
GimelSec

Security Researcher

blockchain security & smart contract audits contact us: info@gimelsec.com


High: 1 Solo, 36 Total
Medium: 1 Solo, 71 Total
Total Earnings: $105.80K (#85 All Time)
Payouts: 52x
1st Places (gold): 1x
2nd Places (silver): 2x
3rd Places (bronze): 4x


Nov '23

Convergence


1,888.86 USDC • 1 total finding • Sherlock • GimelSec

#7

high

`SdtStakingPositionService.processSdtRewards` could record the wrong amount of sdt reward.

Sep '23

Allo V2


769.94 USDC • 6 total findings • Sherlock • GimelSec

#6

high

`QVSimpleStrategy` never updates `allocator.voiceCredits`.

high

`recipientsCounter` should start from 1 in `DonationVotingMerkleDistributionBaseStrategy`

medium

`RFPSimpleStrategy._distribute` may fail due to wrong check of enough funds

medium

`RFPSimpleStrategy._registerRecipient` always reverts if `useRegistryAnchor` is true

medium

`QVBaseStrategy._qv_allocate` miscalculates `voiceCreditsCastToRecipient`

medium

`RFPSimpleStrategy.setMilestones` can only be called once

Jun '23

GLIF


1,199.95 USDC • Sherlock • GimelSec

#6

Findings not publicly available for private contests.

Unstoppable


4,388.20 USDC • 4 total findings • Sherlock • GimelSec

gold

high

`Vault._update_debt` doesn't accumulate any interest.

high

`reduce_margin_by_amount` in `Vault.reduce_position` is wrongly calculated

high

The reduced margin doesn't return to the trader in `Vault.reduce_position`.

medium

`Vault._amount_per_base_lp_share` should also consider bad debt when `safety_module_lp_total_amount` is not enough

May '23

Eco Protocol


571.13 USDC • 1 total finding • Sherlock • GimelSec

bronze

high

`L1ECOBridge.inflationMultiplier` may be stale.

USSD - Autonomous Secure Dollar


153.02 USDC • 6 total findings • Sherlock • GimelSec

#15

high

`StableOracleWBTC` uses the wrong Chainlink priceFeed

high

Anyone can call `USSD.mintRebalancer` and `USSD.burnRebalancer`. An attacker can use it to block others from minting tokens.

medium

`USSDRebalancer.BuyUSSDSellCollateral` should check `collateral[i].pathsell.length` in else path as well.

medium

`latestRoundData` could return stale or incorrect result

medium

`USSD.mintForToken` should have a `minAmountReceived`.

medium

`USSDRebalancer.SellUSSDBuyCollateral` should confirm that `collateral[i].pathbuy` is not empty

Footium


236.29 USDC • 2 total findings • Sherlock • GimelSec

#16

medium

Transfer in `FootiumPrizeDistributor.claimERC20Prize()` could fail and cause the loss of user’s funds

medium

The leaf value of `clubDivsMerkleTree` should not be exactly 64 bytes long prior to hashing

Mar '23

Kairos Loan


2,266.83 USDC • 2 total findings • Sherlock • GimelSec

silver

medium

`ClaimFaucet.sendInterests` could be unfair if `interests == loan.payment.minInterestsToRepay`

medium

`toPay` may drop to 0; some ERC20 tokens cannot transfer 0, resulting in failure to liquidate.

Taurus


1,294.45 USDC • 3 total findings • Sherlock • GimelSec

bronze

high

The decimals of collateral may differ from 1e18, causing the user to borrow more than the real amount that can be borrowed.

medium

`currentMinted` doesn't return to zero.

medium

`swap()` will revert if `path` has more tokens.

Feb '23

Surge


344.13 USDC • 4 total findings • Sherlock • GimelSec

#5

high

Attackers can manipulate loan token price per share to take an unfair share of future users.

high

If the decimals of collateral tokens are much higher than the decimals of loan tokens, the collateral ratio could be very low.

medium

`feeRecipient` could be address(0) when `_feeMantissa` > 0

medium

Wrong calculation of `_accruedFeeShares`

Hats


927.93 USDC • 4 total findings • Sherlock • GimelSec

#7

high

`reconcileSignerCount()` would be blocked if `validSignerCount > maxSigners`; the Safe would not be able to execute any transactions and all assets would be locked.

high

`checkAfterExecution()` will always revert; the Safe would not be able to execute any transactions and all assets would be locked.

medium

Nested linked trees could cause recursion stack overflow

medium

An inconsistency in the behaviour of `balanceOf()` and `balanceOfBatch()`.

OlympusDAO


521.34 USDC • 4 total findings • Sherlock • GimelSec

#14

high

`userRewardDebts` shouldn’t be cleared before setting `cachedUserRewards`

high

`cachedUserRewards` and `userRewardDebts` shouldn’t be divided by 1e18 in `internalRewardsForToken()` and `externalRewardsForToken()`

medium

`_accumulateInternalRewards()` could revert if `block.timestamp > rewardToken.lastRewardTime`

medium

Faulty math in `internalRewardsForToken()` leads to Denial of Service

Blueberry


83.05 USDC • 1 total finding • Sherlock • GimelSec

#33

high

Lenders didn't receive their interest.

