VAD37

Security Researcher

Contact Me

High: 41 total
Medium: 51 total
Total Earnings: $43.28K (#208 All Time)
Payouts: 39x
2nd Places: 1x
3rd Places: 2x
Top 10: 15x

Mar '25

Nudge.xyz

0.06 USDC • 1 total finding • Code4rena • VAD37

#8

medium

Unauthorized Reallocation in `NudgeCampaign::handleReallocation` and Reward Disruption Vulnerability in `NudgeCampaign::invalidateParticipations`

Nov '24

Debita Finance V3

244.10 USDC • 3 total findings • Sherlock • VAD37

#19

medium

Precision lost in `DebitaIncentives.claimIncentives()` will cause missing rewards for users with smaller lending/borrowing activity

medium

Borrow Order collateral issue: previous manager of `Receipt-veNFT` still has "Manager" access to grief the lender

medium

Anyone can delete the same order twice, which will also delete other users' orders

Jul '24

LoopFi

67.83 USDC • 1 total finding • Code4rena • VAD37

#42

medium

`PoolV3#repayCreditAccount()` uses an incorrect share-converting function to calculate profit and loss

Jun '24

Size

10,308.59 USDC • 6 total findings • Code4rena • VAD37

#5

high

Risk of Overpayment Due to Race Condition Between repay and liquidateWithReplacement Transactions

high

Users won't liquidate positions because the logic used to calculate the liquidator's profit is incorrect

medium

Sandwich attack on loan fulfillment will temporarily prevent users from accessing their borrowed funds

medium

Size uses wrong source to query available liquidity on Aave, resulting in borrow and lend operations being bricked upon mainnet deployment

medium

Multicall does not work as intended

medium

LiquidateWithReplacement does not charge swap fees on the borrower

Apr '24

NOYA

986.88 USDC + NOYA stars • 10 total findings • Code4rena • VAD37

#14

high

A Vault can steal all funds from another Vault through the Registry's flash loan contract due to insufficient access control in `Connector.sendTokensToTrustedAddress()`

high

`executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`

high

`NoyaValueOracle.getValue` returns an incorrect price when a multi-token route is used

medium

CompoundConnector.sol misses unclaimed rewards in getPositionTVL, resulting in undervalued positionTVL/TVL

medium

First depositor can make subsequent depositor lose all of her or his deposit

medium

Incorrect modifier condition

medium

Stale price can be used in `getValueFromChainlinkFeed` function

medium

Balancer flashloan contract can be DOSed completely by sending 1 wei to it

medium

`depositQueue.queue` in `AccountingManager` can be flooded causing a DoS

medium

No function to claim the reward in `PancakeswapConnector`.

DYAD

196.8 USDC • 7 total findings • Code4rena • VAD37

#58

high

Attacker can make 0 value deposit() calls to deny user from redeeming or withdrawing collateral

high

Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine

high

Kerosene collateral is not being moved on liquidation, exposing liquidators to loss

high

Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply

medium

Attacker can frontrun to prevent vaults from being removed from the dNFT owner's position

medium

Value of kerosene can be manipulated to force liquidate users

medium

setUnboundedKerosineVault not called during deployment, causing reverts when querying for Kerosene value after adding it as a Kerosene vault

Mar '24

Ondo Finance

8.28 USDC • Code4rena • VAD37

#17

vVv Vesting & Staking

14.86 USDC • Sherlock • VAD37

#32

Revert Lend

560.21 USDC • 1 total finding • Code4rena • VAD37

#25

high

`V3Vault.sol` permit signature does not check receiving token address is USDC

Feb '24

AI Arena

65.83 USDC • 8 total findings • Code4rena • VAD37

#77

high

Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win

high

Since you can reroll with a different fighterType than the NFT you own, you can reroll bypassing maxRerollsAllowed and reroll attributes based on a different fighterType

high

Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes

high

Fighters cannot be minted after the initial generation due to uninitialized `numElements` mapping

medium

NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on-chain due to underflow, and the user can recover past losses that should not be recoverable (stealing the protocol's tokens)

medium

Can mint NFT with the desired attributes by reverting transaction

medium

Constraints of dailyAllowanceReplenishTime and allowanceRemaining during mint() can be bypassed by using alias accounts & safeTransferFrom()

medium

DoS in `MergingPool::claimRewards` function and potential DoS in `RankedBattle::claimNRN` function if called after a significant amount of rounds passed.

