
Franfran

Security Researcher

https://t.co/5mGQCkU6OT


High: 14 total
Medium: 22 total
Total Earnings: $42.24K (#213 All Time)

Payouts: 28x
2nd Places: 1x (silver)
Top 10: 8x
Top 25: 15x


Mar '25

Forte: Float128 Solidity Library
506.6 USDC • 3 total findings • Code4rena • Franfran • #11

high: Sqrt function silently reverts the entire control flow when a packed float of 0 value is passed
high: Natural Logarithm Function Silently Accepts Invalid Non-Positive Inputs
high: Early 72-digit adjustment in sqrt will lead to incorrect result exponent calculation

Feb '25

Initia Cosmos
1,652.81 USDC • 1 total finding • Code4rena • Franfran • #4

medium: Amino legacy signing method broken because of name mismatch

Feb '24

HydraDX
293.95 USDC • 1 total finding • Code4rena • Franfran • #13

medium: [M09] No slippage check in `remove_liquidity` function in omnipool can lead to slippage losses during liquidity withdrawal.

Aug '23

veRWA
2,133.21 USDC • 1 total finding • Code4rena • Franfran • #5

medium: Replace old_sum_bias by old_bias

Jul '23

Chainlink Cross-Chain Contract Administration: Multi-signature Contract, Timelock and Call Proxies
677.54 USDC • Code4rena • Franfran • #5

Jun '23

Canto
3,388.28 USDC • 1 total finding • Code4rena • Franfran • #4

high: Pre-defined limit is different from the spec.

May '23

Chainlink Cross-Chain Services: CCIP and ARM Network
929.19 USDC • Code4rena • Franfran • #25

Venus Protocol Isolated Pools
123.22 USDC • 1 total finding • Code4rena • Franfran • #37

high: Incorrect `blocksPerYear` constant in `WhitepaperInterestRateModel`

Mar '23

Asymmetry contest
166.09 USDC • 4 total findings • Code4rena • Franfran • #38

high: A temporary issue shows in the staking functionality which leads to the users receiving less minted tokens.
high: `WstEth` derivative assumes a ~1=1 peg of stETH to ETH
medium: No slippage protection on `stake()` in SafEth.sol
medium: Missing derivative limit and deposit availability checks will revert the whole `stake()` function

zkSync Era System Contracts contest
1,968.25 USDC • 1 total finding • Code4rena • Franfran • #9

medium: Deploying contracts with forceDeployOnAddress will break contracts when callConstructor is false

Feb '23

Ethos Reserve contest
61.26 USDC • Code4rena • Franfran • #33

Jan '23

Reserve contest
4,418.17 USDC • 1 total finding • Code4rena • Franfran • #10

medium: [Medium - 1] Too few rewards paid over periods in Furnace and StRSR

Biconomy - Smart Contract Wallet contest
315.87 USDC • 1 total finding • Code4rena • Franfran • #32

medium: [Medium-3] Non-compliance with EIP-4337

Dec '22

Papr contest
387.25 USDC • 1 total finding • Code4rena • Franfran • #20

medium: `PaprController` pays swap fee in `buyAndReduceDebt`, not user

GoGoPool contest
1,375.59 USDC • 6 total findings • Code4rena • Franfran • #22

high: Hijacking of node operators minipool causes loss of staked funds
high: Node operator is getting slashed for full duration even though rewards are distributed based on a 14 day cycle
medium: Users may not be able to redeem their shares due to underflow
medium: Cancellation of minipool may skip MinipoolCancelMoratoriumSeconds checking if it was cancelled before
medium: State Transition: Minipools can be created using other operator's AVAX deposit via recreateMinipool
medium: Recreated pools receive a wrong AVAX amount due to miscalculated compounded liquid staker amount

Caviar contest
52.93 USDC • 2 total findings • Code4rena • Franfran • #40

high: First depositor can break minting of shares
medium: Rounding error in buyQuote might result in free tokens

Escher contest
0.84 USDC • 1 total finding • Code4rena • Franfran • #70

high: `LPDA` price can underflow the price due to bad settings and potentially brick the contract

Nov '22

ParaSpace contest
3,189.43 USDC • 2 total findings • Code4rena • Franfran • #11

high: Discrepancy in the Uniswap V3 position price calculation because of decimals
medium: During oracle outages or feeder outages/disagreement, the `ParaSpaceFallbackOracle` is not used

LSD Network - Stakehouse contest
935.9 USDC • 2 total findings • Code4rena • Franfran • #20

medium: Calling `updateNodeRunnerWhitelistStatus` function always reverts
medium: rotateNodeRunnerOfSmartWallet is vulnerable to a frontrun attack

Oct '22

Inverse Finance contest
24.6 USDC • 2 total findings • Code4rena • Franfran • #46

medium: Oracle assumes token and feed decimals will be limited to 18 decimals
medium: Chainlink oracle data feed is not sufficiently validated and can return stale `price`

Holograph contest
0 USDC • Code4rena • Franfran • #44

Sep '22

VTVL contest
0.74 USDC • 1 total finding • Code4rena • Franfran • #81

medium: Supply cap of VariableSupplyERC20Token is not properly enforced

Nouns Builder contest
106.18 USDC • Code4rena • Franfran • #87

Jul '22

Golom contest
35.17 USDC • Code4rena • Franfran • #86

Swivel v3 contest
3,352.01 USDC • 1 total finding • Code4rena • Franfran • silver (2nd place)

high: Mismatch in `withdraw()` between Yearn and other protocols can prevent Users from redeeming zcTokens and permanently lock funds

Fractional v2 contest
132.2 USDC • 1 total finding • Code4rena • Franfran • #57

medium: A vault owner can also be the controller and arbitrarily set the secondary market royalties

Juicebox V2 contest
18.28 USDC • 2 total findings • Code4rena • Franfran • #63

high: Oracle data feed can be outdated yet used anyway, which will impact payment logic
medium: Use a safe transfer helper library for ERC20 transfers