OpenQ


1,182.19 USDC • 6 total findings • Sherlock • GimelSec

#14

high

`BountyCore.receiveFunds` only checks `_volume != 0` when `_tokenAddress == address(0)`. Malicious users can create many deposits without depositing any funds.

high

A refunded NFT could block `ClaimManagerV1.claimBounty`

high

A malicious user can deposit a malicious ERC20 token to DoS the bounty

high

A malicious user can block other users from calling `refundDeposit()`

medium

Refunding NFT doesn't decrease the length of nftDeposits. A malicious user can block other users from depositing any NFT.

medium

`setPayoutScheduleFixed` and `setPayoutSchedule` are unable to resize to fewer tiers

Jan '23

UXD Protocol


555.97 USDC • 5 total findings • Sherlock • GimelSec

#14

high

Anyone can call `rebalance()` to get excess tokens when `shortFall < 0`; these excess tokens are not used in `rebalance()`

high

User/Gov's quoteToken allowance which is approved for `depositInsurance()` will be maliciously used on `rebalance()`

medium

`rebalance()` will always revert because `_rebalanceNegativePnlWithSwap()` doesn't approve assetToken for spotSwapper

medium

`rebalance()` will always revert because it doesn't approve quoteToken for vault

medium

The calculation of `feeAmount` is incorrect in `Perp._placePerpOrder`

Dec '22

Rain


90.80 USDC • Sherlock • GimelSec

#10

Findings not publicly available for private contests.

Nov '22

Isomorph


158.78 USDC • 2 total findings • Sherlock • GimelSec

#19

medium

Wrong `CHANGE_COLLATERAL_DELAY` in CollateralBook

medium

Misconfiguration in RoleControl constructor of isoUSDToken

Bull v Bear


472.32 USDC • 4 total findings • Sherlock • GimelSec

#7

high

Malicious Bulls can use `transferPosition()` to bypass `checkIsValidOrder()`.

high

Attackers can use `reclaimContract()` to transfer assets in protocol to address(0)

medium

It should store contractId instead of recipient in `withdrawableCollectionTokenId`

medium

It doesn't handle fee-on-transfer/deflationary tokens

Oct '22

Rage Trade


2,679.08 USDC • 2 total findings • Sherlock • GimelSec

bronze

high

If a user approves junior vault tokens to WithdrawPeriphery, anyone can withdraw/redeem his/her token

medium

Attackers can manipulate ERC4626 price per share to take an unfair share of future users.

NFTPort


12,726.50 USDC • 3 total findings • Sherlock • GimelSec

#5

medium

Template implementations don't validate configurations properly

medium

Attackers can bypass `tokensPerMint` and mint lots of tokens in a transaction

medium

`ERC1155NFTProduct` does not support full functionality of `ERC1155`

Union Finance


154.42 USDC • 1 total finding • Sherlock • GimelSec

#18

medium

`removeAdapter()` doesn't pop the market index in `withdrawSeq`, leading to users not being able to call withdraw

Sep '22

VTVL contest


0.74 USDC • 1 total finding • Code4rena • GimelSec

#81

medium

Supply cap of VariableSupplyERC20Token is not properly enforced

Notional


40,167.14 USDC • 1 total finding • Sherlock • GimelSec

#12

medium

Price oracle could get a stale price

Nouns Builder contest


165.49 USDC • 1 total finding • Code4rena • GimelSec

#62

medium

A proposal can be cancelled by anyone if the proposal has exactly proposalThreshold votes

Aug '22

Sentiment


670.34 USDC • 2 total findings • Sherlock • GimelSec

#14

high

`LEther.sol` doesn't properly call `updateState()` upon receiving ether

medium

Price oracle could get a stale price

Nouns DAO contest


52.11 USDC • Code4rena • GimelSec

#37

Jul '22

Golom contest


2,198.77 USDC • Code4rena • GimelSec

#9

Swivel v3 contest


3,285.36 USDC • 2 total findings • Code4rena • GimelSec

bronze

medium

VaultTracker miscalculates compounding interest

medium

VaultTracker has the wrong admin

ENS contest


4,497.99 USDC • 5 total findings • Code4rena • GimelSec

#4

medium

transfer() depends on gas consts

medium

`DNSSECImpl.verifySignature` compares strings incorrectly, allowing malicious zones to forge DNSSEC trust chain

