https://sherlock-files.ams3.digitaloceanspaces.com/profile_images/defaults/default_avatar_5.png

LZ_security

Security Researcher

Contact Me

High

6

Solo

61

Total

Medium

8

Solo

79

Total

$246.79K

Total Earnings

#35 All Time

47x

Payouts

gold

1x

1st Places

silver

6x

2nd Places

bronze

6x

3rd Places

All

Sherlock

Code4rena

Cantina

Feb '25

Babylon Chain Launch (Phase-2)

Babylon Chain Launch (Phase-2)

157,894.73 USDC • 2 total findings • Sherlock • LZ_security

gold

high

The EXPIRED judgment does not include the current block

high

If the Covenant signature does not pass , EXPIRED events it will still be executed.

Jan '25

Plaza Finance

Plaza Finance

294.44 USDC • 5 total findings • Sherlock • ZeroTrust

#28

high

In the create() and redeem() functions, the lastFeeClaimTime is not updated, which leads to incorrect fee calculations.

high

The joinBalancerPool() function does not return the remaining assets to the user.

medium

bid() will result in a denial of service (DoS) attack if the bidder address is on the blacklist.

medium

In the joinBalancerAndPredeposit() function, the remaining Balancer Pool Tokens are not returned to the user.

medium

It is possible to manipulate the price of the BondToken by constructing a dexPool.

Allora v0.8.0 Update

Allora v0.8.0 Update

8,305.77 USDC • Sherlock • LZ_security

bronze

Findings not publicly available for private contests.

Dec '24

Autonomint Colored Dollar V1

Autonomint Colored Dollar V1

86.42 OP • 4 total findings • Sherlock • LZ_security

#25

high

Using LayerZero for synchronizing global states between two chains may lead to overwriting of global states.

high

In redeemUSDT(), users can arbitrarily set the price parameters.

high

In the liquidate() function, the remaining gas fee should be allocated to the caller (admin) instead of the user.

medium

The position of calculateCumulativeRate in the depositTokens() and withDraw() functions is incorrect.

Nov '24

MANTRA Chain

MANTRA Chain

1,034.01 USDC • 1 total finding • Code4rena • zhaojie

#9

medium

Resolver is not initialized in the protocol's keeper

Oct '24

Usual V1

Usual V1

3,354.08 USDC • 1 total finding • Sherlock • LZ_security

silver

high

The UsualSP::removeOriginalAllocation() function is missing the update of the user’s reward data.

Mento x Good$ Integration

Mento x Good$ Integration

750 USDC • Sherlock • ZeroTrust

bronze
Orderly Solana Vault Contract

Orderly Solana Vault Contract

2,793.60 USDC • 2 total findings • Sherlock • LZ_security

silver

high

In the deposit() function, due to the lack of a check on deposit_token, an attacker can use the Mint of any token to replace the Mint of USDC.

medium

The absence of the addExecutorOrderedExecutionOption parameter causes the ordered delivery mode to fail.

Sep '24

infinitypools

infinitypools

5,395.77 USDC • 1 total finding • Cantina • lian886

#9

high

Finding not yet public.

Kakarot

Kakarot

616.72 USDC • 1 total finding • Code4rena • zhaojie

#15

medium

Reentrancy check in account_contract can be easily circumvented

WOOFi Swap on Solana

WOOFi Swap on Solana

101.15 USDC • 1 total finding • Sherlock • LZ_security

#6

medium

Missing permission control in create_oracle and create_pool.

Flayer

Flayer

3,855.25 USDC • 17 total findings • Sherlock • ZeroTrust

silver

high

There is a logical error inside the ProtectedListings::adjustPosition() function, which could lead to manipulation of users’ interest.

high

There is a calculation error inside the calculateCompoundedFactor() function, causing users to overpay interest.

high

The relist() function lacks a check on listing.created, which allows borrowing money from the listing without incurring interest.

high

Due to the delay in converting token1 fees into token0 (WETH) fees in beforeSwap(), an attacker can execute a sandwich attack to gain risk-free profits.

high

InfernalRiftBelow.thresholdCross verify the wrong msg.sender

high

InfernalRiftBelow.claimRoyalties no verification msg.sender

high

Users with more than 50% of the voting rights can steal other users' tokens.

high

The shutdown can still be canceled after execute, causing users to fail to claim tokens.

high

The tokens (collectionTokens and WETH) used for initializeCollection() to create a liquidity position are permanently locked in Uniswap V4.

medium

The fee set by the setFee() function will not take effect.

medium

The unused tokens from the user’s initialization of UniswapV4‘s pool will be locked in the UniswapImplementation contract.

medium

There is a logical error in the removeFeeExemption() function.

medium

There is a calculation error inside the modifyListings() function.

medium

There is a logical error in the _distributeFees() function, resulting in an unfair distribution of fees.

medium

An attacker can block the execution of CollectionShutdown.execute

medium

In the unlockProtectedListing() function, the interest that was supposed to be distributed to LP holders was instead burned.

medium

Malicious users can exploit createListings() and liquidateProtectedListing() functions in the ProtectedListings contract to replace Listings::createListings() in order to evade paying the tax fee.”

