KiroBrejka

Security Researcher

X -> 0xBugSlayer Trying to make web3 a safe place

High: 16 total

Medium: 15 total

Total earnings: $3.79K

Rank: #828 all time

Payouts: 20x

3rd places: 1x (bronze)

Top 10: 3x

Top 25: 6x

Mar '25

Crestal Network

2.37 USDC • 1 total finding • Sherlock • KiroBrejka

#11

medium

User can override the `deployWorkerAddr` and not submit a deployment proof

Feb '25

Liquidity Management

13.08 usdc • 2 total findings • CodeHawks • kirobrejka

#51

low

Incorrect Token Price Validation in KeeperProxy

low

Protocol Recovery Mechanism at Risk Due to Unhandled Token Transfer Failures

Jan '25

Plaza Finance

24.16 USDC • 4 total findings • Sherlock • KiroBrejka

#61

medium

WSTETH is not supported by the protocol

medium

User can always inflate the `totalSellReserveAmount` variable to block the auction from being ended

medium

USDC blacklist may be a problem in Auction

medium

Precision loss in `Pool::getRedeemAmount` will result in users redeeming less collateral than they should

Aave v3.3

657.87 USDC • Sherlock • KiroBrejka

#35

Dec '24

Oku's New Order Types Contract Contest

4.47 OP • 2 total findings • Sherlock • KiroBrejka

#34

high

User can cancel his order and then call modify order to get even more funds

medium

User can brick the `Bracket` contract by inputting malicious `txData`

Nov '24

Debita Finance V3

1,109.47 USDC • 4 total findings • Sherlock • KiroBrejka

#8

high

NFT buyer will never receive his receipt NFT after `buyOrder::sellNFT` function

high

Nobody can buy the `TaxTokenReceipt` NFT from auction

high

`BuyOrder` is not compliant with `TaxTokenReceipt`

medium

Malicious seller of receipt token is able to control the corresponding veNFT after a sell

Telcoin Update #2

0.01 USDC • Sherlock • KiroBrejka

#57

Oct '24

Dria

0.32 USDC • 1 total finding • CodeHawks • kirobrejka

#72

high

Subtraction in `variance()` will revert due to underflow

predict.fun lending market

421.53 USDC • 1 total finding • Sherlock • KiroBrejka

#5

medium

`hashProposal` is not compliant with EIP-712

Aug '24

Rumpel Point Tokenization Protocol

0.02 USDC • Sherlock • KiroBrejka

#39

Phi

15.83 USDC • 1 total finding • Code4rena • 0xBugSlayer

#42

medium

Incorrect Fee Handling Prevents Protocol from Updating Fees

Jul '24

LoopFi

87.29 USDC • 4 total findings • Code4rena • 0xBugSlayer

#39

high

Availability of deposit invariant can be bypassed

high

AuraVault inherits AccessControl BUT does not call the _setupRole() function in its constructor to set the initial roles, this leads to a complete DOS of the important claim function rendering the contract unable to claim rewards

medium

Incorrect calculation of `newCumulativeIndex` in function `calcDecrease`

medium

`PendleLPOracle::_fetchAndValidate` uses Chainlink's deprecated `answeredInRound`

MagicSea - the native DEX on the IotaEVM

0.08 USDC • 1 total finding • Sherlock • KiroBrejka

#64

medium

Absence of deflationary rebasing tokens protection in `BaseRewarder`

Jun '24

Size

0.05 USDC • 1 total finding • Code4rena • 0xBugSlayer

#62

high

Users won't liquidate positions because the logic used to calculate the liquidator's profit is incorrect

May '24

Olas

51.57 USDC • 1 total finding • Code4rena • 0xBugSlayer

#14

medium

StakingToken.sol doesn't properly handle FOT, rebasing tokens or those with variable which will lead to accounting issues downstream.

LoopFi

386.08 USDC • 4 total findings • Code4rena • 0xBugSlayer

bronze

high

Availability of deposit invariant can be bypassed

high

AuraVault inherits AccessControl BUT does not call the _setupRole() function in its constructor to set the initial roles, this leads to a complete DOS of the important claim function rendering the contract unable to claim rewards

medium

Incorrect calculation of `newCumulativeIndex` in function `calcDecrease`

medium

`PendleLPOracle::_fetchAndValidate` uses Chainlink's deprecated `answeredInRound`

Apr '24

NOYA

0.02 USDC + NOYA stars • 1 total finding • Code4rena • 0xBugSlayer

#122

high

`executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`

Mar '24

Axis Finance

998.85 USDC • 3 total findings • Sherlock • KiroBrejka

#13

high

[M-1]

high

[H-2]

high

[H-3]

Revert Lend

17.32 USDC • 1 total finding • Code4rena • 0xBugSlayer

#67

high

Owner of a position can prevent liquidation due to the 'onERC721Received' callback

Jan '24

Decent

0.12 USDC • 1 total finding • Code4rena • 0xBugSlayer

#55

high

Anyone can update the address of the Router in the DcntEth contract to any address they would like to set.