
bin2chen

Security Researcher

Focus Web3 Security


High: 2 Solo, 169 Total

Medium: 20 Solo, 225 Total

$514.18K Total Earnings (#13 All Time)

120x Payouts

4x 1st Places (gold)

12x 2nd Places (silver)

12x 3rd Places (bronze)


May '25

Spine Supply Restaking

Collaborative Audit • Sherlock • bin2chen

Mar '25

MoreMarkets

Collaborative Audit • Sherlock • bin2chen

Feb '25

Hyperlane Sealevel Audit - Wave 2

Collaborative Audit • Sherlock • bin2chen

Aug '24

Perennial V2 Update #3

6,771.76 USDC • 7 total findings • Sherlock • bin2chen

bronze

high

updateExtension() lacks permission restrictions

high

Maliciously specifying a very large intent.price will result in a large gain at settlement, stealing funds

medium

settle() asyncFee is left in the KeepFactory and is not transferred to the keeper.

medium

when ReserveBase is undercollateralized, Manager.orders will not be able to execute

medium

_ineligible() redemptionEligible is miscalculated

medium

cancelGroupWithSignature() lacks security checks and can maliciously cancel anyone's signature group

medium

TriggerOrder.notionalValue() Using the wrong latestPositionLocal to calculate the value causes the user to overpay fees

Jul '24

MakerDAO Endgame

7,757.18 USDC • Sherlock • bin2chen

#19

Velocimeter

718.97 USDC • 3 total findings • Sherlock • bin2chen

#11

high

disable_max_lock() may not be disabled

high

balanceWithLock can be extended indefinitely

high

exerciseLp/exerciseVe slippage check wrong

Jun '24

Size

1,963.95 USDC • 6 total findings • Code4rena • bin2chen

#15

high

Users won't liquidate positions because the logic used to calculate the liquidator's profit is incorrect

high

When `sellCreditMarket()` is called to sell credit for a specific cash amount, the protocol might receive a lower swapping fee than expected.

medium

Credit can be sold forcibly as `forSale` setting can be ignored via Compensate

medium

Size uses wrong source to query available liquidity on Aave, resulting in borrow and lend operations being bricked upon mainnet deployment

medium

Multicall does not work as intended

medium

withdraw() users may not be able to withdraw underlyingBorrowToken properly

Andromeda – Validator Staking ADO and Vesting ADO

36,840.74 USDC • 9 total findings • Sherlock • bin2chen

silver

high

verify_origin() previous_sender may be forged

medium

when a validator is kicked out of the bonded validator set, unstake funds will remain in the contract

medium

execute_stake() without setting DistributionMsg::SetWithdrawAddress, partial reward may remain in the contract

medium

If WithdrawAddrEnabled = false, execute_claim() will fail

medium

if Slash Validator occurs, UNSTAKING_QUEUE's unstake amount will not be accurate

medium

is_permissioned() may underflow

medium

is_permissioned() It doesn't make sense to have permissions by default after Blacklisted expires.

medium

claim_batch() last_claimed_release_time is set too large when the balance is not enough

medium

execute_claim() possible loss of accuracy or even inability to retrieve funds

May '24

Terrace

15,887.98 USDC • Sherlock • bin2chen

bronze

Findings not publicly available for private contests.

Apr '24

Exactly Protocol

402.05 USDC • 1 total finding • Sherlock • bin2chen

#10

medium

borrow() maliciously lets others enter the market

Panoptic

11,316.21 USDC • 4 total findings • Code4rena • bin2chen

silver

high

Attacker can steal all fees from SFPM in pools with ERC777 tokens.

high

`SettleLongPremium` is incorrectly implemented: premium should be deducted instead of added

medium

_updateSettlementPostBurn() may not correctly reduce s_grossPremiumLast[chunkKey]

medium

`_validatePositionList()` does not check for duplicate tokenIds, allowing attackers to bypass solvency checks

Mar '24

Optimism Fault Proofs

2,203.02 USDC • 1 total finding • Sherlock • bin2chen

#6

medium

initialize() DOS attack by very big l2BlockNumber

Perennial V2 Update #2

15,301.22 USDC • 5 total findings • Sherlock • bin2chen

silver

high

OracleVersion will not be invalid

medium

_loadContext() uses the wrong pendingGlobal.

medium

Liquidator/referrer is himself, rewards will be lost

medium

Liquidator can set up referrals for other users

medium

ChainlinkFactory will pay non-requested versions keeper fees

zkSync Era

128,509.53 USDC • 3 total findings • Code4rena • bin2chen

gold

high

paymaster will refund spentOnPubdata to user

medium

L2SharedBridge l1LegacyBridge is not set

medium

Frozen chain will never be unfrozen since `StateTransitionManager::unfreezeChain` is calling `freezeDiamond` instead of `unfreezeDiamond`.