Jan '24

Salty.IO

372.8 USDC • 1 total finding • Code4rena • VAD37

#38

medium

Attacker can take advantage of a Chainlink price update not occurring within its 60 minute heartbeat to make PriceAggregator calls fail

Telcoin Platform Audit

371.15 USDC • 2 total findings • Sherlock • VAD37

#6

high

`StakingRewardsManager.sol` function `topUp()` does not use array index or `indices` to setup config

high

Burning a `CouncilMember` NFT mixes up the rewards balance of other NFT members, causing wrong rewards for users

Truflation

67.11 USDC • 1 total finding • Sherlock • VAD37

#10

medium

`TrufVesting` migration forgets to move rewards from `VirtualStakingRewards` along to the new address if a user really lost their private keys

Oct '23

NextGen

679.35 USDC • 6 total findings • Code4rena • VAD37

#18

high

Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime

high

Attacker can reenter to mint all the collection supply

high

Adversary can block `claimAuction()` due to push-strategy to transfer assets to multiple bidders

medium

On a Linear or Exponential Descending Sale Model, a user that mints on the last `block.timestamp` mints at an unexpected price.

medium

The RandomizerVRF and RandomizerRNG do not produce a hash value.

medium

Artist signatures can be forged to impersonate the artist behind a collection

The Wildcat Protocol

105 USDC • 1 total finding • Code4rena • VAD37

#45

high

Borrower can drain all funds of a sanctioned lender

Sep '23

Allo V2

421.87 USDC • 1 total finding • Sherlock • VAD37

#18

high

`Registry.sol` generated clone `Anchor.sol` never works. Profile owner cannot use their `Anchor` wallet

Aug '23

Livepeer Onchain Treasury Upgrade

2,318.7 USDC • 1 total finding • Code4rena • VAD37

#5

high

Underflow in updateTranscoderWithFees can cause corrupted data and loss of winning tickets.

Jul '23

Tokensoft

66.79 USDC • 1 total finding • Sherlock • VAD37

#15

high

Everyone can mint an infinite amount of VoteToken/GovernanceToken for free

Tokemak

71.68 USDC • 2 total findings • Sherlock • VAD37

#47

high

`LMPVaultRouterBase` mint and deposit functions unintentionally pull WETH from the user when using only ETH

high

Steal TOKE reward by transferring `LMPVault` token to another address

Beam

354.77 USDC • Sherlock • VAD37

3rd place

Jun '23

GLIF

1,007.76 USDC • Sherlock • VAD37

#8

Findings not publicly available for private contests.

May '23

Chainlink Cross-Chain Services: CCIP and ARM Network

201.79 USDC • Code4rena • VAD37

#40

USSD - Autonomous Secure Dollar

213.61 USDC • 5 total findings • Sherlock • VAD37

#8

high

Forgot to apply the `onlyBalancer` modifier to `mintRebalancer()` in `UUSD.sol`, allowing an arbitrage attack to steal the entire pool and collateral when rebalancing

high

Exploitation of `getSupplyProportion()`: Using Uniswap Flashloan to force `USSDRebalancer.sol` Pool/Collateral Swap and Subsequent Fund Thefts

high

UniswapV3 Tick Position Used to Manipulate USSD/DAI Pool Price

high

`amountToBuyLeftUSD` always returns 0. `USSDRebalancer.sol` cannot buy collateral tokens

