Jan '25
high
high
high
high
high
Incorrect Credit Capacity Validation in `VaultRouterBranch.redeem` Enables Locked Collateral Drainage
high
Underflow when updating credit delegation will result in protocol DoS
high
Vaults weth reward is not distributed correctly
high
Incorrect Debt Check in `CreditDelegationBranch::settleVaultsDebt` Function
high
Total market debt > 0 when credit deposits > netusdissuance which breaks key protocol logic
high
Incorrect calculation in CreditDelegationBranch::withdrawUsdTokenFromMarket allows an attacker to mint any amount of usdz
high
Incorrect vault debt validation logic in rebalanceVaultsAssets causes reverts
high
UsdTokenSwapConfig::Data::usdcAvailableForEngine Increases but Never Used, Locking USDC Forever
medium
No way to set UsdTokenSwapConfig pd curve parameters
medium
`Market::configureConnectedVaults` Will Always Fail with Array Out of Bounds Error
medium
Incorrect weight assignment in Vault::updateVaultAndCreditDelegationWeight leads to overleveraging vault positions and insolvency
medium
Attacker can manipulate the amount of output tokens of users in ZlpVault
medium
CreditDelegationBranch::depositCreditForMarket cannot update market realized debt properly
medium
FeeConversionKeeper::performUpkeep May Exceed Gas Limit Due to Vault Updates
low
BaseAdapter::__BaseAdapter_init Should Use onlyInitializing, Not initializer
low
ZlpVault Does Not Fully Implement ERC-4626
low
VaultRouterBranch::getVaultCreditCapacity does not take zero return into account
low
Chainlink Keeper Cannot Process All Swap Logs in a Block
Dec '24
high
Critical: Malicious user can delete all Users' Deposited Liquidity.
high
Slight miscalculation in maxAmountsIn for Admin Fee Logic in UpliftOnlyExample::onAfterRemoveLiquidity Causes Lock of All Funds
high
Owner fee will be locked in `UpliftOnlyExample` contract due to incorrect recipient address in `UpliftOnlyExample::onAfterSwap`
medium
Missing initialize Function in UpliftOnlyExample Hook/Router
low
Inconsistent timestamp storage when the LPNFT is transferred.
high
Possible hash collision when creating order
high
A malicious user can steal all funds from `Bracket`, `StopLimit` and `OracleLess` contracts
medium
Possible DoS in `AutomationMaster::getExchangeRate`
medium
`SafeERC20.safeApprove` reverts for changing existing approvals
medium
`PythOracle::currentValue` does not work as expected
Nov '24