https://sherlock-files.ams3.digitaloceanspaces.com/twitter_images/d5a7a546-e93e-4243-aa2f-4e087641078d.jpg

Respx

Security Researcher

Security Engineer at @sigp_io. Graduate of @TheSecureum Epoch Zero. Player of @nodeguardians.

Contact Me

High

Total

Medium

Total

$32.31K

Total Earnings

#264 All Time

12x

Payouts

1x

1st Places

1x

2nd Places

2x

3rd Places

All

Sherlock

Code4rena

Aug '24

Chakra

40.99 USDT • 5 total findings • Code4rena • Respx

#41

high

There is no refund mechanism in `ChakraSettlement.processCrossChainCallback` or `ChakraSettlementHandler.receive_cross_chain_callback` function

high

`ChakraSettlement.receive_cross_chain_msg` and `ChakraSettlement.receive_cross_chain_callback` functions do not ensure that receiving `ChakraSettlement` contract's `contract_chain_name` must match `to_chain` corresponding to respective `txid` input though

high

SettlementSignatureVerifier is missing check for duplicate validator signatures

high

In Starknet already processed messages can be re-submitted and by anyone

high

handler's `receive_cross_chain_callback()` will always set the tx_status to `SETTLED` on source chain & burn the tokens (MintBurn Mode) even when the msg fails on destination

Mar '23

Canto Identity Subprotocols contest

19.87 USDC • 1 total finding • Code4rena • Respx

#28

medium

Bio Protocol - `tokenURI` JSON injection

Y2K

776.35 USDC • 5 total findings • Sherlock • Respx

#19

high

Users can avoid all deposit fees by depositing through the carousel queue and immediately relaying

high

Queued deposits can be trapped by a rogue depositing contract that reverts when in the queue

high

Re-enlisting in a rollover allows modification of other users' rollover amounts/delisting their rollovers

medium

A slow response or a denial of service attack could prevent the resolution of a brief depeg

medium

Carousel rollover queues can become clogged with small items

Feb '23

Surge

6.94 USDC • 1 total finding • Sherlock • Respx

#21

medium

Pool tokens are susceptible to double use of an allowance

Sep '22

Frax Ether Liquid Staking contest

271.25 USDC • 3 total findings • Code4rena • Respx

#15

medium

Rewards delay release could cause yields steal and loss

medium

removeValidator() and removeMinter() may fail due to exceeding gas limit

medium

frxETHMinter.depositEther may run out of gas, leading to lost ETH

VTVL contest

1,611.82 USDC • 2 total findings • Code4rena • Respx

medium

_baseVestedAmount() and vestedAmount() Return Incorrect Historical Values

medium

Reentrancy may allow an admin to steal funds

Y2k Finance contest

1,006.63 USDC • 3 total findings • Code4rena • Respx

#11

high

Incorrect handling of pricefeed.decimals()

high

Griefing attack on the Vaults is possible, withdrawing the winning side stakes

medium

StakingRewards: recoverERC20() can be used as a backdoor by the owner to retrieve rewardsToken

Canto Dex Oracle contest

2,772.1 CANTO • 1 total finding • Code4rena • Respx

medium

System is Vulnerable to Downtime and has no Checks for it

Nouns Builder contest

106.2 USDC • Code4rena • Respx

#85

Aug '22

Nouns DAO contest

10,610.11 USDC • 1 total finding • Code4rena • Respx

medium

Voters can burn large amounts of Ether by submitting votes with long reason strings

FIAT DAO veFDT contest

12,925.77 USDC • 2 total findings • Code4rena • Respx

high

Delegators can Avoid Lock Commitments if they can Reliably get Themselves Blocked when Needed

medium

Blocking Through Change of Blocklist Could Trap Tokens

Jul '22

Axelar Network v2 contest

2,166.27 USDC • 1 total finding • Code4rena • Respx

medium

Change of operators possible from old operators