EgisSecurity

Security Researcher

Smart Contract Security Team led by @nmirchev8 and @dethSCA

High: 1 Solo, 15 Total
Medium: 19 Total
$45.25K Total Earnings
#193 All Time
7x Payouts
3x 1st Places (gold)
1x 3rd Places (bronze)
5x Top 10

Feb '25

Stealth
37,000 USDC • Sherlock • EgisSecurity • 1st place (gold)
Findings not publicly available for private contests.

Dec '24

Autonomint Colored Dollar V1
95.75 OP • 4 total findings • Sherlock • EgisSecurity • #23
high: borrowing::liquidate - `lastEventTime` isn't updated after `calculateCumulativeRate` is called
high: `GlobalVariables` may be compromised if there are concurrent in-flight messages
medium: borrowing::depositTokens - `calculateCumulativeRate` is called after borrower has been added
medium: borrowing::_withdraw - `lastEventTime` is updated before calling `calculateCumulativeRate`

Aug '24

ZeroLend One
12.11 USDC • 1 total finding • Sherlock • EgisSecurity • #43
medium: Positions using assets with a large heartbeat may accrue bad debt

Sentiment V2
1,153.21 USDC • 9 total findings • Sherlock • EgisSecurity • #10
high: Exploiter can always bypass `LIQUIDATION_DISCOUNT` and always seize all collateral
medium: Exploiter can force user into unhealthy condition and liquidate him
medium: SuperPoolFactory
medium: Under certain circumstances bad debt will cause first depositor to lose funds
medium: Pool::liquidate()
medium: `SuperPool` has a `togglePause` function but lacks the `whenNotPaused` modifier
medium: Liquidators won't have incentive to repay positions under some conditions
medium: `SuperPool#convertToShares` violates ERC4626
medium: User can grief `SuperPool#reallocate` for USDT because it doesn't use `forceApprove`

May '24

Sophon Farming Contracts
2,985.94 USDC • 3 total findings • Sherlock • EgisSecurity • 1st place (gold)
high: In many cases `stEth::transferFrom` will transfer 1-2 wei less, which would result in a revert in subsequent functions because of insufficient balance
high: Loss of funds when deposit flow uses `_ethTOeEth`, because deposit amount is not handled correctly
medium: SophonFarming.sol

Gamma - Locked Staking Contract
133.81 USDC • 1 total finding • Sherlock • EgisSecurity • 3rd place (bronze)
medium: Malicious actor can use block stuffing to force staker into another cycle

Apr '24

Teller Finance
3,871.54 USDC • 16 total findings • Sherlock • EgisSecurity • 1st place (gold)
high: `LenderCommitmentGroup_Smart.sol::burnSharesToWithdrawEarnings` steals previous depositors' funds
high: TellerV2.sol
high: LenderCommitmentGroup_Smart.sol#liquidateDefaultedLoanWithIncentive()
high: LenderCommitmentGroup_Smart.sol
high: LenderCommitmentGroup_Smart.sol
high: LenderCommitmentGroup_Smart.sol#getCollateralRequiredForPrincipalAmount()
high: If the `repayLoanCallback` address doesn't implement `repayLoanCallback`, try/catch won't go into the catch and will revert the tx
high: Unchecked `transferFrom` value may lead to borrower falsely repaying loan
high: `LenderCommitmentGroup::_calculateCollateralTokensAmountEq` may be manipulated
high: LenderCommitmentGroup_Smart.sol#liquidateDefaultedLoanWithIncentive()
medium: User can easily DoS `FlashRolloverLoan_G5` for USDT loans
medium: __Ownable_init is missing in LenderCommitmentGroup_Smart and TellerV2
medium: TellerV2.sol#lenderAcceptBid()
medium: `FlashRolloverLoan_G5::_acceptCommitment` with `smartCommitmentAddress` uses wrong signature
medium: LenderCommitmentGroup_Smart.sol#_generateTokenNameAndSymbol()
medium: LenderCommitmentGroup_Smart.sol#__valueOfUnderlying()

Nov '23

Wasabi-Solana
Collaborative Audit • Sherlock • EgisSecurity