Tricko

Security Researcher

High: 25 total
Medium: 31 total
Total Earnings: $13.01K (#471 All Time)
Payouts: 37x
1st Places (gold): 1x
3rd Places (bronze): 2x
Top 10 (regular): 13x

Aug '24

Superposition

1,706.84 USDC • 3 total findings • Code4rena • Tricko

#10

high: Position's owed fees should allow underflow but it reverts instead, resulting in locked funds
high: `get_fee_growth_inside` in `tick.rs` should allow for `underflow`/`overflow` but doesn't
high: Parameter Misordering in Fee Collection Function Causes Denial of Service and Fee Loss

Apr '24

Zivoe

309.72 USDC • 1 total finding • Sherlock • Tricko

#38

high: Staking reward accrual in `ZivoeRewards` contract can be blocked.

Mar '24

RadicalxChange

1.18 USDC • 1 total finding • Sherlock • Tricko

bronze

high: Function `_cancelAllBids()` does not check if the bid being cancelled is the highest bid

Amphor

38.91 USDC • 1 total finding • Sherlock • Tricko

#12

medium: Incorrect allowance check will make calls to VaultZapper user-related functions revert.

Feb '24

Rio Network

96.95 USDC • 3 total findings • Sherlock • Tricko

#26

high: Epoch is not increased when settlement is queued.
medium: Gas Limitation for ETH transfers can break compatibility with Smart Contract Wallets.
medium: depositBalanceIntoEigenLayer can be DoS.

AI Arena

64.43 USDC • 2 total findings • Code4rena • Tricko

#83

high: Player can mint more fighter NFTs during claim of rewards by leveraging reentrancy on the `claimRewards()` function
medium: Can mint NFT with the desired attributes by reverting transaction

Jan '24

Arcadia

36.24 USDC • 1 total finding • Sherlock • Tricko

#8

medium: StakedStargateAM._getCurrentReward() fetches incorrect values, affecting rewards calculation.

Telcoin Platform Audit

2,353.84 USDC • 3 total findings • Sherlock • Tricko

gold

high: `CouncilMember._retrieve()` will revert due to improper use of the `_target` variable.
medium: Funds can be lost when changing stream parameters in `CouncilMember` contract.
medium: Holder of `CouncilMember` NFT can DoS the `CouncilMember` contract.

Dec '23

Revolution Protocol

180.84 USDC • 3 total findings • Code4rena • Tricko

#35

medium: Anyone can pause AuctionHouse in _createAuction
medium: Since buyToken function has no slippage checking, users can get less tokens than expected when they buy tokens directly
medium: CultureIndex.sol#dropTopVotedPiece() - Malicious user can manipulate topVotedPiece to DoS the whole CultureIndex and AuctionHouse

Nov '23

Nouns Builder

828.43 USDC • 1 total finding • Sherlock • Tricko

#8

medium: Attacker can force pause the Auction contract.

Canto Application Specific Dollars and Bonding Curves for 1155s

1.37 USDC • 1 total finding • Code4rena • Tricko

#31

medium: No slippage protection for Market functions

Oct '23

NextGen

0.62 USDC • 2 total findings • Code4rena • Tricko

#109

high: Attacker can reenter to mint all the collection supply
medium: Auction winner can prevent payments via `safeTransferFrom` callback

LooksRare

166.38 USDC • 1 total finding • Sherlock • Tricko

#8

medium: Index values selected in `_woundRequestFulfilled()` are not uniformly distributed.

The Wildcat Protocol

16.66 USDC • 1 total finding • Code4rena • Tricko

#62

medium: Function WildcatMarketController.setAnnualInterestBips allows for values outside the factory range

Sep '23

Venus Prime

4.37 USDC • Code4rena • Tricko

#39

Aug '23

veRWA

36.94 USDC • 1 total finding • Code4rena • Tricko

#43

high: Voters from VotingEscrow can vote infinite times in vote_for_gauge_weights() of GaugeController

Jul '23

Chainlink Cross-Chain Contract Administration: Multi-signature Contract, Timelock and Call Proxies

677.54 USDC • Code4rena • Tricko

#5

Jun '23

Unstoppable

228.69 USDC • 1 total finding • Sherlock • Tricko

#17

high: Attacker can DoS Margin DEX by leaving bad debt

May '23

USSD - Autonomous Secure Dollar

0.00 USDC • 2 total findings • Sherlock • Tricko

#103

high: Lack of slippage control can lead to losses during rebalancing.
high: Attacker can exploit `mintRebalancer` and `rebalance` to unbalance the USSD-DAI pool.

