
aslanbek

Security Researcher

High: 23 Total

Medium: 35 Total

Total Earnings: $30.23K (#269 All Time)

Payouts: 42x

1st Places (gold): 2x

2nd Places (silver): 1x

3rd Places (bronze): 2x


Apr '25

ZKP2P V2

672.40 OP • Sherlock • aslanbek

#5

Findings not publicly available for private contests.

Aegis.im YUSD

45.94 OP • 1 total finding • Sherlock • aslanbek

#4

high

AegisMinting#approveRedeemRequest wrongly implements redemption fee

Mar '25

Symmio, Staking and Vesting

77.25 USDC • 3 total findings • Sherlock • aslanbek

#8

high

USDC rewards will not be distributed if `_updateRewardsStates` is triggered too often

medium

addLiquidity will revert in certain cases towards the end of the vesting period

medium

rewards will be diluted into perpetuity via regular `notifyRewardAmount` calls with 1 wei of each reward token

badger-ebtc-bsm

14.85 USDC • 1 total finding • Cantina • aslanbekaibimov

#31

high

Finding not yet public.

Feb '25

Usual Labs

4,516.99 USDC • Sherlock • aslanbek

bronze

defi-app-contracts

11.53 USDC • 1 total finding • Cantina • aslanbekaibimov

#26

high

Finding not yet public.

Jan '25

FlatMoney v2 Update

189.13 USDC • Sherlock • aslanbek

#11

Findings not publicly available for private contests.

Dec '24

Oku's New Order Types Contract Contest

0.00 OP • 1 total finding • Sherlock • aslanbek

#66

high

createOrder will be abused to drain all approvals

Rain - Collateral Contract V2

3,887.76 USDC • Sherlock • aslanbek

silver

Findings not publicly available for private contests.

Nov '24

Nouns DAO - Auction Streams

736.62 USDC • Sherlock • aslanbek

#9

Resolv Core

3,800 OP • Sherlock • aslanbek

gold

Findings not publicly available for private contests.

Chiliz Chain System Contracts

971.10 USDC • Sherlock • aslanbek

#7

Findings not publicly available for private contests.

Telcoin Update #2

535.91 USDC • Sherlock • aslanbek

bronze

Oct '24

Avantis v1.5: Cross-Asset Leverage

2,052.46 OP • Sherlock • aslanbek

#10

Findings not publicly available for private contests.

Aug '24

Velar Artha PerpDEX

873.14 USDC • 1 total finding • Sherlock • aslanbek

#6

medium

Actual funding can be lower than intended due to precision loss in `utilization`

Midas - Instant Minter/Redeemer

295.18 USDC • 1 total finding • Sherlock • aslanbek

#10

medium

Missing storage gaps in ManageableVault's parent contracts

Winnables Raffles

165.74 USDC • 2 total findings • Sherlock • aslanbek

#13

medium

Anyone can cancel a raffle with tickets == minTicketsThreshold, griefing all participants

medium

Admin can prevent raffle winner from claiming their reward

Sentiment V2

2.37 USDC • 1 total finding • Sherlock • aslanbek

#46

medium

SuperPool inherits Pausable and implements `togglePause`, but none of the functions are pausable

Jul '24

Kwenta Staking Rewards Upgrade

2,000 USDC • 1 total finding • Sherlock • aslanbek

gold

medium

USDC rewards round down to zero in `rewardPerTokenUSDC`

MakerDAO Endgame

2,145.40 USDC • Sherlock • aslanbek

#39

MagicSea - the native DEX on the IotaEVM

181.57 USDC • 5 total findings • Sherlock • aslanbek

#19

high

Bribes are permanently stuck in BribeRewarder if there are no voters

high

Lock expiration is not properly validated in Voter#vote

medium

DoS of bribes for any pool for any period via dust bribes

medium

Anyone can `addToPosition` to any lock because `_requireOnlyOperatorOrOwnerOf` always returns `true` for any existing lock

medium

During emergency, funds can be withdrawn from a lock by the approved address or owner, instead of exclusively by owner

Jun '24

Orderly Network

3,136.83 USDC • Sherlock • aslanbek

#6

Findings not publicly available for private contests.

dHEDGE

1,269.95 USDC • Sherlock • aslanbek

#9

Findings not publicly available for private contests.

May '24

YOLO Games

198.3 USDC • 1 total finding • Cantina • aslanbekaibimov

#14

medium

Finding not yet public.

