KupiaSec

Security Researcher

We Secure Web3 📆 Request an audit on our website: https://t.co/34qoEZlpgd

High

168

Total

Medium

7

Solo

176

Total

$290.65K Total Earnings (#33 All Time)

95x Payouts

7x 1st Places (gold)

9x 2nd Places (silver)

13x 3rd Places (bronze)

Jun '25

Chronicle

Collaborative Audit • Sherlock • KupiaSec

May '25

poof.new Audit - May 28th

Collaborative Audit • Sherlock • KupiaSec

mystic-monorepo

1,056.99 USDC • 16 total findings • Cantina • KupiaSec

silver

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

RootsFi - BGT Derivative Issuance

Collaborative Audit • Sherlock • KupiaSec

Apr '25

Lazy Bear

Collaborative Audit • Sherlock • KupiaSec

Kinetiq

2,595.63 USDC • 4 total findings • Code4rena • KupiaSec

bronze

high

Users Who Queue Withdrawal Before A Slashing Event Disadvantage Users Who Queue After, Eventually Leading To Loss Of Funds For Them

high

Buffer Silently Locks Staked HYPE in Contract Without Using Them For Withdrawals Or Providing A Way To Be Pulled Out Or Moved To L1

medium

Incorrect Balance Check in Validator Redelegation Process May Block Legitimate Rebalancing Operations

medium

Processing all withdrawals before all deposits can cause some deposits to not be delegated in `processL1Operations`

infinifi-protocol

6,337.13 USDC • 3 total findings • Cantina • KupiaSec

gold

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

liquidity-book-vaults

88.78 USDC • 6 total findings • Cantina • KupiaSec

#30

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Mar '25

Jigsaw

Collaborative Audit • Sherlock • KupiaSec

Feb '25

THORWallet

346.49 USDC • 2 total findings • Code4rena • KupiaSec

bronze

high

The user can send tokens to any address by using two bridge transfers, even when transfers are restricted.

medium

Improper Transfer Restrictions on Non-Bridged Tokens Due to Boolean Bridged Token Tracking, Allowing a DoS Attack Vector

velvet-v4

10,702.06 USDC • 8 total findings • Cantina • KupiaSec

silver

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Jan '25

Next Generation

5,719.42 USDC • 1 total finding • Code4rena • KupiaSec

silver

medium

Approve operation is not overridden to call transferSanity, thus it is allowed to approve blacklisted accounts, which breaks a protocol invariant

Liquid Ron

3,025.05 USDC • 2 total findings • Code4rena • KupiaSec

#5

medium

Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

medium

User can earn rewards by frontrunning the new rewards accumulation in Ron staking without actually delegating his tokens

IQ AI

243.25 USDC • 1 total finding • Code4rena • KupiaSec

#13

high

Adversary can win proposals with voting power as low as 4%

daao-contracts

63.57 USDC • 4 total findings • Cantina • KupiaSec

#52

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

napier-v2

2,592.28 USDC • 1 total finding • Cantina • KupiaSec

bronze

medium

Finding not yet public.

doppler-contracts

7,408.02 USDC • 5 total findings • Cantina • KupiaSec

bronze

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

inclusive-monorepo

10,984.57 USDC • 44 total findings • Cantina • KupiaSec

gold

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

infrared-contracts

2,547.06 USDC • 1 total finding • Cantina • KupiaSec

#19

medium

Finding not yet public.

Plaza Finance

2,415.04 USDC • 8 total findings • Sherlock • KupiaSec

#4

high

Users can redeem more than permitted by manipulating the `collateralLevel` from `< 120%` to `> 120%` through donations.

high

`LeverageToken` holders can drain the pool.

high

`COLLATERAL_THRESHOLD` should be set to `125%` instead of `120%`.

high

When Creating and Redeeming, the Protocol Fee is Not Updated

high

`BalancerRouter.joinBalancerPool()` Doesn't Refund Remaining Tokens

high

When Redeeming `LeverageToken`, the Redemption Price is Unfairly Compared with `BondToken`'s Market Price

medium

Once the total supply of `LeverageToken` reaches 0, it will never be minted again.

medium

`Pool.getRedeemAmount()` Could Revert Due to Integer Underflow

farcasterattestation-monorepo

1,009.06 OP • 3 total findings • Cantina • KupiaSec

#20

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Pump Science

147.37 USDC • Code4rena • KupiaSec

#8

hmx-orderbook

1,931.42 USDC • 2 total findings • Cantina • KupiaSec

#4

medium

Finding not yet public.

medium

Finding not yet public.

FlatMoney v2 Update

11,380.86 USDC • Sherlock • KupiaSec

gold

Findings not publicly available for private contests.

Dec '24

GMX Solana

Collaborative Audit • Blackthorn • KupiaSec

Rain Solana

Collaborative Audit • Sherlock • KupiaSec

Idle Finance Credit Vaults

1,142.76 USDC • Sherlock • KupiaSec

#5

Findings not publicly available for private contests.

SecondSwap

3,836.65 USDC • 8 total findings • Code4rena • KupiaSec

silver

high

In `transferVesting`, the `grantorVesting.releaseRate` is calculated incorrectly, which leads to the sender being able to unlock more tokens than were initially locked.

high

Users can claim more than their actual allotment

high

`SecondSwap_Marketplace` vesting listing order affects how much the vesting buyers can claim at a given step

medium

Incorrect referral fee calculations

medium

Incorrect listing type validation bypasses enforcement of minimum purchase amount

medium

Price Granularity Limited by Payment Token Decimals: Cannot List Tokens Cheaper than 0.000001 USDT

medium

`buyFee` And `sellFee` Should Be Known Before Purchase

medium

Underflow in `claimable` DOSing `claim` Function

Numa

5,885.71 USDC • 3 total findings • Sherlock • KupiaSec

#4

high

Inflation Attack via Donations.

medium

Before transferring `CToken`, the `accrueInterest()` function should be called first.

medium

The `CNumaToken.leverageStrategy()` function reverts due to an improper check of the `principal` borrow amount.
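The "Inflation Attack via Donations" finding above names a well-known ERC-4626 vault pattern. The Python model below is an added example written for this page, not Numa's code or the published report: it reproduces the generic share-conversion arithmetic with floor division (as Solidity's uint256 math would), runs the classic first-depositor attack against it, and then repeats the run with OpenZeppelin-style virtual shares (a decimals offset) to show why the donation stops paying off. All amounts are constructed, and `Vault` and `run_inflation_attack` are names chosen for the example.

```python
"""ERC-4626 share inflation via donation: attack model and virtual-shares mitigation.

Added example for this page (not Numa's code). Python ints with floor division
reproduce Solidity uint256 arithmetic; all token amounts are constructed.
"""
from dataclasses import dataclass
from typing import Optional

WAD = 10**18  # 18-decimal token unit


@dataclass
class Vault:
    """Minimal ERC-4626-style vault.

    offset=None -> classic conversion, shares = assets * S / A (first depositor
                   gets shares 1:1); vulnerable to donation inflation.
    offset=k    -> virtual shares and assets with a decimals offset of k
                   (OpenZeppelin ERC4626 style): shares = assets * (S + 10**k) / (A + 1).
    """
    total_assets: int = 0
    total_shares: int = 0
    offset: Optional[int] = None

    def to_shares(self, assets: int) -> int:
        if self.offset is None:
            if self.total_shares == 0:
                return assets
            return assets * self.total_shares // self.total_assets
        return assets * (self.total_shares + 10**self.offset) // (self.total_assets + 1)

    def to_assets(self, shares: int) -> int:
        if self.offset is None:
            return shares * self.total_assets // self.total_shares
        return shares * (self.total_assets + 1) // (self.total_shares + 10**self.offset)

    def deposit(self, assets: int) -> int:
        shares = self.to_shares(assets)  # rounds down: a too-small deposit mints 0 shares
        self.total_assets += assets
        self.total_shares += shares
        return shares

    def redeem(self, shares: int) -> int:
        assets = self.to_assets(shares)
        self.total_shares -= shares
        self.total_assets -= assets
        return assets

    def donate(self, assets: int) -> None:
        """Plain ERC-20 transfer into the vault: raises totalAssets, mints nothing."""
        self.total_assets += assets


def run_inflation_attack(offset: Optional[int], victim_deposit: int = 10_000 * WAD) -> dict:
    """Attacker front-runs the first real deposit: a 1-wei deposit, then a donation
    as large as the victim's deposit, then a redeem once the victim is in."""
    vault = Vault(offset=offset)
    attacker_shares = vault.deposit(1)
    vault.donate(victim_deposit)
    attacker_in = 1 + victim_deposit

    victim_shares = vault.deposit(victim_deposit)
    attacker_out = vault.redeem(attacker_shares)
    victim_out = vault.redeem(victim_shares) if victim_shares else 0
    return {
        "victim_shares": victim_shares,
        "victim_out": victim_out,
        "attacker_in": attacker_in,
        "attacker_out": attacker_out,
        "attacker_profit": attacker_out - attacker_in,
    }


if __name__ == "__main__":
    for label, offset in (("classic", None), ("offset=6", 6)):
        print(label, run_inflation_attack(offset))
```

With the classic formula the victim's 10,000-token deposit mints 0 shares and the attacker's single share redeems the whole vault; with a decimals offset of 6 the victim still receives shares and the attacker gets back less than the donation, which is what makes the attack uneconomic.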

Teller Lender Groups Update Audit

3,132.57 USDC • 3 total findings • Sherlock • KupiaSec

bronze

high

Incorrect implementation of `LenderCommitmentGroupShares._afterTokenTransfer()` may lead to DoS of `LenderCommitmentGroup_Smart`

medium

Users can lower the interest rate by dividing a loan into multiple smaller loans

medium

The `totalPrincipalTokensRepaid` and `totalInterestCollected` may not be updated even when funds are already transferred

Lambo.win

145.58 USDC • 3 total findings • Code4rena • KupiaSec

#21

high

Minting zero tokens when underlyingToken is not Ether in cashIn()

medium

`LamboRebalanceOnUniswap::_getTokenInOut` formula used to compute rebalancing amount is wrong for a UniV3 pool

medium

`sellQuote` and `buyQuote` are missing deadline check in `LamboVEthRouter`

bima-money

5,005.96 USDC • 1 total finding • Cantina • KupiaSec

#9

medium

Finding not yet public.

Nov '24

Extra Finance

2,241.77 OP • Sherlock • KupiaSec

silver

Findings not publicly available for private contests.

RuneMine by Mine Labs’

8,408.04 USDC • Sherlock • KupiaSec

silver

Findings not publicly available for private contests.

Chiliz Chain System Contracts

3,227.19 USDC • Sherlock • KupiaSec

bronze

Findings not publicly available for private contests.

Debita Finance V3

1,153.45 USDC • 1 total finding • Sherlock • KupiaSec

#7

medium

The `MixOracle.getThePrice` function calculates the price incorrectly using the `TarotOracle.getResult` function as the TWAP price

Oct '24

Usual V1

4,367.29 USDC • 2 total findings • Sherlock • KupiaSec

gold

high

The fee mechanisms for withdrawals and redemptions differ in the `UsualX` contract

high

Rewards are not updated for the removed allocations in the UsualSP.removeOriginalAllocation() function

AXION

547.04 USDC • 3 total findings • Sherlock • KupiaSec

#7

high

The protocol can't collect reward tokens from the gauges of Velodrome and Aerodrome

medium

The `V2AMO._mintAndSellBoost()` function does not work with Velodrome and Aerodrome

medium

The `MasterAMO.initialize()` function should have the `onlyInitializing` modifier

Avantis v1.5: Cross-Asset Leverage

5,557.91 OP • Sherlock • KupiaSec

#5

Findings not publicly available for private contests.

Sep '24

redstone-oracle

3,344.66 USDC • 1 total finding • Cantina • KupiaSec

#7

medium

Finding not yet public.

Royco Protocol

150.4 USDC • 5 total findings • Cantina • KupiaSec

#33

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Boost Core Incentive Protocol

32.19 USDC • 2 total findings • Sherlock • KupiaSec

#21

high

The `BoostCore` contract lacks the ability to call certain functions of the incentive contracts, such as `clawback()` and `drawRaffle()`

medium

`DoS` when creating boosts with `fee-on-transfer` tokens

Aug '24

Velar Artha PerpDEX

8,489.20 USDC • 5 total findings • Sherlock • KupiaSec

bronze

high

The `api.burn` function should have a cool-down period

medium

The protocol should consider the variance of quote tokens' price

medium

Invalid Redstone oracle payload size prevents the protocol from working properly

medium

Protocol incompatibility with smart contract wallets

medium

Not decreasing oracle timestamp validation leads to DoS for protocol users

Cork Protocol

1,743.19 USDC • 6 total findings • Sherlock • KupiaSec

#6

high

Incorrect `psmRa` in the `VaultLib._liquidatedLp()` function

high

The `DsFlashSwap.emptyReserve()` function incorrectly always returns 0

high

The `PsmLib.repurchase()` function doesn't increase the locked amount of `RA`

high

The `PsmLib.lvRedeemRaWithCtDs()` function doesn't decrease the locked amount of `RA`

high

The `FlashSwapRouter` mistakenly transfers certain `RA` tokens to `DS` buyers, resulting in financial losses for `lv` holders

medium

Incorrect implementation of the modifier `LVDepositNotPaused()`

Phi

9.65 USDC • 3 total findings • Code4rena • KupiaSec

#45

high

Reentrancy Vulnerability Allows Bypass of Cooldown, Leading to Unfair Reward Extraction Through Flash Loan

high

Exposed `_removeCredIdPerAddress` & `_addCredIdPerAddress` allows anyone to cause issues to current holders as well as upcoming ones

medium

Refunds sent to incorrect addresses in certain cases

ZeroLend One

149.60 USDC • 5 total findings • Sherlock • KupiaSec

#33

high

`executeLiquidationCall` utilizes wrong debt and collateral balance, disrupting whole liquidation process

high

`_repayDebtTokens` wrongly sets `vars.debtReserveCache.nextDebtShares` to incorrect value, leading to false `liquidityRate`, `borrowRate`

high

Wrong calculation of supply/debt balance of a position, disrupting core system functionalities

high

Incorrect deduction of `accruedToTreasuryShares` from totalSupply, causing loss of shares

medium

The `CuratedVault.reallocate` function will fail when `allocation.assets == uint256.max`, even though this scenario is possible

zetachain-protocol

115.03 USDC • 2 total findings • Cantina • KupiaSec

#58

medium

Finding not yet public.

medium

Finding not yet public.

Sentiment V2

118.15 USDC • 2 total findings • Sherlock • KupiaSec

#30

medium

The `SuperPool.reallocate()` function uses `approve` instead of `forceApprove`, which could lead to a revert

medium

The `SuperPool._supplyToPools()` function only considers the state variable `poolCapFor` for the `SuperPool`'s `poolId`s, not the `poolCap` for the `Pool`'s `poolId`s

Axelar Network

0 USDC • Code4rena • KupiaSec

#9

Jul '24

Basin

8.44 USDC • 1 total finding • Code4rena • KupiaSec

#11

high

Incorrectly assigned `decimal1` parameter upon decoding

TraitForge

1,558.63 USDC • 13 total findings • Code4rena • KupiaSec

bronze

high

`mintToken()`, `mintWithBudget()`, and `forge()` in the `TraitForgeNft` Contract Will Fail Due to a Wrong Modifier Used in `EntropyGenerator.initializeAlphaIndices()`

high

The maximum number of generations is infinite

high

The number of entities in a generation can surpass the 10k limit

high

Wrong minting logic based on total token count across generations

medium

Lack of Slippage Protection in Dynamic Pricing Mint Function

medium

Funds can be locked indefinitely in NukeFund.sol

medium

Incorrect `isApprovedForAll` check in the `NukeFund.nuke()` function.

medium

There is no slippage check in the `nuke()` function.

medium

Forger Entities can forge more times than intended

medium

Pause and unpause functions are inaccessible

medium

NFTs mature too slowly under default settings.

medium

Discrepancy between nfts minted, price of nft when a generation changes & position of `_incrementGeneration()` inside `_mintInternal()` & `_mintNewEntity()`

medium

Incorrect check against golden entropy value in the first two batches

Exactly Protocol Update - Staking Contract

673.66 USDC • 3 total findings • Sherlock • KupiaSec

silver

medium

A malicious attacker can cause a significant amount of reward tokens to be locked in `StakedEXA` by calling `harvest()` frequently

medium

Anyone could call `harvest()` to extend the period finish time

medium

In periods where `totalSupply = 0`, rewards will be locked forever in the `StakedEXA` contract

Karak Restaking

21,737.29 USDC • 5 total findings • Code4rena • KupiaSec

gold

high

Slashing NativeVault will lead to locked ETH for the users

high

A `DoS` on snapshots due to a rounding error in calculations.

high

Violation of Invariant Allowing DSSs to Slash Unregistered Operators

medium

Delayed Slashing Window and Lack of Transparency for Pending Slashes Could Lead to Loss of Funds

medium

A snapshot may face a permanent DoS if both a slashing event occurs in the NativeVault and the staker's validator is penalized.

Optimism Superchain

5,412.07 OP • 1 total finding • Code4rena • KupiaSec

#10

medium

`MIPS` - Incorrect implementation of SRAV instruction

Super Boring

2,020.19 USDC • Sherlock • KupiaSec

bronze

Findings not publicly available for private contests.

MagicSea - the native DEX on the IotaEVM

1,733.46 USDC • 10 total findings • Sherlock • KupiaSec

bronze

high

Improper `msg.sender` check in the `BribeRewarder._modify()` function

high

In the `Voter.vote()` function, `lockDuration` is used incorrectly instead of the remaining time

high

Pending rewards need to be processed when `BribeRewarder.Deposit()` is called

high

`BribeRewarder` has no sweeping mechanism

high

Incorrect looping in the `BribeRewarder.claim()` function

medium

The bribe reward mechanism is susceptible to exploitation by attackers

medium

The `MlumStaking._requireOnlyOperatorOrOwnerOf()` function always returns `true`

medium

The `MlumStaking.addToPosition()` function can be called even during the `emergencyUnlock` situation

medium

Unclaimed rewards from the `emergencyWithdraw()` function remain permanently locked in the `MlumStaking` contract

medium

The `BribeRewarder.fundAndBribe()` function will revert when used with `fee-on-transfer` tokens

Deepr

2,024.35 USDC • Sherlock • KupiaSec

bronze

Findings not publicly available for private contests.

Velocimeter

222.18 USDC • 2 total findings • Sherlock • KupiaSec

#35

high

Loss of funds when gauge is paused

high

Vulnerability in `OptionTokenV4::exerciseLp` Function Enabling Malicious Lock Manipulation

Jun '24

Orderly Network

13,540.47 USDC • Sherlock • KupiaSec

gold

Findings not publicly available for private contests.

Vultisig

219.39 USDC • 2 total findings • Code4rena • KupiaSec

#16

high

Vultisig whitelisting can be bypassed by anyone

high

Most users won't be able to claim their share of Uniswap fees

Size

29,203.33 USDC • 10 total findings • Code4rena • KupiaSec

silver

high

Risk of Overpayment Due to Race Condition Between repay and liquidateWithReplacement Transactions

high

Users won't liquidate positions because the logic used to calculate the liquidator's profit is incorrect

high

When `sellCreditMarket()` is called to sell credit for a specific cash amount, the protocol might receive a lower swapping fee than expected.

high

The collateral remainder cap is incorrectly calculated during liquidation

medium

Fragmentation fee is not taken if user compensates with newly created position

medium

`executeBuyCreditMarket` returns the wrong amount of cash and overestimates the amount that needs to be checked in the variable pool

medium

Sandwich attack on loan fulfillment will temporarily prevent users from accessing their borrowed funds

medium

Users cannot buy/sell the minimum credit allowed due to the exactAmountIn condition

medium

Multicall does not work as intended

medium

LiquidateWithReplacement does not charge swap fees on the borrower

Telcoin Wallet

9,200 USDC • Sherlock • KupiaSec

gold

Findings not publicly available for private contests.

dHEDGE

1,369.37 USDC • Sherlock • KupiaSec

#8

Findings not publicly available for private contests.

May '24

Sophon Farming Contracts

16.89 USDC • 1 total finding • Sherlock • KupiaSec

#5

medium

When the `startBlock` is reset, the `lastRewardBlock`s of the pools are not updated accordingly

Gamma - Locked Staking Contract

133.81 USDC • 1 total finding • Sherlock • KupiaSec

bronze

medium

MinOut check should be added into the `Lock.earlyExitById` function

Arrakis Valantis SOT Audit

1,853.22 USDC • 1 total finding • Sherlock • KupiaSec

#4

high

Adding liquidity can be `DoS`ed due to calculation mismatches

Elfi

610.78 USDC • 7 total findings • Sherlock • KupiaSec

#8

high

The `AccountFacet.batchUpdateAccountToken()` function is missing a caller authorization check

high

The `PositionMarginProcess.updateAllPositionFromBalanceMargin()` function is passing an incorrect parameter to the `updatePositionFromBalanceMargin()` function call

high

When withdrawing funds, the `PositionMarginProcess.updatePositionFromBalanceMargin()` function may not operate correctly

high

The `PositionMarginProcess.updatePositionFromBalanceMargin()` function calculates the `changeAmount` after modifying the storage variable

medium

In the `AssetsProcess.deposit()` function, the user collateral cap check is performed using the outdated token amount, instead of the newly updated value

medium

The `AssetsProcess.withdraw()` function doesn't update the `CommonData`

medium

The `lossFee` is always 0 in the `GasProcess.processExecutionFee()` function

Napier Finance - LST/LRT Integrations

941.44 USDC • 3 total findings • Sherlock • KupiaSec

#6

high

EETHAdapter.claimWithdrawal() uses a wrong condition and it doesn't work in most cases

medium

Potential Incompatibility Issue with `PufETHAdapter::_stake` Function

medium

MetapoolRouter.swapETHForYt() validates a wrong condition and this blocks intended workflow in most cases

Arbitrum BoLD

0 USDC • Code4rena • KupiaSec

#10

safe-extensions

87.5 USDC • 1 total finding • Cantina • KupiaSec

#26

medium

Finding not yet public.

Apr '24

Renzo

630.73 USDC • 6 total findings • Code4rena • KupiaSec

#19

high

Incorrect withdraw queue balance in TVL calculation

high

Withdrawals logic allows MEV exploits of TVL changes and zero-slippage zero-fee swaps

high

ETH withdrawals from EigenLayer always fail due to `OperatorDelegator`'s nonReentrant `receive()`

high

Incorrect calculation of queued withdrawals can deflate TVL and increase ezETH mint rate

medium

Pending withdrawals prevent safe removal of collateral assets

medium

Deposits will always revert if the amount being deposited is less than the bufferToFill value

NOYA

1,409.42 USDC + NOYA stars • 14 total findings • Code4rena • KupiaSec

#10

high

Incomplete TVL Calculation in `AerodromeConnector::_getPositionTVL` Function.

high

`executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`

high

`NoyaValueOracle.getValue` returns an incorrect price when a multi-token route is used

high

Base tokens like USDT, USDC having different decimals on different chains can have their TVL updated incorrectly

high

Numerous errors when calculating the TVL for the MorphoBlue connector

high

In Dolomite, when opening a borrow position, the holding position in the Registry will never be updated due to the removePosition flag being set to true

high

It is possible to open an insolvent position in the Silo connector due to a missing check in the borrow function

medium

The modifier `onlyExistingRoute` works incorrectly

medium

Incorrect Return Value in `CompoundConnector.getBorrowBalanceInBase()` Affecting TVL Calculation

medium

`borrowAndSupply()` and `withdraw()` of `FraxConnector` should not be blocked when `maxLTV` of the Frax pair is 0

medium

Missing calls to `_updateTokenInRegistry` leads to incorrect state of tokens in registry

medium

Incorrect modifier condition

medium

Balancer flashloan contract can be DOSed completely by sending 1 wei to it

medium

Dust donation might DOS all connectors to create new holding positions, by preventing removing existing holding positions

Teller Finance

470.53 USDC • 8 total findings • Sherlock • KupiaSec

#11

high

A sandwich attack can potentially take most of the interest earned within the `LenderCommitmentGroup_Smart` contract

high

`_collateralAmount` is multiplied by `STANDARD_EXPANSION_FACTOR` unreasonably in the collateral check of the `LenderCommitmentGroup_Smart.acceptFundsForAcceptBid()` function.

high

The collateral tokens withdrawn by `liquidateDefaultedLoanWithIncentive()` will be frozen in the `LenderCommitmentGroup_Smart` contract.

high

The `LenderCommitmentGroup_Smart` contract cannot use USDT as its principal token, because `USDT.transfer()` does not return a boolean value.

medium

The interest rate model should be improved in the `LenderCommitmentGroup_Smart`.

medium

The newly added contracts will not work well on fee-on-transfer tokens, because there is no consideration for fee on transfer.

medium

`FlashRolloverLoan_G5` cannot work well with some LenderCommitForwarders including the `SmartCommitmentForwarder` contract.

medium

A user can borrow liquidity, even though `getPrincipalAmountAvailableToBorrow() < 0`.

TITLES Publishing Protocol

220.71 USDC • 8 total findings • Sherlock • KupiaSec

#17

high

Improper Reference in `FeeManager::_splitProtocolFee` Function

high

Incorrect Handling of Mint Fees in `Edition::mintBatch` Function

medium

Attackers can revert `TitlesGraph.acknowledgeEdge()` by front-running

medium

The function `TitlesGraph._setAcknowledged()` doesn't function properly due to its reliance on a memory variable

medium

Design Flaw in `Edition::_refundExcess` Function Implementation

medium

Improper handling of `msg.value` in the `Edition::mintBatch` function

medium

Lack of Functionality for Granting or Revoking Important Roles in the `Edition` Contract

medium

`Edition::transferWork` function doesn't change the receiver of the `_feeReceivers`

Exactly Protocol

804.11 USDC • 2 total findings • Sherlock • KupiaSec

#9

medium

The function `updateFloatingDebt` must be called before every update of the `floatingAssets`, `floatingDebt` and `floatingBackupBorrowed` variables.

medium

Anyone can allow others' assets to be used as collateral without approval of the asset owner because the `Market.borrow` function doesn't check if `assets > 0`

DYAD

332.07 USDC • 7 total findings • Code4rena • KupiaSec

#33

high

Attacker can make 0 value deposit() calls to deny user from redeeming or withdrawing collateral

high

Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine

high

Kerosene collateral is not being moved on liquidation, exposing liquidators to loss

high

Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply

high

Missing check for sufficient exogenous collateral in `VaultManagerV2::liquidate` makes the liquidation revert even if (DYAD Minted > Non Kerosene Value)

high

User can get their Kerosene stuck because of an invalid check on withdraw

medium

Value of kerosene can be manipulated to force liquidate users

Zivoe

528.80 USDC • 5 total findings • Sherlock • KupiaSec

#24

high

The depositors participating in the ITO may claim an airdrop amount different from the actual value

high

The `revokeVestingSchedule` function does not correctly track `_totalSupply`, `_totalSupplyCheckpoints` and `_checkpoints[account]`

high

A malicious attacker can cause a significant amount of reward tokens to be locked in `ZivoeRewards` by calling `depositReward()` frequently.

medium

The function `OCL_ZVE.pushToLockerMulti()` often results in a revert.

medium

Borrowers can circumvent fees by calling `OCC_Modular::callLoan` when the grace period exceeds the payment interval
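The `harvest()` findings listed under Exactly Protocol Update - Staking Contract above and the `depositReward()` finding under Zivoe describe the same Synthetix-style StakingRewards behaviour: a permissionless reward-notification call recomputes `rewardRate` with floor division and restarts the period, and rewards that accrue while `totalSupply == 0` are never credited to anyone. The Python model below is an added example for this page, not code from StakedEXA, ZivoeRewards or either audit report; it implements the standard StakingRewards formulas with integer arithmetic over a constructed 6-decimal reward token so the stranded amounts and the period extension can be measured. `StakingRewards`, `scenario` and the account name are names chosen for the example.

```python
"""Synthetix-style StakingRewards accounting with integer arithmetic.

Added model for this page, not code from StakedEXA, ZivoeRewards or their
audits. It reproduces the standard formulas so three effects of a
permissionless reward-notification call can be measured: rounding loss per
call, extension of periodFinish, and rewards stranded while totalSupply == 0.
Amounts, timestamps and account names are constructed.
"""
from typing import Optional

WAD = 10**18
USDC = 10**6                 # constructed 6-decimal reward token
DURATION = 30 * 24 * 3600    # 2_592_000-second reward period


class StakingRewards:
    """Caller sets `now`; every formula mirrors the Synthetix contract."""

    def __init__(self, duration: int) -> None:
        self.duration = duration
        self.now = 0
        self.reward_rate = 0              # reward units per second
        self.period_finish = 0
        self.last_update = 0
        self.reward_per_token_stored = 0
        self.total_supply = 0
        self.balances: dict = {}
        self.paid: dict = {}              # userRewardPerTokenPaid
        self.rewards: dict = {}
        self.funded = 0                   # reward tokens ever transferred in

    def last_time_reward_applicable(self) -> int:
        return min(self.now, self.period_finish)

    def reward_per_token(self) -> int:
        if self.total_supply == 0:
            return self.reward_per_token_stored
        elapsed = self.last_time_reward_applicable() - self.last_update
        return self.reward_per_token_stored + elapsed * self.reward_rate * WAD // self.total_supply

    def earned(self, account: str) -> int:
        delta = self.reward_per_token() - self.paid.get(account, 0)
        return self.balances.get(account, 0) * delta // WAD + self.rewards.get(account, 0)

    def _update_reward(self, account: Optional[str]) -> None:
        self.reward_per_token_stored = self.reward_per_token()
        # Advances even while totalSupply == 0, so the rewards for that
        # interval are never credited to anyone.
        self.last_update = self.last_time_reward_applicable()
        if account is not None:
            self.rewards[account] = self.earned(account)
            self.paid[account] = self.reward_per_token_stored

    def stake(self, account: str, amount: int) -> None:
        self._update_reward(account)
        self.total_supply += amount
        self.balances[account] = self.balances.get(account, 0) + amount

    def notify_reward_amount(self, reward: int) -> None:
        """Permissionless in the vulnerable variants: folds the undistributed
        leftover into a new rate with floor division and restarts the period."""
        self._update_reward(None)
        self.funded += reward
        if self.now >= self.period_finish:
            self.reward_rate = reward // self.duration
        else:
            leftover = (self.period_finish - self.now) * self.reward_rate
            self.reward_rate = (reward + leftover) // self.duration
        self.last_update = self.now
        self.period_finish = self.now + self.duration


def scenario(attacker_notifies: int = 0, stake_at: int = 0,
             reward: int = 1_000_000 * USDC, staked: int = 1_000 * WAD) -> dict:
    """One honest staker; optional attacker notifying 1 unit every second;
    optional late staking (no supply at all until `stake_at`)."""
    pool = StakingRewards(DURATION)
    if stake_at == 0:
        pool.stake("alice", staked)
    pool.notify_reward_amount(reward)
    for t in range(1, attacker_notifies + 1):
        pool.now = t
        pool.notify_reward_amount(1)          # one unit = 1e-6 of the reward token
    if stake_at > 0:
        pool.now = stake_at
        pool.stake("alice", staked)
    pool.now = pool.period_finish
    earned = pool.earned("alice")
    return {"funded": pool.funded, "earned": earned,
            "stranded": pool.funded - earned, "period_finish": pool.period_finish}
```

`scenario()` is the honest baseline (a fraction of a unit lost to rounding), `scenario(attacker_notifies=1000)` spams one-unit notifications for the first 1,000 seconds and strands thousands of units while pushing `periodFinish` out by the same 1,000 seconds, and `scenario(stake_at=DURATION // 2)` shows that with no stakers for half the period, about half the funding is never distributable. The standard hardening is to restrict or schedule the notification path and to carry the division remainder forward instead of truncating it.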

Panoptic

8,159.28 USDC • 2 total findings • Code4rena • KupiaSec

bronze

high

Partial transfers are still possible, leading to incorrect storage updates, and the calculated account premiums will be significantly different from what they should be

medium

Incorrect validation during checking liquidity spread

Mar '24

Seismic Finance

5,577.64 USDC • Sherlock • KupiaSec

silver

Findings not publicly available for private contests.

Revert Lend

560.56 USDC • 4 total findings • Code4rena • KupiaSec

#24

medium

`AutoExit` could receive a reward calculated from the entire position's fund even if `onlyFee` is true in `AutoExit.execute()`.

medium

Wrong global lending limit check in `_deposit` function

medium

Large decimals of the referenceToken cause an overflow in the oracle price calculation

medium

Users can lend and borrow above allowed limitations

Feb '24

curvance

31,952.05 USDC • 15 total findings • Cantina • KupiaSec

#5

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Rio Network

1,965.56 USDC • 3 total findings • Sherlock • KupiaSec

#14

high

`currentEpochsByAsset` is not increased in `RioLRTWithdrawalQueue.queueCurrentEpochSettlement()`

high

The `allocation` of shares has to be deleted, if `old cap > 0 && new cap == 0` in `OperatorRegistryV1Admin.setOperatorStrategyCap()`.

medium

Depositing tokens to EigenLayer strategy reverts because of dust differences.

AI Arena

1.72 USDC • 3 total findings • Code4rena • KupiaSec

#161

high

A locked fighter can be transferred; leads to game server unable to commit transactions, and unstoppable fighters

high

Fighters cannot be minted after the initial generation due to uninitialized `numElements` mapping

medium

NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on-chain due to an underflow, and the user can recover past losses that should be unrecoverable (stealing the protocol's tokens)

100x

1,981.59 USDC • Sherlock • KupiaSec

#4

Findings not publicly available for private contests.

Jan '24

LooksRare YOLO

104.78 USDC • 2 total findings • Sherlock • KupiaSec

#5

high

Attackers can win the round unfairly without depositing ETH to the current round using the `depositETHIntoMultipleRounds` function

medium

`MAXIMUM_NUMBER_OF_DEPOSITS_PER_ROUND` can be bypassed using `depositETHIntoMultipleRounds` function.

Salty.IO

268.42 USDC • 1 total finding • Code4rena • KupiaSec

#46

medium

When forming POL, the DAO will end up stuck with DAI and USDS tokens that it cannot handle.

Curves

6.73 USDC • 6 total findings • Code4rena • KupiaSec

#87

high

Whitelisted accounts can be forcefully DoSed from buying curveTokens during the presale

high

Unauthorized Access to setCurves Function

medium

Protocol and referral fee would be permanently stuck in the Curves contract when selling a token

medium

onBalanceChange causes previously unclaimed rewards to be cleared

medium

Curves::_buyCurvesToken(): excess ETH received is not refunded to the user.

medium

If a user sets their curve token symbol as the default one plus the next token counter instance it will render the whole default naming functionality obsolete

reNFT

875.96 USDC • Code4rena • KupiaSec

#15

Truflation

90.28 USDC • 1 total finding • Sherlock • KupiaSec

#9

high

An attacker can drain TRUF tokens after the initial release period and before the cliff

Ubiquity

1,866.60 USDC • 1 total finding • Sherlock • KupiaSec

#6

medium

Incorrect implementation and usage of TWAP oracle affects Ubiquity Dollar price validation

Dec '23

Rain

Collaborative Audit • Sherlock • KupiaSec

Revolution Protocol

202.63 USDC • 6 total findings • Code4rena • KupiaSec

#33

high

Incorrect amounts of ETH are transferred to the DAO treasury in `ERC20TokenEmitter::buyToken()`, causing a value leak in every transaction

medium

Once EntropyRateBps is set too high, it can lead to denial-of-service (DoS) due to an invalid ETH amount

medium

`ERC20TokenEmitter::buyToken` function mints more tokens to users than it should

medium

Since the buyToken function has no slippage check, users can receive fewer tokens than expected when they buy tokens directly

medium

The quorumVotes can be bypassed

medium

Bidder can use donations to get VerbsToken from auction that already ended.

Ethereum Credit Guild

3.05 USDC • 1 total finding • Code4rena • KupiaSec

#87

high

Users staking via the `SurplusGuildMinter` can be immediately slashed when staking into a gauge that had previously incurred a loss

Olympus RBS 2.0

3,280.32 USDC • 2 total findings • Sherlock • KupiaSec

#5

medium

Price calculation can be manipulated by intentionally reverting some of the price feeds.

medium

BunnySupply missing accumulated fees in Protocol Owned Liquidity (aka POL) calculation

Nov '23

Panoptic

1,122.43 USDC • 2 total findings • Code4rena • KupiaSec

#12

high

Partial transfers are still possible, leading to incorrect storage updates, and the calculated account premiums will be significantly different from what they should be

medium

Incorrect validation during checking liquidity spread

core-and-erc1155a

282.99 USDC • 1 total finding • Cantina • KupiaSec

#21

high

Finding not yet public.

Nouns Builder

1,078.57 USDC • 2 total findings • Sherlock • KupiaSec

#5

high

The auction mechanism would be broken forever by a malicious highest bidder.

high

The first founder will lose 1% ownership if `reservedUntilTokenId >= 100`.

Canto Application Specific Dollars and Bonding Curves for 1155s

1.37 USDC • 1 total finding • Code4rena • KupiaSec

#31

medium

No slippage protection for Market functions

GMX-Solana Blackthorn

Collaborative Audit • Blackthorn • KupiaSec

Oct '23

Party Protocol

716.76 USDC • 1 total finding • Code4rena • KupiaSec

#12

medium

PartyGovernance.sol#accept - passThresholdBps isn't cached for each proposal which can lead to problems, if changed through another proposal

NextGen

801.18 USDC • 3 total findings • Code4rena • KupiaSec

#14

high

Attacker can reenter to mint all the collection supply

medium

getPrice `salesOption` 2 can round down to the lower barrier, skipping the last time period

medium

Auction winner can prevent payments via `safeTransferFrom` callback

Jul '23

PoolTogether

2,710.76 USDC • 5 total findings • Code4rena • KupiaSec

#5

high

Resetting delegation will result in user funds being lost forever

high

`Vault.mintYieldFee` function can be called by anyone to mint `Vault Shares` to any recipient address

high

`_amountOut` is representing assets and shares at the same time in the `liquidate` function

high

The `_currentExchangeRate` of the Vault contract can't increase, and is always lower than or equal to `_assetUnit`

medium

`Vault.mintWithPermit()` can be DoSed

Jun '23

Lybra Finance

227.58 USDC • 3 total findings • Code4rena • KupiaSec

#38

high

`_voteSucceeded()` returns true when `againstVotes > forVotes` and vice versa

medium

Liquidation won't work when the bad and safe collateral ratios are set to their default values

medium

`stakerewardV2pool.withdraw()` should check the user's boost lock status.

May '23

Maia DAO Ecosystem

450.98 USDC • 2 total findings • Code4rena • KupiaSec

#44

high

`UlyssesToken` asset ID accounting error

medium

`UlyssesToken.setWeights(...)` can cause user loss of assets on vault deposits/withdrawals