Hacek00

Security Researcher

Contact Me

High

Total

Medium

Solo

Total

$978.00

Total Earnings

#1238 All Time

12x

Payouts

1x

3rd Places

2x

Top 10

6x

Top 25

All

Sherlock

Code4rena

CodeHawks

Hats Finance

Jan '25

Liquid Ron

0 USDC • 1 total finding • Code4rena • itsabinashb

#12

medium

Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

Dec '24

SecondSwap

4.02 USDC • 4 total findings • Code4rena • itsabinashb

#57

high

Users can claim more that their actual allotment

medium

Listing potential can not be purchased with discounted price

medium

maxSellPercent can be buypassed by selling previously bought vestings at a later time

medium

Incorrect listing type validation bypasses enforcement of minimum purchase amount

Nov '24

Nouns DAO - Auction Streams

7.27 USDC • Sherlock • Hacek00

#57

Telcoin Update #2

9.08 USDC • Sherlock • Hacek00

#45

Euro Dollar

299.9 USDC • 1 total finding • Hats • 0xAbinash

medium

Malicious BLACKLISTER_ROLE can temporarily block burning mechanism blacklisting address(0)

Sep '24

Boost Core Incentive Protocol

23.07 USDC • 1 total finding • Sherlock • Hacek00

#22

high

There is no logic to call clawBack() in few base incentive contracts

Aug '24

Tadle

74.03 USDC • 9 total findings • CodeHawks • itsabinashb

#58

high

TokenManager - Unlimited withdraw

high

Taker of bid offer will loss assets without any benefit if he calls the DeliveryPlace::settleAskMaker() for partial settlement.

high

Native token withdrawal fails until manually approved

high

`DeliveryPlace::settleAskTaker` Has Incorrect Access Control

high

Formulaic Error Rounds Down Causing Total Loss Of Funds For Bid Takers During Abort

high

Malicious user can drain protocol by bypassing `ASK` offer abortion validation in `Turbo` mode

high

The `DeliveryPlace::settleAskTaker()` function mistakenly uses `makerInfo.tokenAddress` to update the `TokenBalanceType.PointToken` in the `userTokenBalanceMap` mapping, leading to a critical error.

high

Token withdrawal fails until someone manually approves spending

low

The referral bonus can't be split correctly between the referrer and the authority referral

Jul '24

CCIP v1.5

341.63 USDC • CodeHawks • itsabinashb

#12

Jun '24

Intuition

200 USDC • 1 total finding • Hats • 0xAbinash

medium

`_createTriple()` logic do not follow the intended design mentioned in documentation

May '24

Munchables

0.01 USDC • 1 total finding • Code4rena • itsabinashb

#16

high

Invalid validation allows users to unlock early

Apr '24

NOYA

3.36 USDC + NOYA stars • 2 total findings • Code4rena • itsabinashb

#107

high

`executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`

medium

Withdrawals in AccountManager are prone to DOS attacks.

DYAD

16.53 USDC • 6 total findings • Code4rena • itsabinashb

#85

high

Attacker can make 0 value deposit() calls to deny user from redeeming or withdrawing collateral

high

Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine

high

Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply

high

Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults

medium

Value of kerosene can be manipulated to force liquidate users

medium

Incorrect deployment / missing contract will break functionality