quorum; collections with at least 20000 NFTs in total supply may have some trouble.
  medium: Proposals can be bricked and auctions stalled by bad settings
  medium: Loss of veto power can lead to a 51% attack

Aug '22
Sentiment: 74.21 USDC, 2 total findings, Sherlock, rank #24
  medium: If an asset is blocked from transfer, using that asset as collateral will prevent liquidation
  medium: Chainlink's `latestRoundData` might return stale or incorrect results
Olympus DAO contest: 54.31 USDC, Code4rena, rank #85
Nouns DAO contest: 52.1 USDC, Code4rena, rank #38
FIAT DAO veFDT contest: 44.84 USDC, Code4rena, rank #62
Fraxlend (Frax Finance) contest: 67 USDC, Code4rena, rank #56
Foundation Drop contest: 135.24 USDC, 1 total finding, Code4rena, rank #17
  medium: Possible to bypass saleConfig.limitPerAccount
Mimo August 2022 contest: 106.78 USDC, Code4rena, rank #34
Rigor Protocol contest: 348.06 USDC, 1 total finding, Code4rena, rank #26
  medium: Possible DoS in `lendToProject()` and `toggleLendingNeeded()` because an unbounded loop can run out of gas

Jul '22
Axelar Network v2 contest: 11,259.63 USDC, 2 total findings, Code4rena, gold (1st place)
  medium: XC20Wrapper may lose received tokens forever if LocalAsset(xc20).mint reverts indefinitely
  medium: System will not work anymore after EIP-4758
Golom contest: 35.32 USDC, Code4rena, rank #85
Yield Witch v2 contest: 59.48 USDC, Code4rena, rank #19
Swivel v3 contest: 46.82 USDC, Code4rena, rank #51
ENS contest: 39.86 USDC, Code4rena, rank #70
Fractional v2 contest: 42.43 USDC, 1 total finding, Code4rena, rank #92
  medium: Delegate call in `Vault#_execute` can alter Vault's ownership
Juicebox V2 contest: 145.78 USDC, 2 total findings, Code4rena, rank #35
  high: Oracle data feed can be outdated yet used anyway, which will impact payment logic
  medium: Use a safe transfer helper library for ERC20 transfers

Jun '22
Putty contest: 79.74 USDC, Code4rena, rank #52
Canto v2 contest: 1,455.65 USDC, 2 total findings, Code4rena, rank #7
  high: Oracle periodSize is very low, allowing the TWAP price to be easily manipulated
  high: getBorrowRate returns rate per year instead of per block
Nibbl contest: 60.69 USDC, Code4rena, rank #23
Yieldy contest: 406.89 USDC, 1 total finding, Code4rena, rank #24
  medium: Cannot mint to exactly max supply using `_mint` function
Illuminate contest: 771.42 USDC, 5 total findings, Code4rena, rank #20
  high: Allowance check always true in ERC5095 redeem
  high: Incorrect implementation of APWine and Tempus `redeem`
  high: Able to mint any amount of PT
  high: Funds may be stuck when `redeeming` for Illuminate
  high: Illuminate PT redeeming allows for burning from other accounts
Nested Finance contest: 305.13 USDC, Code4rena, rank #5
Badger-Vested-Aura contest: 147.12 USDC, 1 total finding, Code4rena, rank #18
  medium: `_harvest` has no slippage protection when swapping `auraBAL` for `AURA`
Infinity NFT Marketplace contest: 80.32 USDC, Code4rena, rank #56
Canto contest: 3,501.69 USDC, 3 total findings, Code4rena, rank #9
  high: `lending-market/NoteInterest.sol` Wrong implementation of `getBorrowRate()`
  high: Anyone can set the `baseRatePerYear` after the `updateFrequency` has passed
  medium: Oracle may be attacked if an attacker can pump the tokens for the entire block
Connext Amarok contest: 3,918.68 USDC, 2 total findings, Code4rena, rank #6
  medium: _handleExecuteTransaction may not work correctly on fee-on-transfer tokens; moreover, if it fails, funds may be locked forever.
  medium: Current implementation of the arbitrary call execute failure handler may break some use cases, for example an NFT bridge.
Notional x Index Coop: 146.84 USDC, Code4rena, rank #23

May '22
Backd Tokenomics contest: 177.75 USDC, Code4rena, rank #25
veToken Finance contest: 99.89 USDT, Code4rena, rank #54
Velodrome Finance contest: 2,093.14 USDC, 1 total finding, Code4rena, rank #13
  medium: WeVE (FTM) may be lost forever if the redemption process fails
Rubicon contest: 125.56 USDC, 1 total finding, Code4rena, rank #49
  medium: `RubiconMarket.sol#isClosed()` always returns false, so the market cannot be stopped as designed
OpenSea Seaport contest: 4,262.12 USDC, Code4rena, rank #13
Aura Finance contest: 5,338.63 USDC, 1 total finding, Code4rena, rank #11
  medium: Reward may be locked forever if a user doesn't claim the reward for a very long time, such that too many epochs have passed

Apr '22
Axelar Network contest: 9,189.69 USDC, 1 total finding, Code4rena, silver (2nd place)
  high: Cross-chain smart contract calls can revert but source chain tokens remain burnt and are not refunded