
aviggiano

Security Researcher

Helping protocols improve their invariant tests https://t.co/yr3gmVkLUg @yAcademy ZK Auditing Fellow @SecurityOak Security Researcher


High: 14 total
Medium: 17 total
Total earnings: $29.59K (#295 all time)
Payouts: 26x
2nd places (silver): 1x
3rd places (bronze): 1x
Top 10: 4x


Oct '23

HATs Arbitration Contracts
3,500 USDC • 1 total finding • Hats • aviggiano • 3rd place (bronze)
low: `HATPaymentSplitterFactory.predictSplitterAddress` can predict invalid splitter addresses, which can lead to user loss of funds

Aug '23

Sparkn
0.99 USDC • 1 total finding • CodeHawks • aviggiano • Rank #86
low: Owner can incorrectly pull funds from contests not yet expired

Jul '23

Beedle - Oracle free perpetual lending
0.21 USDC • 2 total findings • CodeHawks • aviggiano • Rank #214
high: Sandwich attack to steal all ERC-20 tokens in the Fees contract
medium: No expiration deadline leads to losing a lot of funds

Foundry DeFi Stablecoin CodeHawks Audit Contest
16.59 USDC • 3 total findings • CodeHawks • aviggiano • Rank #66
medium: staleCheckLatestRoundData() does not check the status of the Arbitrum sequencer in Chainlink feeds
medium: DSC protocol can consume stale price data or cannot operate on some EVM chains
low: Unbounded loops found in DSCEngine.sol can lead to DoS of liquidations

CodeHawks Escrow Contract - Competition Details
2,081.10 USDC • 4 total findings • CodeHawks • aviggiano • Rank #4
medium: Fee-on-transfer tokens aren't supported
medium: [H-01] Lack of emergency withdraw function when no arbiter is set
medium: Fixed `i_arbiterFee` can prevent payment
gas: Add an optional deadline parameter for dispute process

May '23

Chainlink Cross-Chain Services: CCIP and ARM Network
2,094.7 USDC • Code4rena • aviggiano • Rank #18

Juicebox Buyback Delegate
16.19 USDC • Code4rena • aviggiano • Rank #18

Raft
17,400 USDC • Hats • aviggiano • 2nd place (silver)

Ajna Protocol
392.87 USDC • 2 total findings • Code4rena • aviggiano • Rank #23
high: Claiming accumulated rewards while the contract is underfunded can lead to a loss of rewards
high: Position NFT can be spammed with insignificant positions by anyone until rewards DoS

Apr '23

Caviar Private Pools
433.42 USDC • 4 total findings • Code4rena • aviggiano • Rank #20
high: Royalty receiver can drain a private pool
medium: Royalty recipients will not get fair share of royalties
medium: `changeFeeQuote` will fail for low decimal ERC20 tokens
medium: Flash loan fee is incorrect in Private Pool contract

Mar '23

Asymmetry contest
30.95 USDC • 2 total findings • Code4rena • aviggiano • Rank #89
high: Staking, unstaking and rebalanceToWeight can be sandwiched (mainly rETH deposit)
medium: Residual ETH unreachable and unutilized in SafEth.sol

Lodestar Finance
527.7 USDC • Hats • aviggiano • Rank #6

Jan '23

Biconomy - Smart Contract Wallet contest
26.26 USDC • 1 total finding • Code4rena • aviggiano • Rank #56
high: Attacker can gain control of counterfactual wallet

Dec '22

GoGoPool contest
1,687.72 USDC • 1 total finding • Code4rena • aviggiano • Rank #18
medium: TokenggAVAX: maxDeposit and maxMint return wrong value when contract is paused

Caviar contest
57.15 USDC • 1 total finding • Code4rena • aviggiano • Rank #39
high: First depositor can break minting of shares

Tigris Trade contest
134.51 USDC • 2 total findings • Code4rena • aviggiano • Rank #47
high: Incorrect assumption of stablecoin market stability
medium: Centralization risks: owner can freeze withdrawals and use timelock to steal all funds

prePO contest
210.78 USDC • 1 total finding • Code4rena • aviggiano • Rank #26
high: A whale user is able to cause freeze of funds of other users by bypassing withdraw limit

Escher contest
50.22 USDC • 2 total findings • Code4rena • aviggiano • Rank #52
high: `saleReceiver` and `feeReceiver` can steal refunds after sale has ended
medium: Use of `payable.transfer()` might render ETH impossible to withdraw

Nov '22

Opyn Crab Netting
45.82 USDC • 1 total finding • Sherlock • aviggiano • Rank #20
high: `CrabNetting.depositAuction` and `CrabNetting.withdrawAuction` can be frontrun with `CrabNetting.checkOrder`, making these calls revert with "Nonce already used"

Bull v Bear
93.18 USDC • 1 total finding • Sherlock • aviggiano • Rank #13
high: `BvbProtocol.transferPosition` does not check for null `recipient`, which may cause loss of premium + collateral and opens the door to griefing

Blur Exchange contest
89.03 USDC • 2 total findings • Code4rena • aviggiano • Rank #25
high: StandardPolicyERC1155.sol returns amount == 1 instead of amount == order.amount
medium: Yul `call` return value not checked

LooksRare Aggregator contest
309.38 USDC • 2 total findings • Code4rena • aviggiano • Rank #11
medium: call opcode's return value not checked
medium: Public to all funds escape

SIZE contest
65.42 USDC • Code4rena • aviggiano • Rank #30

Oct '22

Blur Exchange contest
114.82 USDC • 2 total findings • Code4rena • aviggiano • Rank #20
high: StandardPolicyERC1155.sol returns amount == 1 instead of amount == order.amount
medium: Yul `call` return value not checked

Sep '22

Art Gobblers contest
123.86 USDC • Code4rena • aviggiano • Rank #19

Aug '22

Olympus DAO contest
86.89 USDC • Code4rena • aviggiano • Rank #78