Security Researcher
blockchain security & smart contract audits contact us: info@gimelsec.com
High
Solo
Total
Medium
Solo
Total
Total Earnings
#79 All Time
Payouts
1st Places
2nd Places
3rd Places
All
Sherlock
Code4rena
Nov '23
Sep '23
high
`QVSimpleStrategy` never updates `allocator.voiceCredits`.
high
`recipientsCounter` should start from 1 in `DonationVotingMerkleDistributionBaseStrategy`
medium
`RFPSimpleStrategy._distribute` may fail due to wrong check of enough funds
medium
`RFPSimpleStrategy._registerRecipient` always reverts if `useRegistryAnchor` is true
medium
`QVBaseStrategy._qv_allocate` miscalculate `voiceCreditsCastToRecipient`
medium
`RFPSimpleStrategy.setMilestones` can only be called once
Jun '23
Findings not publicly available for private contests.
high
`Vault._update_debt` doesn't accumulate any interest.
high
`reduce_margin_by_amount` in `Vault.reduce_position` is wrongly calculated
high
The reduced margin doesn't return to the trader in `Vault.reduce_position`.
medium
`Vault._amount_per_base_lp_share` should also consider bad debt when `safety_module_lp_total_amount` is not enough
May '23
high
`StableOracleWBTC` uses the wrong Chainlink priceFeed
high
Anyone can call `USSD.mintRebalancer` and `USSD.burnRebalancer`. An attacker can use it to block others from minting tokens.
medium
`USSDRebalancer.BuyUSSDSellCollateral` should check `collateral[i].pathsell.length` in else path as well.
medium
`latestRoundData` could return stale or incorrect result
medium
`USSD.mintForToken` should have a `minAmountReceived`.
medium
`USSDRebalancer.SellUSSDBuyCollateral` should confirm that `collateral[i].pathbuy` is not empty
Mar '23
Feb '23
high
Attackers can manipulate loan token price per share to take an unfair share of future users.
high
If the decimals of collateral tokens is much higher than the decimals of loan tokens, the collateral ratio could be very low.
medium
`feeRecipient` could be address(0) when `_feeMantissa` > 0
medium
Wrong calculation of `_accruedFeeShares`
high
`reconcileSignerCount()` would be blocked if `validSignerCount > maxSigners`, Safe would not be able to execute any transactions, all assets would be locked.
high
`checkAfterExecution()` will always be reverted, Safe would not be able to execute any transactions, all assets would be locked.
medium
Nested linked trees could cause recursion stack overflow
medium
An inconsistency in the behaviour of `balanceOf()` and `balanceOfBatch()`.
high
`userRewardDebts` shouldn’t be cleared before setting `cachedUserRewards`
high
`cachedUserRewards` and `userRewardDebts` shouldn’t be divided by 1e18 in `internalRewardsForToken()` and `externalRewardsForToken()
medium
`_accumulateInternalRewards()` could revert if `block.timestamp > rewardToken.lastRewardTime`
medium
Faulty math in `internalRewardsForToken()` leads to Denial of Service
high
`BountyCore.receiveFunds` only checks `_volume != 0` when `_tokenAddress == address(0)`. Malicious users can create many deposits without depositing any funds.
high
A refunded NFT could block `ClaimManagerV1.claimBounty`
high
A malicious User can deposit a malicious erc20 token to DOS the bounty
high
A malicious user can block other users from calling `refundDeposit()`
medium
Refunding NFT doesn't decrease the length of nftDeposits. A malicious user can block other users from depositing any NFT.
medium
`setPayoutScheduleFixed`, `setPayoutSchedule` Unable to resize to fewer tiers
Jan '23
high
Anyone can call `rebalance()` to get excess tokens when `shortFall < 0`, these excess tokens are not used in `rebalance()`
high
User/Gov's quoteToken allowance which is approved for `depositInsurance()` will be maliciously used on `rebalance()`
medium
`rebalance()` will always be reverted because `_rebalanceNegativePnlWithSwap()` doesn't approve assetToken for spotSwapper
medium
`rebalance()` will always be reverted because it doesn't approve quoteToken for vault
medium
The calculation of `feeAmount ` is incorrect in `Perp._placePerpOrder`
Dec '22
Findings not publicly available for private contests.
Nov '22
high
Malicious Bulls can use `transferPosition()` to bypass `checkIsValidOrder()`.
high
Attackers can use `reclaimContract()` to transfer assets in protocol to address(0)
medium
It should store contractId instead of recipient in `withdrawableCollectionTokenId`
medium
It doesn't handle fee-on-transfer/deflationary tokens
Oct '22
Sep '22
Aug '22
Jul '22
medium
transfer() depends on gas consts
medium
`DNSSECImpl.verifySignature` compares strings incorrectly, allowing malicious zones to forge DNSSEC trust chain
medium
Incorrect implementation of `RRUtils.serialNumberGte`
medium
Renew of 2nd level domain is not done properly
medium
BytesUtil.compare returns wrong result on some strings longer than 32 characters
Jun '22
high
attacker can call sweepRewardToken() when `bribesProcessor==0` and reward funds will be lost because there is no check in sweepRewardToken() and _handleRewardTransfer() and _sendTokenToBribesProcessor()
medium
`_harvest` has no slippage protection when swapping `auraBAL` for `AURA`
medium
Badger rewards from Hidden Hand can permanently prevent Strategy from receiving bribes
May '22
medium
Inconsistent Order Book Accounting When Working With Transfer-On-Fee or Deflationary Tokens
medium
Cannot deposit to BathToken if token is Deflationary Token (BathHouse.sol)
medium
RubiconRouter: Excess ether did not return to the user
medium
No cap on fees can result in a DOS in BathToken.withdraw()
medium
Deprecated variables may cause DoS
medium
Use `safeTransfer()`/`safeTransferFrom()` instead of `transfer()`/`transferFrom()`
medium
Use `call()` instead of `transfer()` when transferring ETH in RubiconRouter
medium
Expiration calculation overflows if call option duration ≥ 195 days
medium
It shouldn’t be possible to create a vault with Cally’ own token
medium
`createVault()` does not confirm whether `tokenType` and `token`’s type are the same
medium
Use safeTransferFrom instead of transferFrom for ERC721 transfers
medium
Owner can modify the feeRate on existing vaults and steal the strike value on exercise
medium
Owner can set the feeRate to be greater than 100% and cause all future calls to `exercise` to revert
medium
Vault is Not Compatible with Fee Tokens and Vaults with Such Tokens Could Be Exploited
medium
User's may accidentally overpay in `buyOption()` and the excess will be paid to the vault creator
Apr '22