Feb '24

Tapioca

11,967.40 USDC • 16 total findings • Sherlock • bin2chen

bronze

high

exerciseOptionsReceiver() Lack of Ownership Check for oTAP, Allowing Anyone to Use oTAPTokenID

high

Multiple lzCompose messages did not verify the legality of _srcChainSender

high

Unupdated totalBorrow After BigBang Liquidation

high

Unrestricted srcChainSender in USDO.executeModule()

high

SGL Liquidation Fees be Locked in Penrose

high

leverageUpReceiver() Missing Security Check for msg_.marketHelper

medium

buyCollateral() does not work properly

medium

sellCollateral() does not work properly

medium

sellCollateral() using incorrect parameters when calling getAsset

medium

sellCollateral() when selling collateral, the quantity parameter passed may be too large

medium

rebalance() Permission Control Error

medium

mTOFTReceiver MSG_XCHAIN_LEND_XCHAIN_LOCK unable to execute

medium

Multiple contracts cannot be paused

medium

mTOFT when erc20==address(0) need to pay fees twice

medium

TOFT.exerciseOptionsReceiver may be unable to retrieve TapToken

medium

Balancer using safeApprove may lead to revert.

HydraDX

8,911.28 USDC • 1 total finding • Code4rena • bin2chen

bronze

high

An attacker possesses the capability to exhaust the entirety of liquidity within the stable swap pools by manipulating the buy function, specifically by setting the asset_in parameter equal to the asset_out parameter

Jan '24

Opus

21,284.98 USDC • Code4rena • bin2chen

gold

incentive-contracts

1,766.54 USDC • 5 total findings • Cantina • bin2chen

#12

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Notional Update #5

11,424.00 USDC • 8 total findings • Sherlock • bin2chen

silver

high

mintViaUnderlying() minImpliedRate may be invalid

high

wfCashLogic.sol returned eth is locked in the contract

medium

_isExternalLendingUnhealthy() using stale factors

medium

recover() using the standard transfer may not be able to retrieve some tokens

medium

getOracleData() maxExternalDeposit not accurate

medium

getTargetExternalLendingAmount() when targetUtilization == 0 no check whether enough externalUnderlyingAvailableForWithdraw

medium

getTargetExternalLendingAmount() targetAmount may be far less than the correct value

medium

Immediate payment of REWARD_TOKEN may block most of nToken's operations

Dec '23

Olympus RBS 2.0

576.82 USDC • 2 total findings • Sherlock • bin2chen

#12

medium

getWeightedPoolTokenPrice() wrongly assumes that all of the weighted pools use totalSupply

medium

getReservesByCategory() when useSubmodules = true and submoduleReservesSelector = bytes4(0) will revert

Nov '23

Shell Protocol

814.56 USDC • Code4rena • bin2chen

#5

Panoptic

4,233.75 USDC • 4 total findings • Code4rena • bin2chen

#4

high

Attacker can steal all fees from SFPM in pools with ERC777 tokens.

high

`SettleLongPremium` is incorrectly implemented: premium should be deducted instead of added

medium

_updateSettlementPostBurn() may not correctly reduce s_grossPremiumLast[chunkKey]

medium

`_validatePositionList()` does not check for duplicate tokenIds, allowing attackers to bypass solvency checks

Nouns Builder

21.94 USDC • 1 total finding • Sherlock • bin2chen

#9

high

when reservedUntilTokenId > 100, the first funder loses 1% of NFTs

Notional Update #4

237.52 USDC • 1 total finding • Sherlock • bin2chen

#7

medium

reinvestReward() generates dust totalPoolClaim causing vault abnormal

Canto Application Specific Dollars and Bonding Curves for 1155s

902.93 USDC • 3 total findings • Code4rena • bin2chen

silver

high

Owner cannot withdraw all interest due to wrong calculation of accrued interest in WithdrwaCarry

medium

No slippage protection for Market functions

medium

Users will lose rewards when buying new tokens if they already own some tokens

GMX-Solana Blackthorn

Collaborative Audit • Blackthorn • bin2chen

Oct '23

Perennial V2 Update #1

4,554.31 USDC • 4 total findings • Sherlock • bin2chen

bronze

medium

MultiInvoker closableAmount the calculation logic is wrong

medium

interfaceFee incorrectly converted to uint40 when stored

medium

KeeperOracle callbacks can only set the first market and user

medium

vault.claimReward() If there is a market without a reward token, it may cause all markets to be unable to retrieve rewards.

zkSync Era

12,223.84 USDC • 3 total findings • Code4rena • bin2chen

#10

high

paymaster will refund spentOnPubdata to user

medium

L2SharedBridge l1LegacyBridge is not set

medium

Frozen chain will never be unfrozen since `StateTransitionManager::unfreezeChain` is calling `freezeDiamond` instead of `unfreezeDiamond`.

