Tendency

Security Researcher

Security Researcher | Warden Application Reviewer @code4rena

High

31

Total

Medium

2

Solo

30

Total

$14.24K

Total Earnings

#432 All Time

24x

Payouts

silver

1x

2nd Places

bronze

2x

3rd Places

regular

7x

Top 10

Oct '24

Orderly Solana Vault Contract

1,997.97 USDC • 2 total findings • Sherlock • Tendency

bronze

high

Unchecked `deposit_token` Allows Malicious Token Substitution During Withdrawals

high

Inadequate User Verification Allows Unauthorized Token Redirection

Sep '24

Flayer

795.08 USDC • 6 total findings • Sherlock • Tendency

#21

high

When reListing, Fees are Wrongly also Refunded For Liquidation Listings

high

Incorrect Checkpoint Index Handling When Timestamps Match Between Updates

high

Compounded Factor Miscalculated Due to Improper Interest Rate Scaling

high

L1 to L2 Token Transfers Always Fail Due to Alias Address Check Error

medium

Faulty Exemption Check Prevents Fee Removal and Correct Fee Application in `UniswapImplementation`

medium

Users Can Block the Owner from Executing a Collection Shutdown by Creating Listings

Aug '24

Perennial V2 Update #3

219.16 USDC • 1 total finding • Sherlock • Tendency

#8

medium

An Attacker can Cancel Any Accounts Group thus DoSing Supposed Valid Txns

ZeroLend One

238.55 USDC • 4 total findings • Sherlock • Tendency

#29

high

Error in `PositionBalanceConfiguration::getSupplyBalance`

high

Inconsistent Borrow Shares Handling Prevents Full Debt Repayment

high

Flawed Treasury Share Handling Could DoS Some Users from Withdrawing

high

Erroneous Debt Share Handling in Liquidation Logic

Sentiment V2

68.32 USDC • 1 total finding • Sherlock • Tendency

#38

medium

Inclusion of Unrecognized Assets in Position Health Checks Leads to Inaccurate Assessments and Potential DoS

Apr '24

Renzo

13.98 USDC • 3 total findings • Code4rena • Tendency

#45

high

Withdrawals logic allows MEV exploits of TVL changes and zero-slippage zero-fee swaps

high

Incorrect calculation of queued withdrawals can deflate TVL and increase ezETH mint rate

medium

Deposits will always revert if the amount being deposited is less than the bufferToFill value

Zivoe

659.01 USDC • 6 total findings • Sherlock • Tendency

#21

high

After ITO Ends, Users Claimable `$ZVE` Tokens are Prone to Manipulation

high

Revoking a Schedule Will DoS Some Withdrawals

high

Users Never Lose Their Assigned Weight After Their Vesting Schedule is Revoked

medium

`ema` is miscalculated during the first yield distribution

medium

Deposited Rewards Could Be Stuck

medium

Strict Allowance Check Could Brick a Major Functionality in `OCL_ZVE`

Mar '24

Smart-contracts

161.03 USDC • 1 total finding • Cantina • tendency

#27

high

Finding not yet public.

RadicalxChange

1.18 USDC • 1 total finding • Sherlock • Tendency

bronze

high

The Highest Bidder Can Maliciously Cancel His Bid Just Before Closing the Auction

Taiko

2,740.36 USDC • 2 total findings • Code4rena • Tendency

#9

high

Signatures can be replayed in `withdraw()` to withdraw more tokens than the user originally intended.

medium

The top tier prover can not re-prove

Telcoin Platform Audit Update

228.70 USDC • 1 total finding • Sherlock • Tendency

silver

medium

StableCoin BlackListing Feature is Ineffective

Feb '24

Tapioca

3,620.58 USDC • 7 total findings • Sherlock • Tendency

#8

high

Flaw in Cross-Chain Approval System Raises Risk of Unauthorized Token Transfers

medium

Exercising Options In a destination Chain for Some msg Type is Impossible

medium

Incorrect `tapOft` Amounts Will Be Sent to Desired Chains on Certain Conditions

medium

`mTOFT::wrap` Function, Doesn't Work Rightly When Wrapping Native Tokens

medium

Missing Admin Setters for `_pause()` and `_unpause()`

medium

Flawed Initialization in `BigBang` Contract: `minMintFeeStart` Exceeds `maxMintFeeStart`

medium

Underflow Vulnerability in `Market::_allowedBorrow` Function: Oversight with Pearlmit Allowance Handling

