IvanFitro

Security Researcher

Sherlock Profile: https://t.co/kUHWV16bFC Audit Portfolio: https://t.co/b7wr9h1b5B Projects https://t.co/kENHrxYoRX💡

High: 9 total
Medium: 4 total
Total Earnings: $2.99K
Rank: #899 All Time
Payouts: 15x
2nd Places: 1x (silver)
Top 10: 5x (regular)
Top 25: 10x (regular)

Mar '25

PinLink: RWA-Tokenized DePIN Marketplace

70.13 USDC • Sherlock • IvanFitro

#16

Feb '25

Usual Labs

864.84 USDC • Sherlock • IvanFitro

#14

Rova

1,178.25 USDC • 1 total finding • Sherlock • IvanFitro

silver

medium

Launch.sol :: updateParticipation() uses `refundCurrencyAmount` instead of `request.tokenAmount` to update the user's position, leading to incorrect accounting.

Jan '25

Aave v3.3

45.22 USDC • Sherlock • IvanFitro

#94

Dec '24

Tally ARB Staker

30.29 USDC • Sherlock • IvanFitro

#32

Oku's New Order Types Contract Contest

0.48 OP • 2 total findings • Sherlock • IvanFitro

#60

high

AutomationMaster.sol :: generateOrderId() can produce the same orderId for different orders.

high

OracleLess.sol :: cancelOrder() users can steal funds from the contract by first canceling an order and then modifying it.

Nov '24

Nouns DAO - Auction Streams

17.87 USDC • Sherlock • IvanFitro

#52

Superfluid Locker System

121.22 USDC • 1 total finding • Sherlock • IvanFitro

#4

high

FluidLocker.sol :: _getUnlockingPercentage() always returns the same percentage, regardless of the unlockPeriod, causing users with longer unlock periods to pay the same amount of taxes as those with shorter periods.

Telcoin Update #2

5.98 USDC • Sherlock • IvanFitro

#47

Oct '24

Ethos Network Social Contracts

45.37 USDC • 1 total finding • Sherlock • IvanFitro

#6

medium

EthosAttestation.sol :: archiveAttestation()/restoreAttestation() deleted addresses from the profile can still archive and restore attestations.

Sep '24

Boost Core Incentive Protocol

32.19 USDC • 2 total findings • Sherlock • IvanFitro

#21

high

clawback() cannot be called, preventing the owner from withdrawing the funds from the contract.

medium

ManagedBudget.sol :: allocate() will always revert when using Fee-on-Transfer (FoT) tokens.

Aug '24

Winnables Raffles

31.84 USDC • 2 total findings • Sherlock • IvanFitro

#23

high

WinnablesTicketManager.sol :: withdrawETH() if a raffle is canceled and refundPlayers() is called, not all the funds from the next ticket sales can be withdrawn, resulting in some of the funds being permanently stuck in the contract.

medium

WinnablesPrizeManager.sol :: withdrawToken() if the raffle token is LINK, it can be stolen, resulting in the winner receiving nothing and the admin collecting the profits from ticket sales without any cost.

Apr '24

Teller Finance

88.45 USDC • 1 total finding • Sherlock • IvanFitro

#25

high

LenderCommitmentGroup_Smart :: burnSharesToWithdrawEarnings() If a malicious lender burns their shares sequentially in small amounts, they can extract extra rewards at the expense of other lenders.

Jan '24

Telcoin Platform Audit

371.15 USDC • 2 total findings • Sherlock • IvanFitro

#6

high

StakingRewardsManager.sol :: topUp() The tokens to fund the staking contracts are sent to incorrect contracts.

high

CouncilMember.sol :: Burning an NFT makes it impossible to mint new NFTs (DoS).

Truflation

90.28 USDC • 1 total finding • Sherlock • IvanFitro

#9

high

TrufVesting.sol :: claim() In the initialReleasePeriod an attacker can steal all the funds from the contract.