
ZeroTrust

Security Researcher


High: 3 solo, 30 total
Medium: 4 solo, 38 total
Total earnings: $24.32K (#324 all time)
Payouts: 11x
2nd places: 2x
3rd places: 2x
Top 10: 8x


Jan '25
Plaza Finance
294.44 USDC • 5 total findings • Sherlock • ZeroTrust • #28

high: In the create() and redeem() functions, the lastFeeClaimTime is not updated, which leads to incorrect fee calculations.
high: The joinBalancerPool() function does not return the remaining assets to the user.
medium: bid() will result in a denial of service (DoS) if the bidder address is on the blacklist.
medium: In the joinBalancerAndPredeposit() function, the remaining Balancer Pool Tokens are not returned to the user.
medium: It is possible to manipulate the price of the BondToken by constructing a dexPool.

Oct '24
Mento x Good$ Integration
750 USDC • Sherlock • ZeroTrust • 3rd place

Sep '24
infinitypools
5,395.77 USDC • 1 total finding • Cantina • lian886 • #10

high: Finding not yet public.

Flayer
3,855.25 USDC • 17 total findings • Sherlock • ZeroTrust • 2nd place

high: There is a logical error inside the ProtectedListings::adjustPosition() function, which could lead to manipulation of users' interest.
high: There is a calculation error inside the calculateCompoundedFactor() function, causing users to overpay interest.
high: The relist() function lacks a check on listing.created, which allows borrowing money from the listing without incurring interest.
high: Due to the delay in converting token1 fees into token0 (WETH) fees in beforeSwap(), an attacker can execute a sandwich attack to gain risk-free profits.
high: InfernalRiftBelow.thresholdCross verifies the wrong msg.sender.
high: InfernalRiftBelow.claimRoyalties has no msg.sender verification.
high: Users with more than 50% of the voting rights can steal other users' tokens.
high: The shutdown can still be canceled after execute, causing users to fail to claim tokens.
high: The tokens (collectionTokens and WETH) used for initializeCollection() to create a liquidity position are permanently locked in Uniswap V4.
medium: The fee set by the setFee() function will not take effect.
medium: The unused tokens from the user's initialization of the Uniswap V4 pool will be locked in the UniswapImplementation contract.
medium: There is a logical error in the removeFeeExemption() function.
medium: There is a calculation error inside the modifyListings() function.
medium: There is a logical error in the _distributeFees() function, resulting in an unfair distribution of fees.
medium: An attacker can block the execution of CollectionShutdown.execute.
medium: In the unlockProtectedListing() function, the interest that was supposed to be distributed to LP holders was instead burned.
medium: Malicious users can exploit the createListings() and liquidateProtectedListing() functions in the ProtectedListings contract to replace Listings::createListings() in order to evade paying the tax fee.

Aug '24
zetachain-protocol
731.05 USDC • 6 total findings • Cantina • lian886 • #31

high: Finding not yet public.
high: Finding not yet public.
medium: Finding not yet public.
medium: Finding not yet public.
medium: Finding not yet public.
medium: Finding not yet public.

Sentiment V2
443.81 USDC • 5 total findings • Sherlock • ZeroTrust • #19

medium: The liquidate() function requires that after liquidation, the position must be in a healthy state. This may result in certain positions never being liquidated if they cannot reach a healthy state, potentially leaving them in limbo.
medium: The getValueInEth function should include a price refresh mechanism to prevent outdated prices from causing financial losses for users.
medium: The liquidationFee should be applied to the profit from the liquidation, rather than to all the assets obtained by the liquidator.
medium: Using forceApprove instead of approve.
medium: The issue regarding the missing pause functionality has not been resolved.

