
T1MOH

Security Researcher

Hakuna Matata | ASR at Spearbit | Resident at Cantina |


High: 4 solo / 62 total
Medium: 6 solo / 94 total
Total Earnings: $195.21K (#47 All Time)
Payouts: 49x
1st Places: 2x (gold)
2nd Places: 3x (silver)
3rd Places: 1x (bronze)


Dec '24

bima-money

43,154.42 USDC • 10 total findings • Cantina • T1MOH

gold

4 high findings: not yet public.

6 medium findings: not yet public.

Oct '24

stakeup-bloomv2

105.1 USDC • 3 total findings • Cantina • T1MOH

#57

2 high findings: not yet public.

1 medium finding: not yet public.

Jul '24

Zaros Part 1

123.96 USDC • 4 total findings • CodeHawks • T1MOH

#46

high

Market Disruption and Financial Loss Post-Liquidation

high

`LiquidationBranch::checkLiquidatableAccounts()` executes its `for` loop with wrong bounds, causing an array out-of-bounds revert, so the function will not work as expected

medium

An Uninitialized Variable In The `MarketConfiguration::update` Function Causes The `PrepMarket::getIndexPrice` Function To Revert

low

Trading accounts can exceed the maximum number of allowed open positions.

MakerDAO Endgame

4,232.56 USDC • Sherlock • T1MOH

#26

May '24

Beanstalk: The Finale

87,092.67 USDC • 43 total findings • CodeHawks • T1MOH

gold

high

`LibChainlinkOracle::getTokenPrice` will always return instantaneous prices

high

LibUsdOracle will compromise Beanstalk peg due to wrong price and DoS

high

LibUsdOracle returns the wrong price for Uniswap Oracle

high

`ReseedSilo#reseedSiloDeposit` does not credit the user any `roots`

high

Successful transactions are not stored, causing a replay attack on ``redeemDepositsAndInternalBalances``

high

Internal balances are never actually migrated within `L2ContractMigrationFacet`

high

L2ContractMigrationFacet doesn't increase total Stalk and Roots

high

User's stalk is overwritten instead of increased within `ReseedSilo`

high

Grown Stalk is incorrectly calculated in ReseedSilo

high

L2ContractMigrationFacet migrates incorrect amount of Stalk

high

`L2ContractMigrationFacet.addMigratedDepositsToAccount()` doesn't update some global balances during the migration.

high

Possible loss of user's balances after calling `addMigratedDepositsToAccount()`.

high

ReseedSilo doesn't update total balances of Stalk and Roots

high

`LibPipelineConvert.executePipelineConvert()` doesn't decrease Grown Stalk when BDV decreases

high

ReseedBarn.sol doesn't initialize `s.sys.fert.recapitalized`

high

`s.sys.silo.unripeSettings` are never set after migration which breaks Unripe functionality

medium

USD prices don't work for 20 hours per day

medium

The declaration and use of `LibTractor::BLUEPRINT_TYPE_HASH` are inconsistent with the structure `struct Blueprint`, and the standard is confusing. It is recommended to unify the standard

medium

`SiloFacet::transferDeposit` does not verify if amount is 0, leading to full withdrawal DoS for any recipient

medium

LibUsdOracle is completely broken for the to-deploy L2 chain

medium

quickSort function does not work as expected, compromising the calculation of Beans per Well to be minted during a flood

medium

When migrating via `L2ContractMigrationFacet`, user is not minted roots for the newly accrued stalk

medium

`LibSilo.transferStalk()` uses incorrect formula to roundUp

medium

`L2ContractMigrationFacet.addMigratedDepositsToAccount()` forfeits "unmowed" rewards from other Silo deposits

medium

`L2ContractMigrationFacet.addMigratedDepositsToAccount()` doesn't push depositId to `depositIdList`

medium

ReseedField.sol incorrectly configures Field values because of mistake in storage layout

medium

Invariable.sol won't save Bean from exploit because of flawed entitlement calculation

medium

Attacker can spam Plots to victim to cause DOS on Plot transfer

medium

Orderers will lose their Beans after migration to L2

medium

Potential Loss of Fertilizer ERC1155 NFTs During L1 to L2 Migration.

low

The `LibWeth` hardcodes the `WETH` address which makes it incompatible on the to-deploy L2 chain

low

LibUsdOracle inverses Chainlink TWAP price which results in incorrect price

low

`BeanL1RecieverFacet#recieveL1Beans()` would never work

low

Incorrect Hardcoded Block Time Assumptions in Beanstalk's LibDibbler

low

ETH/USD 1 hour period is too large for Optimism/Base L2 Chains and too small for Arbitrum/Avalanche leading to consuming stale price data.

low

The `DepotFacet` contract uses an incorrect `PIPELINE` address.