medium

Chainlink oracle issues: stale, heartbeat, minAnswer price, zero price

DODO Margin Trading

116.10 USDC • 1 total finding • Sherlock • VAD37

2nd place

high

`MarginTrading.sol` Lacks Permission Check, Exposing Funds to Theft

Apr '23

Rubicon v2

604.45 USDC • 2 total findings • Code4rena • VAD37

#23

high

FeeWrapper fails to handle ETH payment refunds

medium

Use of `block.number` leads to incorrect interest calculations

Mar '23

Gitcoin

736.39 USDC • Sherlock • VAD37

#4

Y2K

1,487.95 USDC • 5 total findings • Sherlock • VAD37

#10

high

DOS `_mintShare()` using Openzeppelin ERC1155 `_mint` callback

high

`enlistInRollover()` for the same user a second time stores the wrong index and breaks the rollover queue if delisted right after

high

User can bypass treasury tax

high

`mintRollovers()` gives the wrong amount of shares/assets to the user

medium

`whiteListAddress` is set incorrectly if the same treasury address is used twice

Feb '23

Surge

3.65 USDC • 1 total finding • Sherlock • VAD37

#22

high

H- 1 wei ERC4626

Carapace

282.09 USDC • 1 total finding • Sherlock • VAD37

#22

high

Claimable amount for all locked capital in a lending pool only returns the latest snapshot and a wrong total claimable amount

Jun '22

Infinity NFT Marketplace contest

446.25 USDC • 2 total findings • Code4rena • VAD37

#23

medium

Malicious governance can use `updateWethTranferGas` to steal WETH from buyers

medium

ETH mistakenly sent over with ERC20 based takeOrders and takeMultipleOneOrders calls will be lost

May '22

veToken Finance contest

2,825.25 USDT • 4 total findings • Code4rena • VAD37

#9

medium

`VE3DRewardPool` and `VE3DLocker` add to an unbounded array, which may potentially lock all rewards in the contract

medium

`VE3DRewardPool` claim in a loop depends on a pausable token

medium

Unable To Get Rewards If Admin Withdraws $VE3D tokens From `VeTokenMinter` Contract

medium

Misconfiguration of Fees Incentive Might Cause Tokens To Be Stuck In `Booster` Contract

Rubicon contest

77.89 USDC • 2 total findings • Code4rena • VAD37

#71

high

First depositor can break minting of shares

medium

Use `safeTransfer()`/`safeTransferFrom()` instead of `transfer()`/`transferFrom()`

Cally contest

1,483.46 USDC • 4 total findings • Code4rena • VAD37

#14

medium

Expiration calculation overflows if call option duration ≥ 195 days

medium

It shouldn't be possible to create a vault with Cally's own token

medium

Vault is Not Compatible with Fee Tokens and Vaults with Such Tokens Could Be Exploited

medium

Users may accidentally overpay in `buyOption()` and the excess will be paid to the vault creator

FactoryDAO contest

261.85 DAI • 3 total findings • Code4rena • VAD37

#25

medium

safeTransferFrom is recommended instead of transfer (1)

medium

amount requires to be updated to contract balance increase (1)

medium

ERC20 tokens with different decimals than 18 leads to loss of funds

Forgotten Runes Warrior Guild contest

1,211.75 USDC • 2 total findings • Code4rena • VAD37

#9

medium

Use of `.send()` May Revert if The Recipient's Fallback Function Consumes More Than 2300 Gas

medium

IERC20.transfer does not support all ERC20 tokens

Apr '22

xTRIBE contest

9,535.45 USDC • 1 total finding • Code4rena • VAD37

3rd place

medium

First xERC4626 deposit exploit can break share calculation

Badger Citadel contest

4,200.73 USDC • 3 total findings • Code4rena • VAD37

#5

high

StakedCitadel depositors can be attacked by the first depositor with depressing of vault token denomination

high

StakedCitadel doesn't use correct balance for internal accounting

high

StakedCitadel: wrong setupVesting function name

Backed Protocol contest

54.28 USDC • Code4rena • VAD37

#32

Mar '22

LI.FI contest

1,247.23 USDC • 3 total findings • Code4rena • VAD37

#16

medium

[WP-H7] Infinite approval to an arbitrary address can be used to steal all the funds from the contract

medium

Anyone can get swaps for free given certain conditions in `swap`.

medium

`msg.value` is sent multiple times when performing a swap