Sep '23

Venus Prime

202.85 USDC • 1 total finding • Code4rena • bin2chen

#19

high

A malicious user can avoid unfavorable score updates after alpha/multiplier changes, resulting in accrual of outsized rewards for the attacker at the expense of other users

Maia DAO - Ulysses

1,654.47 USDC • 3 total findings • Code4rena • bin2chen

#11

high

All tokens can be stolen from `VirtualAccount` due to missing access modifier

medium

Incorrect flag results in _hasFallbackToggled always being set to false in createMultipleSettlement.

medium

addGlobalToken() localAddress could be overwritten

Perennial V2 Fix Review

2,416.66 USDC • 1 total finding • Sherlock • bin2chen

silver

medium

commitRequested() front-run with a malicious invalid oracle

Centrifuge

1,247.37 USDC • 2 total findings • Code4rena • bin2chen

#9

medium

Cached `DOMAIN_SEPARATOR` is incorrect for tranche tokens potentially breaking permit integrations

medium

onlyCentrifugeChainOrigin() can't require msg.sender to equal axelarGateway

Ondo Finance

272.76 USDC • 1 total finding • Code4rena • bin2chen

#17

medium

TWO DIFFERENT TRANSACTIONS CAN RESULT IN THE SAME `txnHash` VALUE THUS BREAKING THE APPROVAL PROCESS OF TRANSACTION MINTING

Aug '23

Chainlink Staking v0.2

903.17 USDC • Code4rena • bin2chen

#34

Dopex

364.42 USDC • 8 total findings • Code4rena • bin2chen

#46

high

The settle feature will be broken if an attacker arbitrarily transfers collateral tokens to the PerpetualAtlanticVaultLP

high

The peg stability module can be compromised by forcing lowerDepeg to revert.

high

Users can get immediate profit when depositing and redeeming in `PerpetualAtlanticVaultLP`

high

`UniV3LiquidityAMO::recoverERC721` will cause `ERC721` tokens to be permanently locked in `rdpxV2Core`

medium

_curveSwap: getDpxEthPrice and getEthPrice are in the wrong order

medium

reLP() mintokenAAmount the calculations are wrong.

medium

`sync` function in `RdpxV2Core.sol` should be called in multiple scenarios to account for the balance changes that occur

medium

Change of `fundingDuration` causes "time travel" of `PerpetualAtlanticVault.nextFundingPaymentTimestamp()`

veRWA

233.51 USDC • 2 total findings • Code4rena • bin2chen

#18

high

Delegated votes are locked when owner lock is expired

high

When adding a gauge, its initial value has to be set by an admin or all voting power towards it will be lost

PoolTogether V5: Part Deux

1,416.1 USDC • 4 total findings • Code4rena • bin2chen

#6

high

`rngComplete` function should only be called by `rngAuctionRelayer`

medium

Missing `deadline` param in `swapExactAmountOut()` allows outdated slippage and allows pending transactions to be executed unexpectedly.

medium

_computeAvailable() the calculations are wrong

medium

RngRelayAuction.rngComplete() DOS attack

Jul '23

Moonwell

162.72 USDC • 2 total findings • Code4rena • bin2chen

#28

medium

Proposals which intend to send native tokens to target addresses can't be executed

medium

`TemporalGovernor` can be bricked by `guardian`

Perennial V2

3,854.21 USDC • 3 total findings • Sherlock • bin2chen

#5

high

fund() fee token can be locked

high

settle(address(0)) global overwritten by local

medium

update() wrong privilege control

Tokemak

1,304.52 USDC • 8 total findings • Sherlock • bin2chen

#18

high

_claimRewards() Convex rewards may be locked in contracts

high

queueNewRewards() transferFrom number is wrong

high

updatePricingInfo() averagePrice calculations are wrong.

high

_beforeTokenTransfer() Missing call MainRewarder._updateReward

high

LMPVaultRouter duplicate transfer ETH

high

_withdraw() idleIncrease might be less

high

_performLiquidation() not working properly

medium

deposit() may overflow

PoolTogether

2,311.11 USDC • 4 total findings • Code4rena • bin2chen

#7

high

Resetting delegation will result in user funds being lost forever

high

`Vault.mintYieldFee` FUNCTION CAN BE CALLED BY ANYONE TO MINT `Vault Shares` TO ANY RECIPIENT ADDRESS

medium

Loss of precision leads to undercollateralization

medium

Number of prize tiers always increases if just 1 canary prize is claimed

Tapioca DAO

3,607.34 USDC • 17 total findings • Code4rena • bin2chen

#18

high

Collateral can be locked in BigBang contract when `debtStartPoint` is nonzero

high

Exercise option cross chain message in the (m)TapiocaOFT will always revert in the destination, losing debited funds in the source chain

high

Attacker can pass duplicated reward token addresses to steal the reward of contract `twTAP.sol`

high

Incorrect liquidation reward computation causes excess liquidator rewards to be given

high

Ability to steal user funds and increase collateral share infinitely in BigBang and Singularity

high

A user with a TapiocaOFT allowance >0 could steal all the underlying ERC20 tokens of the owner

high

Tokens can be stolen from other users who have approved Magnetar

high

twTAP.claimAndSendRewards() will claim the wrong amount for each reward token due to the use of wrong index.