low

Cannot configure `temperature` in ReseedField due to type mismatch

low

`ReseedBarn.init()` will run out of gas due to minting fertilizers on some L2s

low

`LibWell.getBeanTokenPriceFromTwaReserves()` incorrectly assumes that token has 18 decimals

low

`LibWell.getWellTwaUsdLiquidityFromReserves()` returns liquidity with incorrect precision

low

`LibFertilizer.beginBarnRaiseMigration()` incorrectly checks that Oracle supports such token

low

SeasonGettersFacet returns the wrong totalDeltaB

low

UsdOracle reverts on tokens which are not wstETH, WETH, Bean

Euler-v2

6,914 USDC • Cantina • T1MOH

#18

Apr '24

TITLES Publishing Protocol

195.83 USDC • 2 total findings • Sherlock • T1MOH

#19

medium

`encodeData` is incorrectly calculated thus not compatible with EIP712

medium

Signature malleability breaks TitlesGraph.sol

DYAD

585.68 USDC • 10 total findings • Code4rena • T1MOH

#15

high

Attacker can make 0 value deposit() calls to deny user from redeeming or withdrawing collateral

high

Inability to perform partial liquidations allows huge positions to accrue bad debt in the system

high

Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine

high

Kerosene collateral is not being moved on liquidation, exposing liquidators to loss

high

Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply

medium

`VaultManagerV2.sol::burnDyad` function is missing an `isDNftOwner` modifier, allowing a user to burn another user's minted DYAD

medium

No incentive to liquidate small positions could result in protocol going underwater

medium

Value of kerosene can be manipulated to force liquidate users

medium

setUnboundedKerosineVault not called during deployment, causing reverts when querying for Kerosene value after adding it as a Kerosene vault

medium

No incentive to liquidate when CR <= 1 as asset received < dyad burned

Mar '24

vVv Vesting & Staking

431.72 USDC • Sherlock • T1MOH

#9

Feb '24

100x

856.37 USDC • Sherlock • T1MOH

#5

Findings not publicly available for private contests.

Jan '24

JOJO Exchange Update

802.17 USDC • 2 total findings • Sherlock • T1MOH

#4

high

All funds can be stolen from JOJODealer

medium

After withdraw user can be subject to immediate liquidation

Nov '23

metamorpho-and-periphery

3,633.32 USDC • 1 total finding • Cantina • T1MOH

#5

medium

Finding not yet public.

Canto Application Specific Dollars and Bonding Curves for 1155s

695.82 USDC • 2 total findings • Code4rena • T1MOH

#7

high

Owner cannot withdraw all interest due to wrong calculation of accrued interest in withdrawCarry

medium

No slippage protection for Market functions

Kelp DAO | rsETH

130.28 USDC • 3 total findings • Code4rena • T1MOH

#32

high

The price of rsETH could be manipulated by the first staker

high

Protocol mints less rsETH on deposit than intended

medium

Update in strategy will cause wrong issuance of shares

Oct '23

Open Dollar

1,943.12 USDC • 6 total findings • Code4rena • T1MOH

#7

high

Missing debt check lets users start a debt auction of non-existent debt

high

Incorrect calculations for Surplus Auction creation cause massive surplus imbalances

medium

Unable to retrieve price information with CamelotRelayer contract

medium

Approved address can approve other addresses for an owner's safe

medium

Due to extremely short `votingDelay` and `votingPeriod`, governance is practically impossible.

medium

`ODSafeManager#allowSAFE()` cannot be executed either by the proxy contract or any other address.

The Wildcat Protocol

525.61 USDC • 3 total findings • Code4rena • T1MOH

#16

high

Borrower has no way to update `maxTotalSupply` of `market` or close market.

medium

`setAnnualInterestBips()` can be abused to keep a market's reserve ratio at 90%

medium

`collectFees()` updates delinquency wrongly as `_writeState()` is called before assets are transferred

Brahma

1,815.04 USDC • 1 total finding • Code4rena • T1MOH

bronze

medium

Module transactions will always fail because they are incompatible with Safe 1.5.0

Sep '23

Maia DAO - Ulysses

39.31 USDC • 2 total findings • Code4rena • T1MOH

#49

high

All tokens can be stolen from `VirtualAccount` due to missing access modifier

medium

Incorrect source address decoding in RootBridgeAgent and BranchBridgeAgent's _requiresEndpoint breaks LayerZero communication

Centrifuge

132.86 USDC • 1 total finding • Code4rena • T1MOH

#28

medium

Cached `DOMAIN_SEPARATOR` is incorrect for tranche tokens potentially breaking permit integrations

