
Obsidian

Security Research Duo

@0xjuaan @0xSpearmint


High: 11 total
Medium: 16 total
Total earnings: $93.42K (#100 all time)
Payouts: 4x
1st places: 1x
2nd places: 1x
3rd places: 1x


Mar '25: MoreMarkets
Collaborative Audit • Sherlock • Obsidian

Feb '25: Stealth
67,000 USDC • Sherlock • Obsidian
1st place (gold)
Findings not publicly available for private contests.

Sep '24: uniswap-v4
18,451.8 USDC • 2 total findings • Cantina • juaan
Placed #6

medium: Finding not yet public.
medium: Finding not yet public.

Aug '24: ZeroLend One
5,955.17 USDC • 17 total findings • Sherlock • Obsidian
2nd place (silver)

high: The owner of an NFT position that got liquidated will continue to earn rewards based on the amount supplied and borrowed pre-liquidation
high: Not converting user collateral from shares to assets in LiquidationLogic
high: getDebtBalance does not convert shares to assets
high: _accrueToTreasury (interest fee) does not increment total supply
high: Malicious attacker can inflate interest rate to steal funds from borrowers at no cost
high: Attacker can continually steal all the interest earned by suppliers in the vault
high: Malicious pool deployer can set a malicious interest rate contract to lock funds of vault depositors
high: Anyone can reduce interest rate to effectively zero instantly
high: When bad debt is accumulated, the loss is not shared amongst all suppliers; instead the last to withdraw will experience a huge loss
high: An attacker can sandwich liquidations by borrowing the collateral to ensure the liquidation reverts
medium: Repaying loans via NFT position manager will always revert. User collateral will be stuck forever.
medium: Incorrect handling of allocation.assets=0 in CuratedVault.reallocate()
medium: Inconsistent rounding of rayMul() leads to failed repayment of tokens
medium: getAssetPrice stale price threshold of 1800 is too small, which makes the protocol unusable
medium: executeMintToTreasury does not update interest rate
medium: getAssetPrice does not account for the decimals returned by Chainlink; an attacker can use this to steal supplied funds
medium: A malicious attacker can frontrun and grief the deposit of the first depositor

Sentiment V2
2,009.44 USDC • 8 total findings • Sherlock • Obsidian
3rd place (bronze)

high: By inflating the value of a pool share, a malicious actor can steal a large amount of funds
medium: ChainlinkOracle does not check if the returned price is outside the min/max range for the token
medium: Attacker can take advantage of high LTV tokens to create bad debt for the protocol
medium: The RedstoneCoreOracle has a constant stale price threshold; this is dangerous to use with tokens that have a smaller threshold, as the oracle will report stale prices as valid
medium: SuperPool inherits Pausable but none of the functions have the `whenNotPaused` modifier
medium: `deploySuperPool` will revert if the asset is USDT
medium: The `convertToShares()` function is not ERC-4626 compliant
medium: Liquidation fee is incorrectly calculated, leading to unprofitable liquidations