
MalfurionWhitehat

Security Researcher

Independent Security Researcher ZKP master Shan'do Co-ruler of the night elves First of the Druids Arch-Druid of the Moonglade

High: 7 total

Medium: 2 solo, 9 total

Total Earnings: $15.96K

#418 All Time

Payouts: 9x

2nd Places: 1x (silver)

Top 10: 3x

Top 25: 6x

Mar '25

Forte: Float128 Solidity Library

5.37 USDC • 1 total finding • Code4rena • MalfurionWhitehat

#27

high

Natural Logarithm Function Silently Accepts Invalid Non-Positive Inputs

Apr '23

JOJO Exchange

286.02 USDC • 1 total finding • Sherlock • MalfurionWhitehat

#31

high

Lack of access control in FlashloanRepay, FlashloanLiquidate, GeneralRepay, and DepositStableCoinToDealer can lead to user loss of funds

ENS Contest

11,952.84 USDC • 1 total finding • Code4rena • MalfurionWhitehat

silver

medium

Missing recursive calls handling in `OffchainDNSResolver` CCIP-aware contract

Rubicon v2

491.43 USDC • 4 total findings • Code4rena • MalfurionWhitehat

#28

high

DOS of market operations with malicious offers

medium

Incorrect calculations can occur when calling `Position._marketBuy` and `Position._marketSell` functions that do not include maker fee in `_fee`

medium

Calling `Position._marketBuy` and `Position._marketSell` functions that calculate `_fee` by dividing by `10000` can cause incorrect calculations

medium

Calling `ExpiringMarket.stop` and `ExpiringMarket.isClosed` functions cannot pause any functionalities of the market

Feb '23

Surge

10.60 USDC • 2 total findings • Sherlock • MalfurionWhitehat

#20

high

Pool is vulnerable to inflation attack

medium

Pool approve/transferFrom is vulnerable to race condition

Carapace

307.35 USDC • 2 total findings • Sherlock • MalfurionWhitehat

#20

high

Protection seller will lose unlocked capital if it fails to claim during more than one period

high

Gas Limit Denial of Service via unbounded operations on active protections enumerable set

Jan '23

Ajna

1,987.54 USDC • 2 total findings • Sherlock • MalfurionWhitehat

#6

medium

Memorializing an NFT position on the same bucket of a previously memorialized NFT locks redemption

medium

Minting an NFT with a position on the same bucket as a previously minted NFT changes its deposit time

Biconomy - Smart Contract Wallet contest

771.51 USDC • 2 total findings • Code4rena • MalfurionWhitehat

#13

high

`FeeRefund.tokenGasPriceFactor` is not included in signed transaction data allowing the submitter to steal funds

medium

[Medium-3] Non-compliance with EIP-4337

Notional Update

144.57 USDC • 1 total finding • Sherlock • MalfurionWhitehat

#5

medium

Possible division by zero depending on `TradingModule.getOraclePrice` return values