DittoETH

1,079.78 USDC • 12 total findings • CodeHawks • T1MOH

#13

high

Users Lose Funds and Market Functionality Breaks When Market Reaches 65k Id

medium

Possible DOS on deposit(), withdraw() and unstake() for BridgeReth, leading to user loss of funds

medium

User can create small position after exit with bid

medium

Division before multiplication results in lower `dittoMatchedShares` distributed to users

medium

Using a cached price in the critical shutdownMarket()

low

Loss of precision in `twapPriceInEther` due to division before multiplication

low

`onERC721Received()` callback is never called when new tokens are minted in Erc721Facet.sol

low

ETH cannot always be unstaked using Rocket Pool

low

Instant arbitrage opportunity through rETH and stETH price discrepancy

low

Partial filled short does not reset liquidation flag after user gets fully liquidated, meaning healthy position will still be flagged if the rest of the order gets filled.

low

Combined short record might exceed the maximum collateral ratio (CRATIO_MAX)

low

User will lose collateral in the exact case `cRatio == minimumCR`

Aug '23

Chainlink Staking v0.2

41.45 USDC • Code4rena • T1MOH

#57

Dopex

1,030.79 USDC • 7 total findings • Code4rena • T1MOH

#19

high

The settle feature will be broken if an attacker arbitrarily transfers collateral tokens to the PerpetualAtlanticVaultLP

high

Incorrect precision assumed from RdpxPriceOracle creates multiple issues related to value inflation/deflation

medium

Inaccurate swap amount calculation in ReLP leads to stuck tokens and lost liquidity

medium

_curveSwap: getDpxEthPrice and getEthPrice are in the wrong order

medium

`sync` function in `RdpxV2Core.sol` should be called in multiple scenarios to account for the balance changes that occur

medium

No slippage protection for bonders

medium

Change of `fundingDuration` causes "time travel" of `PerpetualAtlanticVault.nextFundingPaymentTimestamp()`

Shell Protocol

1,933.59 USDC • 1 total finding • Code4rena • T1MOH

#7

high

Lack of Balance Validation

Sparkn

642.35 USDC • 1 total finding • CodeHawks • T1MOH

#10

medium

The `digest` calculation in `deployProxyAndDistributeBySignature` does not follow EIP-712 specification

veRWA

9.82 USDC • Code4rena • T1MOH

#52

PoolTogether V5: Part Deux

89.63 USDC • 1 total finding • Code4rena • T1MOH

#24

high

`rngComplete` function should only be called by `rngAuctionRelayer`

Tangible Caviar

1,160.58 USDC • Code4rena • T1MOH

#12

Good Entry

1,120.8 USDC • 3 total findings • Code4rena • T1MOH

#9

high

Overflow can still happen when calculating `priceX8` inside the `poolMatchesOracle` operation

high

V3Proxy swapTokensForExactETH does not send back to the caller the unused input tokens

medium

Return value of low level `call` not checked.

Jul '23

Moonwell

12,924.2 USDC • 5 total findings • Code4rena • T1MOH

silver

medium

Incorrect chainId of Base in deploy script will force redeployment

medium

Incorrect address is set as Wormhole Bridge, which breaks deploy

medium

Initial deploy won't succeed because of too high `initialMintAmount` for USDC market

medium

Proposals which intend to send native tokens to target addresses can't be executed

medium

`TemporalGovernor` can be bricked by `guardian`

Foundry DeFi Stablecoin CodeHawks Audit Contest

1.17 USDC • 3 total findings • CodeHawks • T1MOH

#130

medium

staleCheckLatestRoundData() does not check the status of the Arbitrum sequencer in Chainlink feeds.

medium

DSC protocol can consume stale price data or cannot operate on some EVM chains

medium

Chainlink oracle will return the wrong price if the aggregator hits `minAnswer`

CodeHawks Escrow Contract - Competition Details

2.47 USDC • 1 total finding • CodeHawks • T1MOH

#94

gas

Use Openzeppelin Minimal Clones to Save a Lot of Gas

Amphora Protocol

9.43 USDC • Code4rena • T1MOH

#23

Axelar Network

1,410.12 USDC • 2 total findings • Code4rena • T1MOH

#9

medium

InterchainProposalExecutor.sol doesn't support non-EVM addresses as caller or sender

medium

Proposal requiring native coin transfers cannot be executed

Beam

542.92 USDC • Sherlock • T1MOH

silver

Jun '23

Lybra Finance

563.69 USDC • 4 total findings • Code4rena • T1MOH

#19

high

Governance wrongly calculates `_quorumReached()`

high

`_voteSucceeded()` returns true when `againstVotes > forVotes` and vice versa

medium

Due to inappropriately short `votingPeriod` and `votingDelay`, it is near impossible for the governance to function correctly.

medium

Liquidation won't work when bad and safe collateral ratio are set to default values

Llama

2,628.75 USDC • 2 total findings • Code4rena • T1MOH

#8

high

In `LlamaRelativeQuorum`, the governance result might be incorrect as it counts the wrong approval/disapproval.

