Feder

Security Researcher

Mathematician | Web3 Full Stack Developer | Security Researcher

High: 13 total

Medium: 14 total

Total Earnings: $868.00

#1295 All Time

Payouts: 9x

Top 25 (regular): 2x

Top 50 (regular): 6x

Feb '25

Core Contracts

102.68 usdc • 17 total findings • CodeHawks • federodes

#137

high

Users Can Overwrite Existing Locks in veRAACToken Resulting in Permanent Loss of Funds

high

Reward manipulation vulnerability in StabilityPool

high

Ownership Parameter Mismatch in LendingPool’s Vault Withdrawal Logic

high

Treasury Balance Tracking Bypass in FeeCollector

high

Attackers can double voting power and veToken amount by locking and increasing

high

Users can lose additional collateral by depositing NFTs after grace period expiration

medium

Missing Boost Balance and other parameters Update in veRAACToken Functions. Incomplete Boost State Updates Result in Inaccurate Voting Power and Reward Distribution

medium

LendingPool deposits do not work with CurveVault due to lack of funds

medium

Liquidation Cannot Be Closed Even With Healthy Position Due To Strict Debt Check

medium

There is no logic checking for RAACNFT price staleness before minting it

medium

Concurrent Oracle Fulfillments Overwrite House IDs, which leads to Incorrect Pricing

medium

Token Accounting Mismatch Between tick() and mintRewards() in RAACMinter

medium

[L-1] Inaccurate boost calculations in `veRAACToken` due to wrong input parameter

low

Unauthorized Vote Casting Vulnerability

low

Missing Pause Functionality in veRAACToken Contract Can Be Abused When Emergency Withdrawal Mechanism Is Activated

low

Incorrect Timestamp Tracking in RAACHousePrice contract

low

Incorrect Values Returned in ReserveLibrary `withdraw` Function

Jan '25

Liquid Ron

0 USDC • 1 total finding • Code4rena • federodes

#12

medium

Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

Part 2

19.35 usdc • 1 total finding • CodeHawks • federodes

#61

medium

Fee Recipient Shares Cannot Be Decreased When Total Fee recipients’ share is at Max Limit

Nov '24

Debita Finance V3

25.53 USDC • 2 total findings • Sherlock • Feder

#41

medium

Attacker can DoS in `DebitaLendOffer-Implementation::cancelOffer` Locking Users Funds

medium

Incentive Exploit via Matching Lend and Borrow Offers

Sep '24

Liquid Staking

474.40 USDC • 2 total findings • CodeHawks • federodes

#22

high

No LSTs transfer on node operator withdrawals resulting in stuck funds and loss for node operators

low

No way to update unbonding and claim periods

Flayer

205.11 USDC • 2 total findings • Sherlock • Feder

#45

high

Failure to Delete Old Listings in `Listings::reserve` Allows Unauthorized Withdrawal of Reserved Items

high

Any user calling the `Locker::initializeCollection` function will lose both their ERC721 tokens and the ETH (WETH) they provide.

Aug '24

Phi

37.57 USDC • 4 total findings • Code4rena • federodes

#30

high

`shareBalance` bloating eventually blocks curator rewards distribution

medium

`PhiFactory:claim` Potentially Causing Loss of Funds If `mintFee` Changed Beforehand

medium

Refunds sent to incorrect addresses in certain cases

medium

Incorrect Fee Handling Prevents Protocol from Updating Fees

Winnables Raffles

3.82 USDC • 1 total finding • Sherlock • Feder

#34

high

[H-01] Incorrect Parameters in `WinnablesTicketManager::propagateRaffleWinner` Can Block Prize Claims

Jul '24

TraitForge

0 USDC • 2 total findings • Code4rena • federodes

#89

high

`mintToken()`, `mintWithBudget()`, and `forge()` in the `TraitForgeNft` Contract Will Fail Due to a Wrong Modifier Used in `EntropyGenerator.initializeAlphaIndices()`

high

Wrong minting logic based on total token count across generations