Varun_05

Security Researcher

High findings: 27 total

Medium findings: 17 total

Total earnings: $22.05K

#338 All Time

Payouts: 19x

1st places (gold): 1x

2nd places (silver): 2x

3rd places (bronze): 1x

Oct '24

Avantis v1.5: Cross-Asset Leverage

3,031.77 OP • Sherlock • Varun_05

#8

Findings not publicly available for private contests.

Aug '24

ZeroLend One

489.28 USDC • 7 total findings • Sherlock • Varun_05

#21

high

executeMintToTreasury incorrectly deducts the treasury shares from totalSupply reserve

high

Interest rates are updated wrongly due to incorrect debt shares used.

high

In execute repay function updation of interests will be incorrect.

high

getSupplyBalance returns wrong amount of assets

high

Incorrect value of debt is accessed in executeLiquidationcall function

high

reserves state of pool in which the vault has position is not updated before accruing fees shares.

medium

assets are not withdrawn fully if allocation to that reserve is zero in reallocate function

Jul '24

Union Finance Update #2

2,760.02 USDC • 4 total findings • Sherlock • Varun_05

gold

high

_accrueRewards function in Comptroller.sol uses outdated value of globalTotalStaked variable.

high

Interest amount is not scaled which can cause various accounting issues.

high

In debtWriteOff function _totalStaked variable is reduced by unscaled amount.

high

In vouchFaucet value of claimedTokens[token][msg.sender] is never set.

Jun '24

Orderly Network

914.70 USDC • Sherlock • Varun_05

#7

Findings not publicly available for private contests.

May '24

Tokensoft Distributor Contracts Update

303.16 USDC • 1 total finding • Sherlock • Varun_05

silver

medium

claim function in PerAddressTrancheVestingMerkleDistributor.sol will always revert thus causing user to never claim their tokens.

Olas

11,394.18 USDC • 5 total findings • Code4rena • Varun_05

silver

high

`pointsSum.slope` Not Updated After Nominee Removal and Votes Revocation

medium

Removed nominee doesn't receive staking incentives for the epoch in which they were removed which is against the intended behaviour

medium

In retain function checkpoint nominee function is not called which can cause zero amount of tokens being retained.

medium

Unstake function reverts because of use of outdated/stale serviceIds array

medium

checkpoint function is not called before staking which can cause loss of rewards for already staked services.

Munchables

28.81 USDC • 3 total findings • Code4rena • Varun_05

#12

high

Malicious user can call `lockOnBehalf` repeatedly to extend a user's `unlockTime`, removing their ability to withdraw previously locked tokens

high

Invalid validation allows users to unlock early

medium

Players can gain more NFTs benefiting from that past remainder in subsequent locks

Napier Finance - LST/LRT Integrations

661.36 USDC • 2 total findings • Sherlock • Varun_05

#9

medium

swapETHForYt would always revert due to a wrong check in receiveFlashLoan function.

medium

Stake limit is updated by wrong amount for some cases.

Apr '24

TITLES Publishing Protocol

1,407.21 USDC • 6 total findings • Sherlock • Varun_05

bronze

high

collectionReferrerShare is not given to the right referrer when tokenId is minted.

high

mintBatch mints more tokens than the amount on which the fees was applied.

high

Whenever a new work is added to an existing edition it overwrites the referrers[editon] value which denies the previous referrer from fees which he should receive.

medium

mintBatch function will revert because it tries to pay excess fees than intended which won't be present in the contract.

medium

_refundExcess implements wrong logic

medium

transferWork can change the creator of a work to different address but the mint fees is still transferred to the old address.

Zivoe

46.02 USDC • 2 total findings • Sherlock • Varun_05

#48

high

_totalSupply reduced by wrong amount for some cases

high

_writeCheckpoint function is called with wrong amounts for a user if some tokens have already been withdrawn.

Mar '24

vVv Vesting & Staking

26.05 USDC • Sherlock • Varun_05

#29

Zap Protocol

9.97 USDC • 1 total finding • Sherlock • Varun_05

#12

high

claim function is vulnerable to reentrancy attack

Amphor

718.89 USDC • 2 total findings • Sherlock • Varun_05

#6

high

There is an error in creating Redeem Request when owner and receiver are not same which can lead to irredeemable shares

medium

_transferTokenInAndApprove function in VaultZapper.sol checks if condition for wrong address

Feb '24

AI Arena

1.96 USDC • 2 total findings • Code4rena • Varun_05

#158

high

Since you can reroll with a different fighterType than the NFT you own, you can reroll bypassing maxRerollsAllowed and reroll attributes based on a different fighterType

high

Fighters cannot be minted after the initial generation due to uninitialized `numElements` mapping

Jan '24

LooksRare YOLO

17.38 USDC • 1 total finding • Sherlock • Varun_05

#7

high

depositETHIntoMultipleRounds function allows depositing zero amount of eth in some rounds.

JOJO Exchange Update

173.30 USDC • 1 total finding • Sherlock • Varun_05

#7

medium

A spender (operator) cannot request withdraw on behalf of the client due to an error in values

Curves

0.19 USDC • 4 total findings • Code4rena • Varun_05

#134

high

Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`

high

Unauthorized Access to setCurves Function

medium

onBalanceChange causes previously unclaimed rewards to be cleared

medium

Curves::_buyCurvesToken(), Excess of Eth received is not refunded back to the user.

Dec '23

Ethereum Credit Guild

33.46 USDC • 2 total findings • Code4rena • Varun_05

#80

high

Users staking via the `SurplusGuildMinter` can be immediately slashed when staking into a gauge that had previously incurred a loss

medium

LendingTerm::debtCeiling() can return wrong debt as the min() is evaluated incorrectly

Nov '23

Kelp DAO | rsETH

36.03 USDC • 1 total finding • Code4rena • Varun_05

#46

high

Protocol mints less rsETH on deposit than intended