medium

It is not possible to execute actions that require ETH (or other protocol token)

Stader Labs

1,836.7 USDC • 3 total findings • Code4rena • T1MOH

#16

medium

`updatePoolAddress` function always reverts when updating an existing poolId

medium

`pause/unpause` functionalities not implemented in many pausable contracts

medium

No bidder has an incentive to bid in the Auction except for last-minute MEV due to the fixed endBlock

May '23

Maia DAO Ecosystem

9,223.28 USDC • 12 total findings • Code4rena • T1MOH

#8

high

Incorrect flow of adding liquidity in UlyssesRouter.sol

high

TalosBaseStrategy#init() lacks slippage protection

high

Rerange/rebalance should not use protocolFee as asset for adding liquidity

medium

Governance relies on the current totalSupply of bHermes when calculating `proposalThresholdAmount` and `quorumVotesAmount`

medium

ERC4626PartnerManager.sol mints extra `partnerGovernance` tokens to itself, resulting in over supply of governance token

medium

`unstakeAndWithdraw` inside `BoostAggregator` could lose pendingRewards in certain case

medium

Wrong consideration of block formation period causes incorrect votingPeriod and votingDelay calculations

medium

[M-01] Some functions in Talos contracts do not allow the user to supply slippage and deadline, which may cause swaps to revert

medium

RestakeToken function is not permissionless

medium

Lack of slippage protection can lead to significant loss of user funds

medium

Deploy flow of Talos is broken

medium

UlyssesPool.sol does not match EIP4626 because of preview functions

Chainlink Cross-Chain Services: CCIP and ARM Network

201.79 USDC • Code4rena • T1MOH

#40

USSD - Autonomous Secure Dollar

2,254.85 USDC • 10 total findings • Sherlock • T1MOH

silver

high

ETH/USD priceFeed address is used as BTC/USD

high

Wrong decimals for DAI/ETH chainlink priceFeed are used

high

No access control in rebalancer functions in USSD.sol

high

No slippage control when performing swap in USSD.sol

high

Protocol assumes DAI is $1

medium

Chainlink's latestRoundData returns stale or incorrect results

medium

StableOracle contracts will return the wrong price for asset if underlying aggregator hits minAnswer

medium

StableOracleWBTC uses the BTC/USD chainlink oracle to price WBTC, which is problematic if WBTC depegs

medium

`BuyUSSDSellCollateral()` always sells 0 amount if it needs to sell part of the collateral

medium

Possible DOS of USSDRebalancer due to price deviation of oracle

Juicebox Buyback Delegate

321.72 USDC • Code4rena • T1MOH

#12

Ajna Protocol

36.24 USDC • Code4rena • T1MOH

#49

Apr '23

JOJO Exchange

364.96 USDC • 2 total findings • Sherlock • T1MOH

#25

medium

No slippage protection in FlashloanLiquidate makes liquidator lose money

medium

Missing `payable` in Subaccount.execute() leads to reverting calls to payable functions

Teller

1,192.30 USDC • 3 total findings • Sherlock • T1MOH

#8

high

Lender can force a loan to default

medium

Market owner can sandwich `submitBid()` to receive the entire collateral in exchange for the principal

medium

Lenders will lose their loan repayments if a new lender manager is set

Frankencoin

68.89 USDC • 2 total findings • Code4rena • T1MOH

#52

high

CHALLENGER_REWARD can be used to drain reserves and free mint

medium

Challengers and bidders can collude together to restrict the minting of position owner

Caviar Private Pools

15.31 USDC • 2 total findings • Code4rena • T1MOH

#67

medium

Royalty recipients will not get fair share of royalties

medium

`changeFeeQuote` will fail for low decimal ERC20 tokens

Rubicon v2

79.79 USDC • 6 total findings • Code4rena • T1MOH

#63

high

RubiconMarket batchOffer and batchRequote make offers as self; complete loss of funds for some types of tokens, for example WETH

high

Reward accounting is incorrect in BathBuddy contract

medium

BathBuddy contract should implement methods to pause and unpause contract

medium

Incorrect fee handling in Position.sol's Market Buy/Sell functions

medium

Incorrect calculations can occur when calling `Position._marketBuy` and `Position._marketSell` functions that do not include maker fee in `_fee`

medium

Calling `Position._marketBuy` and `Position._marketSell` functions that calculate `_fee` by dividing by `10000` can cause incorrect calculations

Mar '23

Asymmetry contest

988.4 USDC • 3 total findings • Code4rena • T1MOH

#6

high

`WstEth` derivative assumes a ~1:1 peg of stETH to ETH

high

Reth `poolPrice` calculation may overflow

high

Price of sfrxEth derivative is calculated incorrectly

Canto Identity Subprotocols contest

22.77 USDC • Code4rena • T1MOH

#27