TessKimy

Security Researcher

contract DemoreXTess is SR { bool public DMsOpen; constructor() { DMsOpen = true; } }

High: 20 Total

Medium: 31 Total

$35.54K Total Earnings

#235 All Time

27x Payouts

gold: 1x 1st Places

silver: 1x 2nd Places

regular: 17x Top 10

Mar '25

reserve-index-dtfs-solana

3,873.81 USDC • 4 total findings • Cantina • DemoreXTess

#4

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Feb '25

Usual Labs

6,142.70 USDC • Sherlock • TessKimy

silver

Yieldoor

25.21 USDC • 2 total findings • Sherlock • TessKimy

#22

high

Incorrect position leverage calculation

medium

Secondary position is not compatible with position width <= 4 * tickSpacing

THORWallet

0.35 USDC • 1 total finding • Code4rena • DemoreX

#8

high

MergeTgt has no handling if TGT_TO_EXCHANGE is exceeded during the exchange period

Jan '25

Liquid Ron

0.03 USDC • 2 total findings • Code4rena • DemoreX

#10

high

The calculation of `totalAssets()` could be wrong if `operatorFeeAmount` > 0, this can cause potential loss for the new depositors

medium

Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

Peapods

5,395.93 USDC • 9 total findings • Sherlock • TessKimy

#4

high

Some pod token transfers can be reverted unexpectedly

medium

Utilization rate change can be sandwiched in lending vault for profit

medium

Incorrect calculation of vault utilization value may cause loss of funds for the lending vault users in bad debt scenario

medium

Incorrect `minAnswer` check doesn't protect the protocol from massive price drops

medium

Malicious liquidator can intentionally leave dust amount of collateral and won't trigger bad debt handling

medium

Transaction may revert unexpectedly due to missing allowance for the lending pair asset

medium

Last position's liquidation price is incorrectly calculated

medium

All the burn and mint functions are impacted from incorrect _update handling if there is a fee

medium

aspToken price is incorrectly calculated when `hasSelfLendingPod` = true

Beraborrow

6,080.22 USDC • Sherlock • TessKimy

#4

Findings not publicly available for private contests.

Aave v3.3

1,239.95 USDC • Sherlock • TessKimy

#28

Dec '24

Idle Finance Credit Vaults

1,142.76 USDC • Sherlock • TessKimy

#5

Findings not publicly available for private contests.

Nov '24

Extra Finance

575.86 OP • Sherlock • TessKimy

#5

Findings not publicly available for private contests.

RuneMine by Mine Labs’

228.15 USDC • Sherlock • TessKimy

#6

Findings not publicly available for private contests.

Chiliz Chain System Contracts

2,700.04 USDC • Sherlock • TessKimy

#4

Findings not publicly available for private contests.

vVv Launchpad - Investments & Token distribution

94.59 USDC • 1 total finding • Sherlock • TessKimy

gold

high

Project tokens can be stolen by the attacker with frontrunning

Oct '24

Ethos Network Social Contracts

45.37 USDC • 1 total finding • Sherlock • TessKimy

#6

medium

Compromised addresses can take action in the profile

Kleidi

969.09 USDC • 2 total findings • Code4rena • DemoreX

#4

medium

Wrong handling of call data check indices, forcing it sometimes to revert

medium

Gas griefing/attack via creating the proposals

Sep '24

Boost Core Incentive Protocol

32.19 USDC • 2 total findings • Sherlock • TessKimy

#21

high

`clawback()` function can't be called by the owner of the boost due to wrong owner checking

medium

Fee on transfer tokens are not supported in boost protocol

symbioticfi-core

2,211.51 USDC • 1 total finding • Cantina • DemoreXTess

#9

medium

Finding not yet public.

Aug '24

ZeroLend One

948.30 USDC • 7 total findings • Sherlock • TessKimy

#14

high

Wrong conversion from liquidity shares to assets causing loss of funds

high

Interest rate is not updated correct after debt repayment, it can cause higher borrowing rate

high

Incorrect Variable Usage in Liquidation Logic Can Prevent Positions from Being Fully Liquidated

high

Borrowing rate is dropping significantly due to wrong interest rate update

high

Vault's `totalAssets()` implementation causing wrong amount of share minting

high

Liquidated positions which is borrowed from NFT position manager can still earn rewards

medium

Inflation/donation attack is possible in current Vault implementation

Fjord Token Staking

0.19 USDC • 1 total finding • CodeHawks • demorextess

#20

medium

[H-01] Auction tokens will be lost forever when auction ends without bids

Winnables Raffles

515.87 USDC • 3 total findings • Sherlock • TessKimy

#5

high

All the raffle events can be cancelled by the attacker

high

Admin can't withdraw available balance due to wrong locked ETH amount

medium

In certain situations, winner can't claim his prize due to unbounded ticket count

Tadle

17.67 USDC • 6 total findings • CodeHawks • demorextess

#87

high

TokenManager - Unlimited withdraw

high

Native token withdrawal fails until manually approved

high

Malicious user can drain protocol by bypassing `ASK` offer abortion validation in `Turbo` mode

medium

Unnecessary balance checks and precision issues in TokenManager::_transfer

low

[Low-01] Missing Access Control in `CapitalPool::approve()` Function Allows any User to call it to set Allowance Amount `TokenContract` to `type(uint256).max`.

low

3 `OfferStatus` are never used, and code seems to have contradicting intentions

Jul '24

TraitForge

48.59 USDC • 4 total findings • Code4rena • DemoreX

#56

high

The maximum number of generations is infinite

medium

There is no slippage check in the `nuke()` function.

medium

NFTs mature too slowly under default settings.

medium

Incorrect check against golden entropy value in the first two batches

Munchables

316.71 USDC • 2 total findings • Code4rena • DemoreX

#22

high

Invalid validation in _farmPlots function allowing a malicious user repeated farming without locked funds

medium

Users can farm on zero-tax land if the landlord locked tokens before the LandManager deployment

Biconomy: Nexus

556.21 USDC • 1 total finding • CodeHawks • demorextess

#6

low

Fallback Handlers Can Be Installed with Invalid Calltype

MagicSea - the native DEX on the IotaEVM

0.56 USDC • 2 total findings • Sherlock • TessKimy

#62

medium

Anyone can add funds to any position

medium

No revert on failure tokens can be deposited without adding funds and can be stolen by the user

Jun '24

eBTC Zap Router

2,356.92 USDC • 1 total finding • Code4rena • DemoreX

#4

medium

Staking ETH incorrectly assumes revert bubbling

Apr '24

NOYA

19.17 USDC + NOYA stars • 2 total findings • Code4rena • DemoreX

#83

high

`AccountingManager::resetMiddle` will not behave as expected

medium

Attacker can increase the length of `withdrawQueue` by withdrawing 0 amount of tokens frequently