Jul '24
LoopFi
2,579.53 USDC • 11 total findings • Code4rena • lian886 • #8

high: There is a calculation error in AuraVault::redeem().
high: AuraVault inherits AccessControl but does not call the _setupRole() function in its constructor to set the initial roles; this leads to a complete DoS of the important claim function, rendering the contract unable to claim rewards.
high: `Flashlender.sol#flashLoan()` should use `mintProfit()` to mint fees. The current implementation may lead to locked-up WETH in PoolV3.
medium: Discrepancy between the `lastRewadTime` and the `lastAllPoolUpdate` can allow for incorrect reward distribution to pools if `registerRewardDeposit` deposits less assets.
medium: The debt in EligibilityDataProvider::requiredUsdValue() needs to be converted into USD; otherwise, it is not a correct value comparison.
medium: In `PositionActionPendle::_onDecreaseLever`, `tokenOut` is implemented incorrectly.
medium: Because of the 1:1 asset:share conversion, if the vault incurs a loss, the last user to withdraw will take the entire loss.
medium: In CDPVault::liquidatePositionBadDebt(), the calculation of `loss` is incorrect.
medium: PositionAction.decreaseLever() fails to consider the loan fee in Flashlender when calculating loanAmount; as a result, the functionality will not work when protocolFee != 0.
medium: A malicious actor can abuse the minimum shares check in `StakingLPEth` and cause DoS or locked funds for the last user that withdraws.
medium: `PositionAction.sol#onCreditFlashLoan` may have leftover tokens after conducting `leverParams.auxSwap`.

Jun '24
Notional Leveraged Vaults: Pendle PT and Vault Incentives
5,104.26 USDC • 8 total findings • Sherlock • ZeroTrust • 2nd place

high: In the _splitWithdrawRequest() function, there exists an issue that causes both the from and to requestId to be 0.
high: `EtherFiLib::_initiateWithdrawImpl` will revert because rebase tokens transfer 1-2 wei less.
high: The lack of slippage protection in `EthenaLib::_sellStakedUSDe()` could lead to sandwich attacks.
high: The _redeemPT function lacks slippage protection.
high: The withdrawValue calculation in _calculateValueOfWithdrawRequest is incorrect.
medium: After a liquidator liquidates someone else's position, it could cause a denial of service (DoS) when their own position also needs to be liquidated.
medium: The _getValueOfWithdrawRequest function uses different methods for selecting assets in various vaults.
medium: A failed rewardToken transfer results in a loss for the user.

eBTC Zap Router
1,912.82 USDC • 1 total finding • Code4rena • lian886 • #5

medium: Incorrect comparison logic in post-operation checks.

May '24
Elfi
2,493.00 USDC • 10 total findings • Sherlock • ZeroTrust • 3rd place

high: Logical error in the _executeRedeemStakeToken function in RedeemProcess.sol.
high: Logical error in the getPoolIntValue function in LpPoolQueryProcess.sol.
high: The `executeUpdateLeverageRequest` function is missing the operation to update the borrowing fee.
high: When a user opens a short position, there is a lack of checks on the liquidity pool, which can result in the user being unable to realize their profits if they succeed.
high: In Cross Margin mode, the user's profit calculation is incorrect.
medium: Logical error in the processExecutionFee function in GasProcess.sol.
medium: Using the .call() method to refund the refundFee in processExecutionFee may result in excessive gas consumption and potential reentrancy attacks.
medium: Missing executionFee in the function `createWithdrawRequest`.
medium: The check for the user's collateralUserCap is missing params.amount in AssetsProcess::deposit().
medium: The balance.unsettledAmount is missing in the calculations for `getMaxWithdraw` and `isSubAmountAllowed` in UsdPool.sol.

Apr '24
DYAD
761.33 USDC • 4 total findings • Code4rena • lian886 • #8

high: Kerosene collateral is not being moved on liquidation, exposing liquidators to loss.
high: Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply.
high: Flash loan protection mechanism can be bypassed via self-liquidations.
medium: Incorrect deployment / missing contract will break functionality.

Nov '23
Majora
Collaborative Audit • Sherlock • ZeroTrust