Kodyvim

Security Researcher

Information Security Engineer, Bug Hunter @ #Hackerone | whitehat @Immunefi | CTF player | currently into web3 security.

High: 30 total
Medium: 29 total
Total earnings: $15.57K
All-time rank: #412
44x Payouts (regular)
4x Top 10 (regular)
18x Top 25 (regular)
28x Top 50

Mar '25

Crestal Network
0.01 USDC • 1 total finding • Sherlock • Kodyvim • #12
high: payWithERC20 could be used to drain contracts' token approvals

Feb '25

SEDA Protocol
36.49 USDC • 2 total findings • Sherlock • Kodyvim • #21
high: A single validator can reach consensus on `postBatch` by duplicating votes
medium: `feeTransfer` failing for any receiver would DoS `postResult`, allowing the `requestor` to reclaim all fees through a refund for a request that has already been served

defi-app-contracts
85.37 USDC • 1 total finding • Cantina • kodyvim • #24
medium: Finding not yet public.

Jan '25

daao-contracts
61.32 USDC • 3 total findings • Cantina • kodyvim • #55
high: Finding not yet public.
high: Finding not yet public.
high: Finding not yet public.

inclusive-monorepo
66.79 USDC • 2 total findings • Cantina • kodyvim • #12
high: Finding not yet public.
medium: Finding not yet public.

silo-contracts-v2
189.77 USDC • 1 total finding • Cantina • kodyvim • #18
high: Finding not yet public.

Dec '24

Flex Perpetuals
62.48 USDC • 1 total finding • Code4rena • kodyvim • #4
medium: Missing slippage protection in `AerodromeDexter.sol` `swapExactTokensForTokens()`

Lambo.win
0.3 USDC • 1 total finding • Code4rena • kodyvim • #35
medium: Since the cost of launching a new pool is minimal, an attacker can maliciously consume VirtualTokens.

Oct '24

Dria
0.87 USDC • 1 total finding • CodeHawks • kodyvim • #70
medium: Users can list assets with a price < 1 ERC20 (ETH, WETH), leading to a potential DoS vulnerability.

Aug '24

Tadle
0.00 USDC • 1 total finding • CodeHawks • kodyvim • #177
high: TokenManager: unlimited withdraw

Jul '24

TraitForge
0 USDC • 1 total finding • Code4rena • kodyvim • #89
medium: Pause and unpause functions are inaccessible

Zaros Part 1
17.17 USDC • 1 total finding • CodeHawks • kodyvim • #80
medium: Insufficient checks to confirm the correct status of the sequencerUptimeFeed

May '24

Predy
55.26 USDC • 2 total findings • Code4rena • kodyvim • #25
medium: Incorrect price for negative ticks due to lack of rounding down
medium: Liquidity manipulation is possible when trading

Mar '24

Revert Lend
737.08 USDC • 1 total finding • Code4rena • kodyvim • #18
high: `_getReferencePoolPriceX96()` will show an incorrect price for negative tick deltas in the current implementation because it doesn't round up for them
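The Predy and Revert Lend tick findings above are the same arithmetic slip: a negative Uniswap v3 `tickCumulative` delta is divided by the window length and Solidity's `/` truncates toward zero, so a mean of -1.5 becomes -1 instead of -2 and the derived sqrt price is one tick too high. The following is an added example, not code from either project, showing the truncating computation beside the floored one that Uniswap's own `OracleLibrary.consult` performs (decrement when the delta is negative and not an exact multiple of the window). The names `TwapTick`, `meanTickTruncating`, `meanTickFloored` and `TwapTickExample`, and the sample observation, are mine.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example (not Predy's or Revert Lend's code): deriving a time-weighted
/// average tick from the delta of two Uniswap v3 `tickCumulative` observations.
library TwapTick {
    /// Buggy variant: plain division. Correct for non-negative deltas, but a
    /// negative delta that is not an exact multiple of `secondsAgo` is rounded
    /// toward zero (i.e. upward), which overstates the price.
    function meanTickTruncating(int56 tickCumulativeDelta, uint32 secondsAgo)
        internal
        pure
        returns (int24)
    {
        return int24(tickCumulativeDelta / int56(uint56(secondsAgo)));
    }

    /// Hardened variant: always round toward negative infinity, matching
    /// Uniswap's OracleLibrary.consult.
    function meanTickFloored(int56 tickCumulativeDelta, uint32 secondsAgo)
        internal
        pure
        returns (int24 tick)
    {
        int56 window = int56(uint56(secondsAgo));
        tick = int24(tickCumulativeDelta / window);
        // Solidity's % keeps the sign of the dividend, so a non-zero remainder on a
        // negative delta means truncation rounded up; step down one tick.
        if (tickCumulativeDelta < 0 && tickCumulativeDelta % window != 0) {
            tick--;
        }
    }
}

contract TwapTickExample {
    /// Constructed observation (assumption, not real pool data): the cumulative
    /// tick fell by 3 over a 2-second window, so the true mean is -1.5.
    /// Truncation reports -1; flooring reports -2, which is what the pool's
    /// TWAP math expects. Returns (truncated, floored) = (-1, -2).
    function example() external pure returns (int24 truncated, int24 floored) {
        truncated = TwapTick.meanTickTruncating(-3, 2);
        floored = TwapTick.meanTickFloored(-3, 2);
    }
}
```

The one-tick difference matters because each tick is a 1 bp price step and the result is usually fed into `TickMath.getSqrtRatioAtTick`, so the truncated version systematically overvalues positions whenever the TWAP tick is negative.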

Feb '24

curvance
838.12 USDC • 1 total finding • Cantina • kodyvim • #33
medium: Finding not yet public.

arcadexyz/arcade-protocol
7,439.92 USDC • 1 total finding • Cantina • kodyvim • #4
medium: Finding not yet public.

opal-contracts
66.52 USDC • 1 total finding • Cantina • kodyvim • #32
high: Finding not yet public.

Jan '24

MorpheusAI
2.82 USDC • 1 total finding • CodeHawks • kodyvim • #27
low: Any user can mint any amount of WStETH in WStETHMock.sol and StETHMock.sol

Decent
0.09 USDC • 1 total finding • Code4rena • kodyvim • #56
high: Anyone can update the address of the Router in the DcntEth contract to any address they would like to set.

Opus
1,143.11 USDC • Code4rena • kodyvim • #11

Curves
1.11 USDC • 3 total findings • Code4rena • kodyvim • #128
high: Unauthorized access to the setCurves function
medium: `Curves::_buyCurvesToken()`: excess ETH received is not refunded to the user
medium: If a user sets their curve token symbol as the default one plus the next token counter instance, it renders the whole default naming functionality obsolete

SYMM IO
0.00 USDC • Sherlock • Kodyvim • #42

Dec '23

The Standard
161.24 USDC • 2 total findings • CodeHawks • kodyvim • #16
medium: Missing deadline check allows pending transactions to be maliciously executed
medium: No incentive to liquidate small positions could result in the protocol going underwater
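The Flex Perpetuals entry above (`swapExactTokensForTokens()` called without slippage protection) and The Standard's missing deadline check are the two halves of one swap-hardening pattern, and the same class shows up again as "Lack of slippage protection" in the USSD entry further down. The following is an added example, not code from any of those projects: it assumes a Uniswap V2-style router signature (Aerodrome's route-based signature differs, but the guard is identical) and a standard ERC-20 that returns a bool. `SwapGuard`, `swapUnprotected`, `swapProtected` and `minOutFor` are names I chose for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

/// Uniswap V2-style router signature (assumption for the example).
interface IRouter {
    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        address to,
        uint256 deadline
    ) external returns (uint256[] memory amounts);
}

/// Added example: the unguarded swap beside the guarded one.
contract SwapGuard {
    uint256 private constant BPS = 10_000;
    IRouter public immutable router;

    constructor(IRouter _router) {
        router = _router;
    }

    /// Weak: amountOutMin = 0 lets a sandwicher take almost the entire output, and
    /// deadline = block.timestamp is satisfied whenever the transaction is mined,
    /// so a transaction left pending in the mempool executes later at whatever
    /// price then prevails.
    function swapUnprotected(address[] calldata path, uint256 amountIn) external {
        _pull(path[0], amountIn);
        router.swapExactTokensForTokens(amountIn, 0, path, msg.sender, block.timestamp);
    }

    /// Hardened: the caller supplies the minimum acceptable output (computed
    /// off-chain from a quote, see minOutFor) and an absolute deadline. Both are
    /// checked here, the router enforces them again, and the realised output is
    /// re-checked so a router that ignores amountOutMin cannot slip through.
    function swapProtected(
        address[] calldata path,
        uint256 amountIn,
        uint256 minOut,
        uint256 deadline
    ) external returns (uint256 received) {
        require(minOut > 0, "swap: minOut must be set");
        require(deadline >= block.timestamp, "swap: deadline passed");
        _pull(path[0], amountIn);
        uint256[] memory amounts =
            router.swapExactTokensForTokens(amountIn, minOut, path, msg.sender, deadline);
        received = amounts[amounts.length - 1];
        require(received >= minOut, "swap: insufficient output");
    }

    /// Helper for the caller: minimum output for a quoted amount and a tolerance
    /// in basis points, e.g. minOutFor(1_000e6, 50) == 995e6 (0.5% slippage).
    function minOutFor(uint256 quotedOut, uint256 toleranceBps) public pure returns (uint256) {
        require(toleranceBps < BPS, "swap: tolerance too large");
        return (quotedOut * (BPS - toleranceBps)) / BPS;
    }

    function _pull(address token, uint256 amount) internal {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "swap: transferFrom failed");
        require(IERC20(token).approve(address(router), amount), "swap: approve failed");
    }
}
```

The deadline must be an absolute timestamp chosen when the transaction is built; passing `block.timestamp` from inside the contract is the common anti-pattern because it is evaluated at execution time and therefore never expires.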

Footium Update
0.14 USDC • Sherlock • Kodyvim • #41

Oct '23

The Wildcat Protocol
19.85 USDC • 3 total findings • Code4rena • kodyvim • #57
high: Lenders can escape the blacklisting of their accounts because they can move their MarketTokens to different accounts and gain the WithdrawOnly role on any account they want
high: Borrower has no way to update `maxTotalSupply` of `market` or close the market
high: Borrower can drain all funds of a sanctioned lender

Sep '23

Maia DAO - Ulysses
455.94 USDC • 3 total findings • Code4rena • kodyvim • #19
high: All tokens can be stolen from `VirtualAccount` due to a missing access modifier
medium: Incorrect flag results in `_hasFallbackToggled` always being set to false in createMultipleSettlement
medium: Message channels can be blocked, resulting in DoS

Allo V2
1.13 USDC • 2 total findings • Sherlock • Kodyvim • #70
high: Missing adjustments on `allocator.voiceCredits` allow bypassing `maxVoiceCreditsPerAllocator`
medium: Fee-on-transfer tokens are incorrectly accounted for in `_fundPool`

Delegate
40.13 USDC • Code4rena • kodyvim • #9

Aug '23

Chainlink Staking v0.2
124.35 USDC • Code4rena • kodyvim • #50

Dopex
200.62 USDC • 3 total findings • Code4rena • kodyvim • #57
high: The settle feature will be broken if an attacker arbitrarily transfers collateral tokens to the PerpetualAtlanticVaultLP
high: The peg stability module can be compromised by forcing lowerDepeg to revert
high: `UniV3LiquidityAMO::recoverERC721` will cause `ERC721` tokens to be permanently locked in `rdpxV2Core`

Sparkn
0.00 USDC • 1 total finding • CodeHawks • kodyvim • #93
low: If a winner is blacklisted on any of the tokens, they can't receive their funds

Arbitrum Security Council Election System
85.11 USDC • Code4rena • kodyvim • #17

Tangible Caviar
0 USDC • Code4rena • kodyvim • #88

Jul '23

Moonwell
655.37 USDC • 3 total findings • Code4rena • kodyvim • #16
medium: Proposals which intend to send native tokens to target addresses can't be executed
medium: Missing check for the max/min price in the `chainlinkOracle.sol` contract
medium: accrueInterest is expected to revert when the rate is higher than the maximum allowed rate, which is possible since utilization can exceed 1

CodeHawks Escrow Contract - Competition Details
0.00 USDC • 1 total finding • CodeHawks • kodyvim • #96
low: Constructor of `Escrow` should make sure that `buyer`, `seller` and `arbiter` are different from each other

Tapioca DAO
404.77 USDC • 3 total findings • Code4rena • kodyvim • #58
high: Reentrancy in `USDO.flashLoan()`, enabling an attacker to borrow unlimited USDO exceeding the max borrow limit
high: TOFT and USDO modules can be selfdestructed
medium: All deposit and withdraw functions in the Convex and Curve native LP strategies apply slippage to internal pricing, which reads the real-time on-chain price from Curve directly and is subject to MEV

Dinari
88.51 USDC • 1 total finding • Sherlock • Kodyvim • #9
medium: Cancelled order should not send tokens to recipient

May '23

Maia DAO Ecosystem
2,273.09 USDC • 4 total findings • Code4rena • kodyvim • #25
high: Removing a BribeFlywheel from a Gauge does not remove the reward asset from the rewards depo, making it impossible to add a new Flywheel with the same reward token
high: Missing unwrapping of native token in RootBridgeAgent.sweep() causes fees to be stuck
high: Multiple issues with decimal scaling will cause incorrect accounting of hTokens and underlying tokens
medium: Depositing gas through depositGasAnycallConfig should not withdraw the nativeToken

Iron Bank
0.03 USDC • 2 total findings • Sherlock • Kodyvim • #23
medium: Missing check for stale/incorrect price from Chainlink price feed
medium: No check whether the Arbitrum sequencer is down in Chainlink feeds

USSD - Autonomous Secure Dollar
0.44 USDC • 5 total findings • Sherlock • Kodyvim • #84
high: WBTC uses the wrong price feed
high: Missing access control on `mintRebalancer` and `burnRebalancer`
high: Using spot price could lead to price manipulation
high: Lack of slippage protection
medium: Missing check for stale/incorrect price from Chainlink price feed
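Several of the entries above are items on the same oracle-validation checklist: Iron Bank (stale price, Arbitrum sequencer down), USSD (stale price), Zaros Part 1 (status of the sequencer uptime feed) and Moonwell (missing min/max price check). The following is an added example rather than code from any of those projects. It relies on Chainlink's published `AggregatorV3Interface` and the documented L2 sequencer uptime feed semantics (answer 0 = up, 1 = down, `startedAt` = time of the last status change) and assumes the deployer supplies the feed's heartbeat and the aggregator's circuit-breaker bounds. `GuardedOracle`, `getPrice` and `_requireSequencerUp` are my names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Subset of Chainlink's published aggregator interface.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Added example: a price read that rejects stale, non-positive, clamped and
/// sequencer-down answers instead of passing `answer` straight through.
contract GuardedOracle {
    AggregatorV3Interface public immutable priceFeed;
    /// Chainlink L2 sequencer uptime feed; address(0) when deployed on L1.
    AggregatorV3Interface public immutable sequencerUptimeFeed;
    /// Maximum accepted age of a price, in seconds. Feed-specific: the deployer
    /// is assumed to take it from the feed's documented heartbeat.
    uint256 public immutable heartbeat;
    /// Aggregator circuit-breaker bounds. If the market moves past them the feed
    /// keeps reporting the bound, so an answer sitting on a bound is not a price.
    int256 public immutable minAnswer;
    int256 public immutable maxAnswer;
    /// How long to distrust prices after the sequencer comes back up.
    uint256 public constant GRACE_PERIOD = 1 hours;

    constructor(
        AggregatorV3Interface _priceFeed,
        AggregatorV3Interface _sequencerUptimeFeed,
        uint256 _heartbeat,
        int256 _minAnswer,
        int256 _maxAnswer
    ) {
        require(_heartbeat > 0, "oracle: heartbeat");
        require(_minAnswer < _maxAnswer, "oracle: bounds");
        priceFeed = _priceFeed;
        sequencerUptimeFeed = _sequencerUptimeFeed;
        heartbeat = _heartbeat;
        minAnswer = _minAnswer;
        maxAnswer = _maxAnswer;
    }

    function getPrice() external view returns (uint256) {
        _requireSequencerUp();
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();
        require(answer > 0, "oracle: non-positive answer");
        // Staleness: a round older than the feed's heartbeat means the feed has
        // stopped updating; an uninitialised round reports updatedAt == 0.
        require(updatedAt != 0 && block.timestamp - updatedAt <= heartbeat, "oracle: stale price");
        // answeredInRound is deprecated on newer feeds but still returned; the
        // check is cheap and catches a carried-over answer on older ones.
        require(answeredInRound >= roundId, "oracle: stale round");
        // Min/max: treat an answer at either circuit-breaker bound as invalid.
        require(answer > minAnswer && answer < maxAnswer, "oracle: answer at circuit-breaker bound");
        return uint256(answer);
    }

    function _requireSequencerUp() internal view {
        if (address(sequencerUptimeFeed) == address(0)) return;
        (, int256 status, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        // Sequencer feed semantics: answer 0 = up, 1 = down; startedAt is the
        // timestamp of the most recent status change.
        require(status == 0, "oracle: sequencer down");
        // While the sequencer was down, prices on L2 could not update; give the
        // feed a grace period to catch up before trusting it again.
        require(block.timestamp - startedAt > GRACE_PERIOD, "oracle: sequencer grace period");
    }
}
```

The circuit-breaker check only helps if the bounds passed to the constructor are the real ones from the aggregator, and the heartbeat should be the feed's own (they range from seconds to a day), which is why both are constructor parameters rather than hard-coded.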

Venus Protocol Isolated Pools
56.63 USDC • Code4rena • kodyvim • #42

Ajna Protocol
70.26 USDC • 1 total finding • Code4rena • kodyvim • #44
high: Position NFT can be spammed with insignificant positions by anyone until rewards DoS

Apr '23

Frankencoin
22.67 USDC • 1 total finding • Code4rena • kodyvim • #65
medium: Function `restructureCapTable()` in Equity.sol does not work as expected

Feb '23

Ethos Reserve contest
103.33 USDC • Code4rena • kodyvim • #32