Footium

1.15 USDC • 2 total findings • Sherlock • Tricko

#30

medium: `claimERC20Prize` not compatible with some non-standard compliant tokens
medium: `FootiumClub`'s `safeMint` does not check if the receiving address supports ERC-721 transfers.

Apr '23

Frankencoin

420.57 USDC • 2 total findings • Code4rena • Tricko

#20

medium: anchorTime() will not work properly on Optimism due to use of block.number
medium: function `restructureCapTable()` in Equity.sol not functioning as expected

Rubicon v2

1,063.71 USDC • 1 total finding • Code4rena • Tricko

#9

medium: `BathBuddy` rewards DoS

Mar '23

Asymmetry contest

969.37 USDC • 5 total findings • Code4rena • Tricko

#7

high: An attacker can manipulate the preDepositvePrice to steal from other users.
high: `WstEth` derivative assumes a ~1=1 peg of stETH to ETH
medium: Possible DoS on `unstake()`
medium: In de-peg scenario, forcing full exit from every derivative & immediately re-entering can cause big losses for depositors
medium: Missing derivative limit and deposit availability checks will revert the whole `stake()` function

Telcoin Update

442.29 USDC • 1 total finding • Sherlock • Tricko

bronze

medium: `slash` calls can be blocked, allowing malicious users to bypass the slashing mechanism.

Feb '23

Surge

125.06 USDC • 2 total findings • Sherlock • Tricko

#15

medium: Interest accrued could be zero for tokens with a small number of decimals
medium: `approve` method can be front-run in some situations

Carapace

307.35 USDC • 2 total findings • Sherlock • Tricko

#20

high: Claimable amounts not accumulated correctly in `claimUnlockedCapital` can lead to loss of funds to depositors.
high: No hard limit on protection buyers can block calls to `accruePremiumAndExpireProtections`

OpenQ

126.23 USDC • 2 total findings • Sherlock • Tricko

#32

high: Whitelist bypass can lead to arbitrary freeze of bounty claims.
high: Bounty claims can be blocked by early refund of NFTs.

Jan '23

RabbitHole Quest Protocol contest

364.2 USDC • 3 total findings • Code4rena • Tricko

#15

medium: Possible scenario for Signature Replay Attack
medium: Buyer on secondary NFT market can lose funds if they buy an NFT that is already used to claim the reward
medium: User may lose rewards if the receipt is minted after quest end time

Cooler

31.00 USDC • 2 total findings • Sherlock • Tricko

#29

high: Use of non-standard compliant ERC20 tokens can lead to uncollateralized loans and wrong repayment values
medium: Loans can be rolled against the will of the lender by frontrunning their call to toggleRoll

Biconomy - Smart Contract Wallet contest

172.14 USDC • 2 total findings • Code4rena • Tricko

#39

high: Arbitrary transactions possible due to insufficient signature validation
high: Replay attack (EIP712 signed transaction)

Dec '22

Caviar contest

191.32 USDC • 2 total findings • Code4rena • Tricko

#27

high: First depositor can break minting of shares
medium: Price will not always be 18 decimals, as expected and outlined in the comments

prePO contest

1,273.08 USDC • 1 total finding • Code4rena • Tricko

#7

high: griefing / blocking / delaying users to withdraw

Escher contest

0.84 USDC • 1 total finding • Code4rena • Tricko

#70

high: `LPDA` price can underflow the price due to bad settings and potentially brick the contract

PoolTogether contest

440.59 USDC • Code4rena • Tricko

#9

Nov '22

Canto contest

269.94 CANTO • Code4rena • Tricko

#8

Blur Exchange contest

42.55 USDC • Code4rena • Tricko

#29

Oct '22

Paladin - Warden Pledges contest

19.64 USDC • Code4rena • Tricko

#33