Munchables

0.03 USDC • 3 total findings • Code4rena • aslanbek

#14

high

Malicious user can call `lockOnBehalf` repeatedly to extend a user's `unlockTime`, removing their ability to withdraw previously locked tokens

high

Invalid validation allows users to unlock early

medium

Missing disapproval check in `LockManager.sol::approveUSDPrice` allows simultaneous approval and disapproval of a price proposal

Apr '24

Renzo

0.41 USDC • 2 total findings • Code4rena • aslanbek

#56

high

Incorrect withdraw queue balance in TVL calculation

high

Withdrawals logic allows MEV exploits of TVL changes and zero-slippage zero-fee swaps

Mar '24

Smart-contracts

282.49 USDC • 4 total findings • Cantina • aslanbekaibimov

#24

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Amphor

233.50 USDC • 2 total findings • Sherlock • aslanbek

#10

high

`claimAndRequestDeposit` can be used to make any user lose their deposit requests of the current epoch

medium

Users with approvals for routers may not be able to use VaultZapper

Feb '24

Rio Network

185.95 USDC • 2 total findings • Sherlock • aslanbek

#23

high

New epoch is not started once the current one is queued for withdrawal from EigenLayer

medium

Reward distribution can be sandwiched

Althea Liquid Infrastructure

106.29 USDC • 2 total findings • Code4rena • aslanbek

#22

medium

`LiquidInfrastructureERC20.sol`: disapproved holders keep part of the supply, diluting approved holders' revenue

medium

Distribution can be bricked, and double claims by a few holders are possible when owner calls `LiquidInfrastructureERC20::setDistributableERC20s`

AI Arena

6.32 USDC • 7 total findings • Code4rena • aslanbek

#132

high

Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win

high

A locked fighter can be transferred; leads to game server unable to commit transactions, and unstoppable fighters

high

Since you can reroll with a different fighterType than the NFT you own, you can reroll bypassing maxRerollsAllowed and reroll attributes based on a different fighterType

high

Fighters cannot be minted after the initial generation due to uninitialized `numElements` mapping

high

Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`

medium

Can mint NFT with the desired attributes by reverting transaction

medium

Fighter created by mintFromMergingPool can have arbitrary weight and element

Jan '24

Covalent

580.20 USDC • 3 total findings • Sherlock • aslanbek

#4

medium

Reward distribution can be sandwiched

medium

OperationalStaking may not possess enough CQT for the last withdrawal

medium

setValidatorAddress allows exceeding the validator and delegator staking caps by 27 times

Curves

290.76 USDC • 8 total findings • Code4rena • aslanbek

#15

high

Attack to make `CurveSubject` a `HoneyPot`

high

Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`

medium

Protocol and referral fee would be permanently stuck in the Curves contract when selling a token

medium

Single token purchase restriction on curve creation enables sniping

medium

A subject creator within a single block can claim holder fees without holding due to unprotected reentrancy path

medium

onBalanceChange causes previously unclaimed rewards to be cleared

medium

`Curves::_buyCurvesToken()`: excess ETH received is not refunded to the user

medium

If a user sets their curve token symbol as the default one plus the next token counter instance it will render the whole default naming functionality obsolete

Truflation

106.52 USDC • 1 total finding • Sherlock • aslanbek

#8

medium

Users retain their voting power after the lock expiration

Dec '23

The Standard

0.16 USDC • 2 total findings • CodeHawks • aslanbek

#96

high

Looping over unbounded `pendingStakes` array can lead to permanent DoS and frozen funds

medium

Missing deadline check allows pending transactions to be maliciously executed

stake.link

135.51 USDC • 1 total finding • CodeHawks • aslanbek

#17

low

WrappedTokenBridge#recoverTokens will drain the whole token balance

Ethereum Credit Guild

430.75 USDC • 1 total finding • Code4rena • aslanbek

#31

medium

ProfitManager's "creditMultiplier" calculation does not count undistributed rewards; this can cause value losses to users

Nov '23

Canto Application Specific Dollars and Bonding Curves for 1155s

5.45 USDC • 1 total finding • Code4rena • aslanbek

#29

medium

No slippage protection for Market functions

Oct '23

NextGen

0 USDC • 1 total finding • Code4rena • aslanbek

#115

high

Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime

Ethena Labs

6.46 USDC • Code4rena • aslanbek

#39

ENS

78.89 USDC • Code4rena • aslanbek

#14

Aug '23

Sparkn

0.00 USDC • 1 total finding • CodeHawks • aslanbek

#93

low

If a winner is blacklisted on any of the tokens, they can't receive their funds