
ak1

Security Researcher


Findings: High 26 total • Medium 42 total • 4 solo

$37.77K total earnings • #222 all time • 64x payouts

1x 1st place (gold) • 1x 2nd place (silver) • 13x Top 10


Jan '25

Aave v3.3
97.21 USDC • Sherlock • ak1 • #80

Jul '24

TraitForge
0 USDC • 1 total finding • Code4rena • ak1 • #89
[medium] Pause and unpause functions are inaccessible

LoopFi
2.09 USDC • 1 total finding • Code4rena • ak1 • #54
[medium] WhenNotPaused modifier in the CDPVault can be bypassed by users

Apr '24

Renzo
2.7 USDC • 2 total findings • Code4rena • ak1 • #51
[high] Incorrect withdraw queue balance in TVL calculation
[medium] Withdrawals and Claims are meant to be pausable, but it is not possible in practice

NOYA
35.02 USDC + NOYA stars • 3 total findings • Code4rena • ak1 • #70
[high] `executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`
[medium] The total deposit amount limit in `AccountingManager.sol` can be bypassed
[medium] `AccountingManager` contract's `previewDeposit`, `previewMint`, `previewWithdraw`, and `previewRedeem` functions are not compliant with the EIP-4626 standard

Dec '23

The Standard
0.08 USDC • 2 total findings • CodeHawks • ak1 • #101
[high] Rewards can be drained because of lack of access control
[high] Looping over unbounded `pendingStakes` array can lead to permanent DoS and frozen funds

Oct '23

NextGen
0 USDC • 1 total finding • Code4rena • ak1 • #115
[high] Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime

Steadefi
135.80 USDC • 2 total findings • CodeHawks • ak1 • #25
[low] A bad price can be delivered in ChainlinkARBOracle
[low] GMXOracle.sol#L280: function `getLpTokenAmount` incorrectly assumes that the returned price has 18 decimal places, but it has 30 decimal places.

Aug '23

Chainlink Staking v0.2
2,219.54 USDC • Code4rena • ak1 • #22

Dopex
499.11 USDC • 3 total findings • Code4rena • ak1 • #39
[high] The settle feature will be broken if an attacker arbitrarily transfers collateral tokens to the PerpetualAtlanticVaultLP
[medium] `sync` function in `RdpxV2Core.sol` should be called in multiple scenarios to account for the balance changes that occur
[medium] The RdpxV2Core contract allows anyone to redeem tokens even if the contract is paused.

Jul '23

Beedle - Oracle free perpetual lending
64.31 USDC • 3 total findings • CodeHawks • ak1 • #58
[high] Lender contract can be drained by re-entrancy in `repay`
[high] Sandwich attack to steal all ERC-20 tokens in the Fees contract
[high] Fee on transfer tokens will cause users to lose funds

Amphora Protocol
3,919.42 USDC • 2 total findings • Code4rena • ak1 • #7
[high] Rounding error in `WUSDA` can result in loss of user funds, especially when manipulated by an attacker
[high] Reentrancy issue with the `withdraw` method of USDC. All tokens could be drained.

Tapioca DAO
117.5 USDC • 1 total finding • Code4rena • ak1 • #74
[medium] Incorrect `eligibleAmount` for `AirdropBroker` Phase 3

Jun '23

GLIF
413.74 USDC • Sherlock • ak1 • #11
Findings not publicly available for private contests.

Apr '23

Teller
0.95 USDC • 1 total finding • Sherlock • ak1 • #51
[medium] CollateralEscrowV1.sol: depositAsset does not account for collateral that charges a fee on transfer

Frankencoin
22.67 USDC • 1 total finding • Code4rena • ak1 • #65
[medium] function `restructureCapTable()` in Equity.sol is not functioning as expected

Mar '23

Asymmetry contest
13.13 USDC • Code4rena • ak1 • #110

Neo Tokyo contest
154.74 USDC • 1 total finding • Code4rena • ak1 • #18
[high] Underflow of `lpPosition.points` during withdrawLP causes huge reward minting

Feb '23

Surge
3.65 USDC • 1 total finding • Sherlock • ak1 • #22
[high] pool.sol : First depositor can influence the share value for other depositors, who may face truncation issues.

OlympusDAO
114.76 USDC • 1 total finding • Sherlock • ak1 • #28
[high] SingleSidedLiquidityVault.sol : `_withdrawUpdateRewardState` is not updating the `cachedUserRewards` correctly.

OpenQ
12.03 USDC • 2 total findings • Sherlock • ak1 • #47
[high] `refundDeposit` will not work when the `deposits` array grows large or is deliberately increased to a huge size.
[medium] `setPayoutScheduleFixed` and `setPayoutSchedule` are not using the correct array length value in the `for` loop

Jan '23

Cooler
206.59 USDC • 2 total findings • Sherlock • ak1 • #19
[high] Unsafe ERC20 operations.
[medium] repay business logic should handle the case where the repaid amount is greater than the loan amount.

Notional Update
680.01 USDC • 2 total findings • Sherlock • ak1 • #4
[medium] Boosted3TokenPoolUtils.sol : `_validateSpotPrice` function is not validating the price value from getOraclePrice
[medium] Boosted3TokenPoolUtils.sol : _redeem - updating `totalBPTHeld` and `totalStrategyTokenGlobal` after `_unstakeAndExitPool` is not safe

Dec '22

Papr contest
43.54 USDC • Code4rena • ak1 • #26

GoGoPool contest
2,286.97 USDC • 4 total findings • Code4rena • ak1 • #9
[high] Inflation of ggAVAX share price by first depositor
[high] Hijacking of a node operator's minipool causes loss of staked funds
[medium] Bypass `whenNotPaused` modifier
[medium] RewardsPool.sol : It is safe to have `startRewardsCycle` with the `whenNotPaused` modifier

Caviar contest
180.83 USDC • 2 total findings • Code4rena • ak1 • #29
[high] First depositor can break minting of shares
[medium] Pair price may be manipulated by direct transfers

Rain
447.17 USDC • Sherlock • ak1 • #7
Findings not publicly available for private contests.

Tigris Trade contest
13.76 USDC • 1 total finding • Code4rena • ak1 • #61
[medium] `_handleDeposit` and `_handleWithdraw` do not account for tokens with decimals higher than 18

prePO contest
530.45 USDC • 1 total finding • Code4rena • ak1 • #14
[medium] Frontrunning for unallowed minting of Short and Long tokens

Nov '22

Isomorph
1,526.52 USDC • 3 total findings • Sherlock • ak1 • #7
[high] withdrawFromGauge : anyone can call with a valid NFT id and take away funds
[medium] increaseCollateralAmount : User is not allowed to increase collateral freely.
[medium] DepositReceipt_Base.sol#L21 : HEARTBEAT_TIME gap is too large

Buffer Finance
6.52 USDC • 1 total finding • Sherlock • ak1 • #12
[medium] `transfer` call - return value is not validated.

Bull v Bear
811.92 USDC • 2 total findings • Sherlock • ak1 • 1st place (gold)
[high] Settle contract: bull can abuse `safeTransferFrom` even if there is a `try`/`catch`.
[high] `withdrawToken` can be re-entered

DODO
4,058.47 USDC • 1 total finding • Sherlock • ak1 • #7
[medium] Use of the `transfer` function to send funds may not work and funds can get stuck.

Sense
11,897.55 USDC • 1 total finding • Sherlock • ak1 • #4
[high] Public vault : Initial depositor can manipulate the price per share value, and future depositors are forced to deposit a huge value into the vault.

Oct '22

Illuminate
174.70 USDC • 2 total findings • Sherlock • ak1 • #22
[high] Inadequate access restrictions for Redeem functions in Redeemer.sol
[medium] Redeemer.sol#L168 : setFee can never be called.

Astaria
27.60 USDC • 2 total findings • Sherlock • ak1 • #29
[medium] Public vault : Initial depositor can take unfair advantage by depositing a large amount (1 wei share attack)
[medium] LienToken.sol#L594 : _payment takes everything; it does not refund the excess amount to the user.

NFTPort
252.99 USDC • 2 total findings • Sherlock • ak1 • #8
[medium] Factory.sol : Issue with arbitrary data as signature in signature-based call and deploy methods.
[medium] NFTCollection.sol : Lack of validation of the runtime configuration during `initialize` is dangerous.

Union Finance
1,176.83 USDC • 1 total finding • Sherlock • ak1 • #9
[medium] UserManager.sol#L438-L466 : getFrozenInfo could revert due to out of gas when the vouchees array size is large

Mycelium
552.11 USDC • 2 total findings • Sherlock • ak1 • #4
[high] An early user/attacker can manipulate the myLink share price to take an unfair share of future users' deposits
[medium] AaveV2Plugin.sol#L44 : _deposit will revert when the Aave lending pool is paused.
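The share-price manipulation reported above for Mycelium, and for Sense, Astaria, Surge, GoGoPool and Caviar, is one arithmetic pattern: the first depositor mints a tiny number of shares, donates tokens directly to the vault so each share is backed by a huge amount, and later depositors' share calculation rounds down to zero. The model below is an added illustration by the editor, not code from any of those projects or from the reports; `Vault`, `donate` and `simulate_first_depositor_attack` are names assumed for the demo, and the mitigated path applies the virtual-shares "decimals offset" idea rather than any project's actual fix.

```python
# Added illustration for this page; not code from any of the audited projects
# or from the reports above. The vault, its rounding and the "donate" step are
# a constructed model of ERC-4626-style accounting in integer arithmetic.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Vault:
    """Share-based vault. `total_assets` stands in for token.balanceOf(vault),
    so a direct transfer (donation) raises it without minting shares.
    offset=None reproduces the classic, unmitigated conversion; an integer
    offset applies the virtual-shares/virtual-assets mitigation (the
    "decimals offset" approach used by OpenZeppelin ERC4626 since 4.9)."""
    offset: Optional[int] = None
    total_assets: int = 0
    total_shares: int = 0

    def convert_to_shares(self, assets: int) -> int:
        if self.offset is None:
            # classic: first depositor gets 1:1, later ones pro rata, rounding down
            if self.total_shares == 0:
                return assets
            return assets * self.total_shares // self.total_assets
        # mitigated: 10**offset virtual shares and 1 virtual asset always exist
        return assets * (self.total_shares + 10 ** self.offset) // (self.total_assets + 1)

    def convert_to_assets(self, shares: int) -> int:
        if self.offset is None:
            if self.total_shares == 0:
                return 0
            return shares * self.total_assets // self.total_shares
        return shares * (self.total_assets + 1) // (self.total_shares + 10 ** self.offset)

    def deposit(self, assets: int) -> int:
        shares = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_shares += shares
        return shares

    def donate(self, assets: int) -> None:
        """Direct token transfer to the vault address: balance grows, no shares minted."""
        self.total_assets += assets

    def redeem(self, shares: int) -> int:
        assets = self.convert_to_assets(shares)
        self.total_assets -= assets
        self.total_shares -= shares
        return assets


def simulate_first_depositor_attack(offset: Optional[int],
                                    seed: int = 1,
                                    donation: int = 10 ** 18,
                                    victim_deposit: int = 10 ** 18) -> dict:
    """Attacker deposits `seed` wei, donates `donation` to inflate the price
    per share, the victim deposits, then both redeem. Returns the outcome."""
    vault = Vault(offset=offset)
    attacker_shares = vault.deposit(seed)
    vault.donate(donation)
    victim_shares = vault.deposit(victim_deposit)
    attacker_out = vault.redeem(attacker_shares)
    victim_out = vault.redeem(victim_shares) if victim_shares else 0
    return {
        "victim_shares": victim_shares,
        "victim_out": victim_out,
        "attacker_profit": attacker_out - seed - donation,
    }


if __name__ == "__main__":
    # unmitigated: victim mints 0 shares and the attacker walks away with the deposit
    print("unmitigated:", simulate_first_depositor_attack(None))
    # offset=6: the donation is spread over virtual shares, so the attacker loses most of it
    print("offset=6   :", simulate_first_depositor_attack(6))
```

With no mitigation the victim's 1e18 deposit mints zero shares and the attacker redeems everything; with a decimals offset the victim keeps all but a few hundred gwei of their deposit and the attack costs the attacker roughly half of the donation, which is why a minimum initial deposit or virtual shares is the standard fix.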

Sep '22

Knox Finance
20.77 USDC • 1 total finding • Sherlock • ak1 • #12
[medium] PricerInternal.sol#L49 : The price data returned from `_latestAnswer64x64` may not be an updated one (may not be the latest data)

VTVL contest
60.78 USDC • 1 total finding • Code4rena • ak1 • #44
[medium] Not able to create a claim

Art Gobblers contest
55.2 USDC • Code4rena • ak1 • #21

Harpie
1,650.26 USDC • 2 total findings • Sherlock • ak1 • 2nd place (silver)
[medium] reduceERC721Fee function cannot set a fee when the NFT token ID is more than type(uint128).max
[medium] Fee validation check is missing in Transfer.sol

Y2k Finance contest
253.02 USDC • 2 total findings • Code4rena • ak1 • #26
[medium] It is possible that receiver and treasury can receive nothing when calling `withdraw` function due to division being performed before multiplication
[medium] Different Oracle issues can return outdated prices

Notional
568.40 USDC • 2 total findings • Sherlock • ak1 • #11
[medium] oracle : latestRoundData will not give the latest price feed data.
[medium] TwoTokenPoolMixin.sol : the tokens' decimals may not be the same; calculations based on token decimals will not give correct results.

FEI and TRIBE Redemption contest
33.58 USDC • Code4rena • ak1 • #14

Canto Dex Oracle contest
39.22 CANTO • Code4rena • ak1 • #12

Nouns Builder contest
131.45 USDC • 1 total finding • Code4rena • ak1 • #69
[medium] Proposals can be bricked and Auctions stalled by bad settings

Aug '22

Olympus DAO contest
65.34 USDC • 1 total finding • Code4rena • ak1 • #80
[medium] [NAZ-M1] Chainlink's `latestRoundData` Might Return Stale Results
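The stale-oracle class reported above for Olympus DAO, and for Notional, Y2k Finance, Knox Finance and Steadefi, comes down to consuming the `answer` from `latestRoundData` without checking the rest of the tuple, plus the decimals mismatches flagged for Steadefi's GMX oracle and Notional's two-token pool. The following is an added example by the editor, not code from any of those projects: the round shape mirrors Chainlink's `AggregatorV3Interface.latestRoundData()` return, while the heartbeat, price bounds and sample rounds are constructed values for the demo.

```python
# Added illustration for this page; not code from any of the projects above.
# The five-field round mirrors Chainlink's AggregatorV3Interface
# latestRoundData() return (roundId, answer, startedAt, updatedAt,
# answeredInRound). Heartbeat, price bounds and the sample rounds below are
# constructed/assumed values for the demo, not any feed's real parameters.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RoundData:
    round_id: int
    answer: int            # price in the feed's own decimals (int256 on-chain)
    started_at: int
    updated_at: int        # unix timestamp of the last update
    answered_in_round: int


class StalePrice(ValueError):
    pass


class InvalidPrice(ValueError):
    pass


def validate_round(rd: RoundData, now: int, heartbeat: int,
                   min_price: int = 1, max_price: Optional[int] = None) -> int:
    """Return rd.answer if it is fresh and sane, otherwise raise.
    These are the checks a consumer should run instead of using the raw
    answer: positive, inside a sanity band, a completed round, no older
    than the feed's heartbeat, and not carried over from an earlier round."""
    if rd.answer <= 0 or rd.answer < min_price:
        raise InvalidPrice(f"answer {rd.answer} below minimum {min_price}")
    if max_price is not None and rd.answer > max_price:
        raise InvalidPrice(f"answer {rd.answer} above maximum {max_price}")
    if rd.updated_at == 0:
        raise StalePrice("round not complete (updatedAt == 0)")
    if rd.updated_at > now:
        raise StalePrice("updatedAt is in the future")
    if now - rd.updated_at > heartbeat:
        raise StalePrice(f"price is {now - rd.updated_at}s old, heartbeat is {heartbeat}s")
    # Redundant on OCR feeds (answeredInRound == roundId), harmless on older ones.
    if rd.answered_in_round < rd.round_id:
        raise StalePrice("answer carried over from an earlier round")
    return rd.answer


def scale_decimals(value: int, from_decimals: int, to_decimals: int) -> int:
    """Rescale an integer amount between decimal conventions (an 8-decimal
    feed, or a 30-decimal oracle, to an 18-decimal internal unit).
    Scaling down truncates, as integer math on-chain would."""
    if from_decimals == to_decimals:
        return value
    if from_decimals < to_decimals:
        return value * 10 ** (to_decimals - from_decimals)
    return value // 10 ** (from_decimals - to_decimals)


# Constructed sample rounds for a hypothetical 8-decimal USD feed with a 3600 s heartbeat.
NOW = 1_700_000_000
HEARTBEAT = 3600
FRESH = RoundData(100, 2_000 * 10**8, NOW - 60, NOW - 60, 100)
STALE = RoundData(100, 2_000 * 10**8, NOW - 7200, NOW - 7200, 100)
NEGATIVE = RoundData(101, -1, NOW, NOW, 101)
CARRIED = RoundData(102, 2_000 * 10**8, NOW, NOW, 101)


def classify_round(rd: RoundData) -> str:
    """Classify a round the way a consumer contract's revert reason would."""
    try:
        validate_round(rd, NOW, HEARTBEAT, max_price=1_000_000 * 10**8)
        return "ok"
    except StalePrice:
        return "stale"
    except InvalidPrice:
        return "invalid"


if __name__ == "__main__":
    for name, rd in [("fresh", FRESH), ("stale", STALE), ("negative", NEGATIVE), ("carried", CARRIED)]:
        print(name, classify_round(rd))
    print(scale_decimals(FRESH.answer, 8, 18))
```

The heartbeat must be set per feed (each feed's own heartbeat plus a small tolerance), and a consumer on an L2 rollup additionally needs the sequencer-uptime feed check, which this model does not include.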

Nouns DAO contest
16.66 USDC • Code4rena • ak1 • #44

FIAT DAO veFDT contest
1,128.14 USDC • 2 total findings • Code4rena • ak1 • #4
[medium] Inconsistent logic of increasing unlock time for expired locks
[medium] `increaseUnlockTime` missing `_checkpoint` for delegated values

Fraxlend (Frax Finance) contest
67 USDC • Code4rena • ak1 • #56

Mimo August 2022 contest
74.55 USDC • Code4rena • ak1 • #37

Rigor Protocol contest
62.35 USDC • Code4rena • ak1 • #64

Jul '22

Axelar Network v2 contest
31.22 USDC • Code4rena • ak1 • #47

Golom contest
246.06 USDC • Code4rena • ak1 • #48

Yield Witch v2 contest
95.5 USDC • Code4rena • ak1 • #11

Swivel v3 contest
44.26 USDC • Code4rena • ak1 • #56

ENS contest
39.86 USDC • Code4rena • ak1 • #70

Fractional v2 contest
143.24 USDC • 1 total finding • Code4rena • ak1 • #54
[high] `migrateFractions` may be called more than once by the same user, which may lead to loss of tokens for other users

Jun '22

Putty contest
21.17 USDC • Code4rena • ak1 • #86

Yieldy contest
53.16 USDC • Code4rena • ak1 • #63

Illuminate contest
63.94 USDC • Code4rena • ak1 • #56

Canto contest
103.77 USDC • Code4rena • ak1 • #52