Aug '24

Superposition

Superposition

0 USDC • Code4rena • zhaojie

#34

Sentiment V2

Sentiment V2

443.81 USDC • 5 total findings • Sherlock • ZeroTrust

#19

medium

The liquidate() function requires that after liquidation, the position must be in a healthy state. This may result in certain positions never being liquidated if they cannot reach a healthy state, potentially leaving them in limbo.

medium

The getValueInEth function should include a price refresh mechanism to prevent outdated prices from causing financial losses for users.

medium

The liquidationFee should be applied to the profit from the liquidation, rather than to all the assets obtained by the liquidator.

medium

Using forceApprove instead of approve

medium

The issue regarding the missing pause functionality has not been resolved.

Jul '24

LoopFi

LoopFi

2,579.53 USDC • 11 total findings • Code4rena • lian886

#8

high

There is a calculation error in AuraVault::redeem().

high

AuraVault inherits AccessControl BUT does not call the _setupRole() function in it's constructor to set the initial roles, this leads to a complete DOS of the important claim function rendering the contract unable to claim rewards

high

`Flashlender.sol#flashLoan()` should use `mintProfit()` to mint fees. The current implemetation may lead to locked up WETH in PoolV3.

medium

Discrepency b/w the `lastRewadTime` and the `lastAllPoolUpdate` can allow for incorrect reward distribution to pools if `registerRewardDeposit` deposits less assets

medium

The debt in EligibilityDataProvider::requiredUsdValue() needs to be converted into USD; otherwise, it is not a correct value comparison.

medium

In `PositionActionPendle::_onDecreaseLever`, `tokenOut` is implemented incorrectly.

medium

Because of the Asset:Share 1:1 Conversion, if Vault Incur a Loss, the Last User to Withdraw Will Take The Entire Loss

medium

In CDPVault::liquidatePositionBadDebt(), the calculation of `loss` is incorrect.

medium

PositionAction.decreaseLever() fails to consider the loan fee in Flashlender when calculating loanAmount, as a result, the functionanlity will not work when protocolFee != 0.

medium

Malicious actor can abuse the minimum shares check in `StakingLPEth` and cause DoS or locked funds for the last user that withdraws

medium

`PositionAction.sol#onCreditFlashLoan` may have leftover tokens after conducting `leverParams.auxSwap`.

LoopFi

LoopFi

72.18 USDC • 2 total findings • Code4rena • zhaojie

#40

high

AuraVault inherits AccessControl BUT does not call the _setupRole() function in it's constructor to set the initial roles, this leads to a complete DOS of the important claim function rendering the contract unable to claim rewards

medium

Malicious actor can abuse the minimum shares check in `StakingLPEth` and cause DoS or locked funds for the last user that withdraws

Jun '24

Allora

Allora

12,731.09 USDC • 9 total findings • Sherlock • LZ_security

bronze

high

Malicious Reputer cause emissions/msgserver/InsertBulkReputerPayload to fail

high

RemoveDelegateStake/RemoveStake can write negative value

high

InsertBulkReputerPayload can be DoS

high

emissions/keeper/GetIdsOfActiveTopics may always return empty array []

medium

When a single node(blockless server) is attacked, the entire chain is attacked.

medium

The malicious node may not execute the http request

medium

The issue of SLOW ABCI METHODS has not been resolved.

medium

The SelectTopNWorkerNonces function lacks a sorting algorithm internally.

medium

topic_rewards/SafeApplyFuncOnAllActiveEpochEndingTopics used the wrong parameters

Notional Leveraged Vaults: Pendle PT and Vault Incentives

Notional Leveraged Vaults: Pendle PT and Vault Incentives

5,104.26 USDC • 8 total findings • Sherlock • ZeroTrust

silver

high

In the _splitWithdrawRequest() function, there exists an issue that causes both the from and to requestId to be 0

high

`EtherFiLib::_initiateWithdrawImpl` will revert because rebase tokens transfer 1-2 less wei

high

The lack of slippage protection in `EthenaLib::_sellStakedUSDe()` could lead to sandwich attacks.

high

The _redeemPT function lacks slippage protection.

high

The withdrawValue calculation in _calculateValueOfWithdrawRequest is incorrect.

