McToady

Security Researcher

Solidity. ETH. Join our gen art cult @CircolorsDAO

High: 19 total
Medium: 15 total
Total earnings: $2.89K
Rank: #912 all time
Payouts: 14x (regular)
Top 10: 2x (regular)
Top 25: 5x (regular)
Top 50: 9x (regular)

Sep '24

Flayer

242.15 USDC • 4 total findings • Sherlock • McToady

#41

high

Users collection tokens are stuck in `CollectionShutdown` contract if the shutdown is cancelled after they place their vote

high

`_listing` mapping not deleted when calling `Listings::reserve` can lead to a token being sold when it shouldn't be for sale

high

Mismatch of index and array lengths in `ProtectedListings` checkpoint when actions happen at the same timestamp causes an out of bounds array access revert

medium

`CollectionShutdown::execute` does not check all tokens are being pulled from the locker when sunsetting a collection, meaning tokens can end up permanently stuck in the locker contract

Aug '24

Phi

1,160.52 USDC • 6 total findings • Code4rena • McToady

#4

high

Reentrancy Vulnerability Allows Bypass of Cooldown, Leading to Unfair Reward Extraction Through Flash Loan

high

Signature replay in `signatureClaim` results in unauthorized claiming of rewards

high

Exposed `_removeCredIdPerAddress` & `_addCredIdPerAddress` allows anyone to cause issues to current holders as well as upcoming ones

high

Signature replay in `createArt` allows to impersonate artist and steal royalties

medium

Refunds sent to incorrect addresses in certain cases

medium

Lack of data validation when users are claiming their art allows malicious user to bypass signature/merkle hash to provide unapproved `ref_`, `artId_` and `imageURI`

Jul '24

TraitForge

0 USDC • 1 total finding • Code4rena • McToady

#89

high

`mintToken()`, `mintWithBudget()`, and `forge()` in the `TraitForgeNft` Contract Will Fail Due to a Wrong Modifier Used in `EntropyGenerator.initializeAlphaIndices()`

Munchables

87.16 USDC • 1 total finding • Code4rena • McToady

#35

high

Failure to Update Dirty Flag in transferToUnoccupiedPlot Prevents Reward Accumulation On Valid Plot

Velocimeter

249.41 USDC • 2 total findings • Sherlock • McToady

#30

high

Malicious user can permanently extend a users LP lock in gauge by calling `OptionTokenV4::exerciseLp` and setting the user as `_recipient`

high

Malicious User can spam `VotingEscrow::create_lock_for` to DoS a user from creating their own position or delegating their votes

May '24

YOLO Games

198.3 USDC • 1 total finding • Cantina • mctoady

#14

medium

Finding not yet public.

Mar '24

Smart-contracts

315.58 USDC • 1 total finding • Cantina • mctoady

#25

high

Finding not yet public.

PoolTogether

33.22 USDC • 1 total finding • Code4rena • McToady

#26

high

Any fee claim lesser than the total `yieldFeeBalance` as unit of shares is lost and locked in the `PrizeVault` contract

Feb '24

UniStaker Infrastructure

266.89 USDC • Code4rena • McToady

#7

AI Arena

79.27 USDC • 9 total findings • Code4rena • McToady

#64

high

Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win

high

Since you can reroll with a different fighterType than the NFT you own, you can reroll bypassing maxRerollsAllowed and reroll attributes based on a different fighterType

high

Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes

high

Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`

medium

NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on the chain due to underflow, and can recover past losses that can't be recovered (steal protocol's token)

medium

Minter / Staker / Spender roles can never be revoked

medium

Can mint NFT with the desired attributes by reverting transaction

medium

DoS in `MergingPool::claimRewards` function and potential DoS in `RankedBattle::claimNRN` function if called after a significant amount of rounds passed.

medium

Fighter created by mintFromMergingPool can have arbitrary weight and element

Jan '24

Curves

248.13 USDC • 4 total findings • Code4rena • McToady

#18

high

Unauthorized Access to setCurves Function

medium

Single token purchase restriction on curve creation enables sniping

medium

Selling will be bricked if all other tokens are withdrawn to ERC20 token

medium

onBalanceChange causes previously unclaimed rewards to be cleared

Dec '23

Revolution Protocol

2.67 USDC • 1 total finding • Code4rena • McToady

#74

medium

Bidder can use donations to get VerbsToken from auction that already ended.

Nov '23

Kelp DAO | rsETH

2.76 USDC • Code4rena • McToady

#54

Apr '23

Rubicon v2

4.26 USDC • 3 total findings • Code4rena • McToady

#108

high

DOS of market operations with malicious offers

medium

Fee inclusivity calculations are inaccurate in RubiconMarket

medium

Calling `ExpiringMarket.stop` and `ExpiringMarket.isClosed` functions cannot pause any functionalities of the market