Althea Liquid Infrastructure

80.56 USDC • 1 total finding • Code4rena • Tendency

#25

medium

`LiquidInfrastructureERC20.sol` disapproved holders keep part of the supply, diluting approved holders revenue.

AI Arena

3.25 USDC • 4 total findings • Code4rena • Tendency

#148

high

A locked fighter can be transferred; leads to game server unable to commit transactions, and unstoppable fighters

high

Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes

high

Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`

medium

Fighter created by mintFromMergingPool can have arbitrary weight and element

Jan '24

Decent

148.47 USDC • 3 total findings • Code4rena • Tendency

#32

high

When `DecentBridgeExecutor.execute` fails, funds will be sent to a random address

high

Anyone can update the address of the Router in the DcntEth contract to any address they would like to set.

medium

DecentEthRouter.sol#_bridgeWithPayload() - Any refunded ETH (native token) will be refunded to the DecentBridgeAdapter, making them stuck

reNFT

14.38 USDC • Code4rena • Tendency

#58

Dec '23

Ethereum Credit Guild

626.26 USDC • 4 total findings • Code4rena • Tendency

#20

high

The userGaugeProfitIndex is not set correctly, allowing an attacker to receive rewards without waiting

high

Anyone can steal all distributed rewards

medium

There is no way to liquidate a position if it breaches maxDebtPerCollateralToken value creating bad debt.

medium

SurplusGuildMinter.getReward() is susceptible to DoS due to unbounded loop

Oct '23

Open Dollar

239.76 USDC • 3 total findings • Code4rena • Tendency

#22

medium

Approved address can approve other addresses for an owner's safe

medium

SafeHandler contract doesn't have any method to call to `ODSafeManager.allowHandler()`, lead to DOS in some function

medium

Decimal Limitation in CamelotRelayer and UniV3Relayer Contract Deployment

Sep '23

Maia DAO - Ulysses

1,167.23 USDC • 3 total findings • Code4rena • Tendency

#16

medium

Incorrect source address decoding in RootBridgeAgent and BranchBridgeAgent's _requiresEndpoint breaks LayerZero communication

medium

Message channels can be blocked resulting in DoS

medium

`ArbitrumBranchBridgeAgent::_performFallbackCall` Function Does Not Refund Users Their Excess Native Gas Deposit

Aug '23

Dopex

666.81 USDC • 4 total findings • Code4rena • Tendency

#29

high

The settle feature will be broken if attacker arbitrarily transfer collateral tokens to the PerpetualAtlanticVaultLP

high

Users can get immediate profit when deposit and redeem in `PerpetualAtlanticVaultLP`

medium

The RdpxV2Core contract allows anyone to call redeem tokens even if the contract is paused.

medium

User can avoid paying high premium price by correctly timing his bond call

veRWA

37.43 USDC • 2 total findings • Code4rena • Tendency

#42

high

Users may be forced into long lock times to be able to undelegate back to themselves.

high

Delegated votes are locked when owner lock is expired

Tangible Caviar

330.52 USDC • Code4rena • Tendency

#31

Jul '23

Moonwell

88.25 USDC • 1 total finding • Code4rena • Tendency

#33

medium

Proposals which intend to send native tokens to target addresses can't be executed

May '23

DODO Margin Trading

95.87 USDC • 1 total finding • Sherlock • Tendency

#6

high

An Attacker Can Perform A Griefing Attack on Margin Trading Users by Exploiting the `executeOperation` Function and Using the Margin Trading Contract as the Receiver Address