medium

After a liquidator liquidates someone else’s position, it could cause a Denial of Service (DoS) when their own position also needs to be liquidated.

medium

The _getValueOfWithdrawRequest function uses different methods for selecting assets in various vaults.

medium

A failed rewardToken transfer results in a loss for the user

eBTC Zap Router

eBTC Zap Router

1,912.82 USDC • 1 total finding • Code4rena • lian886

#5

medium

Incorrect Comparison Logic in Post-Operation Checks

May '24

Canto

Canto

7,330.48 USDC • 1 total finding • Code4rena • zhaojie

silver

medium

An attacker can DoS a coinswap pool

Gamma - Locked Staking Contract

Gamma - Locked Staking Contract

133.81 USDC • 1 total finding • Sherlock • no

bronze

medium

Calculating reward in `exitLateById` is not right

Elfi

Elfi

2,493.00 USDC • 10 total findings • Sherlock • ZeroTrust

bronze

high

Logical error in the _executeRedeemStakeToken function in RedeemProcess.sol

high

Logical error in the getPoolIntValue function in LpPoolQueryProcess.sol

high

The `executeUpdateLeverageRequest` function is missing the operation to update the borrowing fee

high

When a user opens a short position, there is a lack of checks on the liquidity pool, which can result in the user being unable to realize their profits if they succeed.

high

In Cross Margin mode, the user’s profit calculation is incorrect.

medium

Logical error in the processExecutionFee function GasProcess.sol

medium

Using the .call() method to refund the refundFee In processExecutionFee may result in excessive gas consumption and potential reentrancy attacks.

medium

Missing executionFee in the function `createWithdrawRequest`

medium

The check for the user’s collateralUserCap is missing params.amount in AssetsProcess::deposit()

medium

The balance.unsettledAmount is missing in the calculations for `getMaxWithdraw` and `isSubAmountAllowed` in UsdPool.sol

Napier Finance - LST/LRT Integrations

Napier Finance - LST/LRT Integrations

851.14 USDC • 4 total findings • Sherlock • no

#7

medium

Using deprecated interfaces `PUFFER_DEPOSITOR.depositStETH()` causes DOS

medium

Invalid check for repayAmount in `MetapoolRouter::receiveFlashLoan` cause DOS

medium

Checking `RSETH_DEPOSIT_POOL.minAmountToDeposit()` in `RsETHAdapter::_stake()` causes Dos

medium

Checking return share in `_stake()` causes Dos

Apr '24

Teller Finance

Teller Finance

619.78 USDC • 8 total findings • Sherlock • no

#8

high

Burning shares token before calculating in `burnSharesToWithdrawEarnings()` causing error result

high

Use safeTransferFrom() instead of transferFrom()

high

Checking for Collateral required in LenderCommitmentGroup_Smart::acceptFundsForAcceptBid is incorrect

high

`TellerV2::repayLoan()` can be frontrun to profit from an increase in share price

high

Missing interest when calculating Amount owed for a bid in `LenderCommitmentGroup_Smart::liquidateDefaultedLoanWithIncentive()`

high

The collateral Token is mistakenly given to the lender when the liquidator call liquidateDefaultedLoanWithIncentive()

medium

`sharesExchangeRate()` may be zero causing Users mint zero shares token in `lenderCommitmentGroupSmart.addPrincipalToCommitmentGroup()`

medium

Calling the wrong function name in `FlashRolloverLoan_G5::_acceptCommitment()` resulted in a Denial of Service (DOS)

DYAD

DYAD

761.33 USDC • 4 total findings • Code4rena • lian886

#8

high

Kerosene collateral is not being moved on liquidation, exposing liquidators to loss

high

Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply

high

Flash loan protection mechanism can be bypassed via self-liquidations

medium

Incorrect deployment / missing contract will break functionality

Mar '24

vVv Vesting & Staking

vVv Vesting & Staking

4.31 USDC • Sherlock • no

#37

Acala

Acala

3,420.86 USDC • 2 total findings • Code4rena • zhaojie

bronze

high

Early user can break pool via inflation attack due to no minimum liquidity check in the incentive contract

medium

Incentive accumulation can be sandwiched with additional shares to gain advantage over long-term depositors

Axis Finance

Axis Finance

421.39 USDC • 1 total finding • Sherlock • no

#15

high

Missing `configureClaimableGas()` in the constructor function of `BlastGas`

Zap Protocol

Zap Protocol

9.97 USDC • 1 total finding • Sherlock • no

#12

high

Reentrancy in `Vesting::claim()` allows draining Vesting pool

Amphor

Amphor

38.91 USDC • 1 total finding • Sherlock • no

#12

medium

In `VaultZapper::_transferTokenInAndApprove`, check the wrong `owner` for the allowance of `spender` over the tokenIn.