medium

Incorrect implementation of `RRUtils.serialNumberGte`

medium

Renewal of 2nd level domain is not done properly

medium

BytesUtil.compare returns wrong result on some strings longer than 32 characters

Juicebox V2 contest


145.09 USDC • Code4rena • GimelSec

#36

Jun '22

Putty contest


47.15 USDC • Code4rena • GimelSec

#75

Yieldy contest


81.19 USDC • Code4rena • GimelSec

#50

Illuminate contest


240.35 USDC • 2 total findings • Code4rena • GimelSec

#34

high

ERC5095 redeem/withdraw does not update allowances

high

Able to mint any amount of PT

Badger-Vested-Aura contest


3,884.05 USDC • 3 total findings • Code4rena • GimelSec

silver

high

An attacker can call `sweepRewardToken()` when `bribesProcessor == 0`, and reward funds will be lost because there is no check in `sweepRewardToken()`, `_handleRewardTransfer()` and `_sendTokenToBribesProcessor()`

medium

`_harvest` has no slippage protection when swapping `auraBAL` for `AURA`

medium

Badger rewards from Hidden Hand can permanently prevent Strategy from receiving bribes

Infinity NFT Marketplace contest


1,084.14 USDC • 3 total findings • Code4rena • GimelSec

#11

high

Sellers may lose NFTs when orders are matched with `matchOrders()`

high

Overpayment of native ETH is not refunded to buyer

high

Calling `unstake()` can cause locked funds

Connext Amarok contest


255.69 USDC • 1 total finding • Code4rena • GimelSec

#31

medium

`LibDiamond.diamondCut()` should check `diamondStorage().acceptanceTimes[keccak256(abi.encode(_diamondCut))] != 0`

Notional x Index Coop


352.01 USDC • Code4rena • GimelSec

#14

May '22

veToken Finance contest


99.92 USDT • Code4rena • GimelSec

#53

Velodrome Finance contest


157.93 USDC • Code4rena • GimelSec

#33

Rubicon contest


1,207.28 USDC • 7 total findings • Code4rena • GimelSec

#14

medium

Inconsistent Order Book Accounting When Working With Transfer-On-Fee or Deflationary Tokens

medium

Cannot deposit to BathToken if token is Deflationary Token (BathHouse.sol)

medium

RubiconRouter: Excess ether is not returned to the user

medium

No cap on fees can result in a DOS in BathToken.withdraw()

medium

Deprecated variables may cause DoS

medium

Use `safeTransfer()`/`safeTransferFrom()` instead of `transfer()`/`transferFrom()`

medium

Use `call()` instead of `transfer()` when transferring ETH in RubiconRouter

Sturdy contest


83.1 USDC • 1 total finding • Code4rena • GimelSec

#31

high

The check for value transfer success is made after the return statement in _withdrawFromYieldPool of LidoVault

Aura Finance contest


233.12 USDC • Code4rena • GimelSec

#42

Cally contest


2,689.77 USDC • 8 total findings • Code4rena • GimelSec

#9

medium

Expiration calculation overflows if call option duration ≥ 195 days

medium

It shouldn’t be possible to create a vault with Cally’s own token

medium

`createVault()` does not confirm whether `tokenType` and `token`’s type are the same

medium

Use safeTransferFrom instead of transferFrom for ERC721 transfers

medium

Owner can modify the feeRate on existing vaults and steal the strike value on exercise

medium

Owner can set the feeRate to be greater than 100% and cause all future calls to `exercise` to revert

medium

Vault is Not Compatible with Fee Tokens and Vaults with Such Tokens Could Be Exploited

medium

Users may accidentally overpay in `buyOption()` and the excess will be paid to the vault creator

Enso Finance contest


4,688.85 USDT • Code4rena • GimelSec

#8

Alchemix contest


1,139.27 DAI • Code4rena • GimelSec

#11

FactoryDAO contest


502.05 DAI • 3 total findings • Code4rena • GimelSec

#16

high

SpeedBumpPriceGate: Excess ether is not returned to the user

medium

MerkleResistor: zero coinsPerSecond will brick tranche initialization and withdrawals

medium

amount needs to be updated to the contract balance increase (1)

Cudos contest


871.71 USDC • 1 total finding • Code4rena • GimelSec

#15

medium

Protocol doesn't handle fee on transfer tokens

Forgotten Runes Warrior Guild contest


588.54 USDC • 1 total finding • Code4rena • GimelSec

#19

medium

Critical variables shouldn't be changed after they are set

bunker.finance contest


507.3 USDC • 1 total finding • Code4rena • GimelSec

#6

medium

Chainlink pricer is using a deprecated API

Apr '22

PoolTogether Aave v3 contest


1,778.23 USDC • 1 total finding • Code4rena • GimelSec

#4

medium

Owner or Managers can rug Aave rewards

Mimo DeFi contest


140.08 USDC • Code4rena • GimelSec

#22

AbraNFT contest


1,317.69 MIM • 2 total findings • Code4rena • GimelSec

#9

high

Critical Oracle Manipulation Risk by Lender

medium

Reentrancy at _requestLoan allows requesting a loan without supplying collateral