
bbl4de

Security Researcher

breaking contracts and blockchains


High: 13 Total
Medium: 19 Total
Total Earnings: $38.00K (#219 All Time)
Payouts: 17x
1st Places: 1x
Top 10: 5x
Top 25: 9x


Jan '25

daao-contracts

37.69 USDC • 1 total finding • Cantina • bbl4de

#73

high

Finding not yet public.

Beraborrow

2,026.74 USDC • Sherlock • bbl4de

#7

Findings not publicly available for private contests.

Allora v0.8.0 Update

1,530.14 USDC • Sherlock • bbl4de

#11

Findings not publicly available for private contests.

Dec '24

Mach Finance

615.38 USDC • 1 total finding • Sherlock • bbl4de

gold

medium

All oracles lack staleness checks

story-protocol

27,257.01 USDC • 2 total findings • Cantina • bbl4de

#11

high

Finding not yet public.

medium

Finding not yet public.

Nov '24

collar-core

2,363.34 USDC • 1 total finding • Cantina • bbl4de

#6

medium

Finding not yet public.

Debita Finance V3

1,390.80 USDC • 9 total findings • Sherlock • bbl4de

#6

high

`TaxTokensReceipt` used as collateral always leads to loss of funds due to custom `transferFrom()` limitations

high

Custom `transferFrom()` in `TaxTokensReceipt` makes it impossible to use limit orders for FoT tokens' NFRs

medium

`updateFunds()` function in `DebitaIncentives` contract skips potentially valid token pairs

medium

`addFunds()` can be called on an inactive lend order leading to deleted lend offer still being usable for matching

medium

When extending a loan `missingBorrowFee` will always be larger than it should be due to incorrect implementation

medium

Short loans with <5 day duration cannot be extended due to incorrect logic

medium

Incentives can be stolen by using flash loans to borrow huge amounts dominating the rewards pool

medium

Transferring FoT tokens is not supported in `Auction` leading to loss of funds for lenders due to insufficient funds for `claimCollateralAsLender()` call

medium

Calling `changePerpetual()` can result in `deleteOrder()` being called, but failing to deactivate the order

Oct '24

mev-commit

443.92 USDC • 3 total findings • Cantina • bbl4de

#21

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

Jul '24

Audit Comp | Folks Finance

1,323 USDC • 3 total findings • Immunefi • bbl4de

#15

medium

Finding not yet public.

medium

Finding not yet public.

low

Finding not yet public.

MagicSea - the native DEX on the IotaEVM

27.04 USDC • 3 total findings • Sherlock • bbl4de

#51

medium

Insufficient `addToPosition` access control allows anyone to call it

medium

`harvestPositionTo()` function does not enforce the lsNFT's owner to be a contract as expected

medium

Lack of support for weird ERC20s in the MasterChef contract

Velocimeter

210.25 USDC • 1 total finding • Sherlock • bbl4de

#38

medium

Incorrect `_teamEmissions` calculation in Minter

Jun '24

Vultisig

6.78 USDC • 1 total finding • Code4rena • bbl4de

#31

high

Vultisig whitelisting can be bypassed by anyone

May '24

LoopFi

71.11 USDC • 1 total finding • Code4rena • bbl4de

#8

high

Availability of deposit invariant can be bypassed

Apr '24

DYAD

7.54 USDC • 2 total findings • Code4rena • bbl4de

#99

high

Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults

medium

Incorrect deployment / missing contract will break functionality

Feb '24

curvance

633.45 USDC • 2 total findings • Cantina • bbl4de

#35

high

Finding not yet public.

medium

Finding not yet public.

Jan '24

Curves

0 USDC • 1 total finding • Code4rena • bbl4de

#137

high

Unauthorized Access to setCurves Function

Dec '23

The Standard

58.72 USDC • 2 total findings • CodeHawks • bbl4de

#34

high

Looping over unbounded `pendingStakes` array can lead to permanent DoS and frozen funds

medium

Incorrect calculation of amount of EURO to burn during liquidation