Abracadabra Mimswap

Abracadabra Mimswap

15.33 USDC • Code4rena • zhaojie

#24

PoolTogether

PoolTogether

1.47 USDC • 1 total finding • Code4rena • zhaojie

#29

high

Any fee claim lesser than the total `yieldFeeBalance` as unit of shares is lost and locked in the `PrizeVault` contract

Phat Contract Runtime

Phat Contract Runtime

15,225.87 USDC • 2 total findings • Code4rena • zhaojie

silver

medium

An attacker can crash the cluster system by sending an HTTP request with a huge timeout

medium

A cache that times out can be recovered.

Feb '24

HydraDX

HydraDX

302.93 USDC • 1 total finding • Code4rena • zhaojie

#12

medium

[M09] No slippage check in `remove_liquidity` function in omnipool can lead to slippage losses during liquidity withdrawal.

Jan '24

Salty.IO

Salty.IO

588.55 USDC • 7 total findings • Code4rena • zhaojie

#21

high

User can evade `liquidation` by depositing the minimum of tokens and gain time to not be liquidated

high

First depositor can break staking-rewards accounting

high

First Liquidity provider can claim all initial pool rewards

medium

DOS of proposals by abusing ballot names without important parameters

medium

SALT staker can get extra voting power by simply unstaking their xSALT

medium

Reusing a SALT that has already been used for voting can allow a malicious proposal to pass and compromise the protocol.

medium

Creation of token whitelisting proposals can be DOS'd

Curves

Curves

1,418.95 USDC • 6 total findings • Code4rena • zhaojie

#8

high

Attack to make ````CurveSubject```` to be a ````HoneyPot````

high

Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`

high

Unauthorized Access to setCurves Function

medium

A subject creator within a single block can claim holder fees without holding due to unprotected reentrancy path

medium

onBalanceChange causes previously unclaimed rewards to be cleared

medium

Theft of holder fees when `holderFeePercent` was positive and is set to zero

Dec '23

Revolution Protocol

Revolution Protocol

1,220.27 USDC • 3 total findings • Code4rena • zhaojie

#5

medium

ERC20TokenEmitter will not work after a certain period of time

medium

Since buyToken function has no slippage checking, users can get less tokens than expected when they buy tokens directly

medium

The quorumVotes can be bypassed

Ethereum Credit Guild

Ethereum Credit Guild

6.82 USDC • 1 total finding • Code4rena • zhaojie

#86

medium

Malicious borrower can decrease Guild holders reward

Nov '23

ZetaChain

ZetaChain

3,338.94 USDC • 7 total findings • Code4rena • zhaojie

#8

high

Broken `NonceVoter` Allows Observer to Halt the Chain

medium

Possible index out of range in GetVoterIndex could cause ballot to never finalize due to panic

medium

An already executed InTxTracker can still be added

medium

Arbitrary destination gas limit for `CoinType_Zeta` cctxs results in paying lower gas fees

medium

Funds from reverted transaction may be lost/locked

medium

User not refunded for failed Zeta gas payment in cross chain transaction

medium

Limited Voting Options Allow Ballot Creation Spam

Canto Application Specific Dollars and Bonding Curves for 1155s

Canto Application Specific Dollars and Bonding Curves for 1155s

5.45 USDC • 1 total finding • Code4rena • zhaojie

#29

medium

No slippage protection for Market functions

Kelp DAO | rsETH

Kelp DAO | rsETH

119.47 USDC • 3 total findings • Code4rena • zhaojie

#33

high

The price of rsEHT could be manipulated by the first staker

high

Protocol mints less rsETH on deposit than intended

medium

Update in strategy will cause wrong issuance of shares

Majora

Majora

Collaborative Audit • Sherlock • ZeroTrust

Oct '23

NextGen

NextGen

35.61 USDC • 2 total findings • Code4rena • zhaojie

#70

high

Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime

medium

On a Linear or Exponential Descending Sale Model, a user that mint on the last `block.timestamp` mint at an unexpected price.

Ethena Labs

Ethena Labs

4.52 USDC • Code4rena • zhaojie

#40

Sep '23

Maia DAO - Ulysses

Maia DAO - Ulysses

25.68 USDC • Code4rena • zhaojie

#55

Aug '23

veRWA

veRWA

47.44 USDC • 1 total finding • Code4rena • zhaojie

#39

high

Delegated votes are locked when owner lock is expired

Jul '23

Tapioca DAO

Tapioca DAO

1,008.34 USDC • 1 total finding • Code4rena • zhaojie

#47

medium

The sending failure of _lzSend is not considered

Basin

Basin

17.52 USDC • Code4rena • zhaojie

#26