high

Attacker can prevent rewards from being issued to gauges for a given epoch in TapiocaOptionBroker

medium

`totalCollateralShare` state variable not updated in `Singularity` market upon liquidation, resulting in an error on `addCollateral` with skim functionality

medium

Incorrect `eligibleAmount` for `AirdropBroker` Phase 3

medium

`extractTAP()` function can allow minting an infinite amount in one week, leading to a DoS attack in `emitForWeek()`

medium

`TapiocaOptionLiquidityProvision` causes Loss of Yield when depositing and withdrawing from Singularity - should use shares to track balances

medium

TOFT `exerciseOption` fails due to not passing `msg.value` properly

medium

`StargateStrategy#_currentBalance` calculation is incorrect and may lead to DoS

medium

oTAP::participate - Call will always revert if msg.sender is approved but not owner

medium

A portion of stargate token rewards earned by StargateStrategy are permanently locked in the contract

Bond Options

1,940.45 USDC • 5 total findings • Sherlock • bin2chen

bronze

high

steal funds with variable decimals of payoutToken

high

reclaim() can be executed repeatedly

medium

stake() missing set of lastEpochClaimed when userBalance equals 0

medium

claimRewards() If a reward is too small, it may block other epochs

medium

receiver can prevent exercise then force OptionToken to expire

Dinari

109.39 USDC • 1 total finding • Sherlock • bin2chen

#8

medium

takeEscrow() can possibly take funds from closed orders

Jun '23

Symmetrical

5,267.62 USDC • 9 total findings • Sherlock • bin2chen

#4

high

liquidatePartyA() Liquidate DOS

high

setSymbolsPrice() can use the priceSig from a long time ago

high

Liquidation missing partyNonces++

high

LibMuon Signature hash collision

high

liquidatePositionsPartyA() may underflow

medium

After the liquidation timeout, the corresponding trading is locked forever.

medium

openPosition() needs the notSuspended() modifier

medium

lockQuote() increaseNonce parameters do not work properly

medium

fillCloseRequest() when CANCEL_CLOSE_PENDING, missing check of minAcceptableQuoteValue

Stader Labs

6,286.75 USDC • 6 total findings • Code4rena • bin2chen

bronze

high

`VaultProxy` implementation can be initialized by anyone and self-destructed

medium

Owner in VaultProxy.sol is address(0)

medium

Chainlink's `latestRoundData` may return stale or incorrect result

medium

depositETHOverTargetWeight() allows malicious modification of poolIdArrayIndexForExcessDeposit

medium

`updatePoolAddress` function always reverts when updating an existing poolId

medium

`pause/unpause` functionalities not implemented in many pausable contracts

May '23

Maia DAO Ecosystem

15,783 USDC • 17 total findings • Code4rena • bin2chen

#4

high

Incorrect flow of adding liquidity in UlyssesRouter.sol

high

`UlyssesToken` asset ID accounting error

high

redeem() beforeRedeem using the wrong owner parameter

high

withdrawProtocolFees() Possible malicious or accidental withdrawal of all rewards

high

Multiple issues with decimal scaling will cause incorrect accounting of hTokens and underlying tokens

high

setWeight() Logic error

high

Rerange/rebalance should not use protocolFee as asset for adding liquidity

medium

ERC4626PartnerManager.sol mints extra `partnerGovernance` tokens to itself, resulting in over supply of governance token

medium

`UlyssesToken.setWeights(...)` can cause user loss of assets on vault deposits/withdrawals

medium

`BribesFactory::createBribeFlywheel` can be completely blocked from creating any Flywheel by a malicious actor

medium

Ulysses omnichain - addbridgeagentfactory in rootPort is not functional

medium

Removing more gauge weight than it should while transferring `ERC20Gauges` token

medium

RestakeToken function is not permissionless

medium

_decrementWeightUntilFree() Possible infinite loop

medium

updatePeriod() mints less HERMES

medium

vMaia lacks override of forfeitBoost

medium

migratePartnerVault() the first vault does not work properly

Iron Bank

0.03 USDC • 2 total findings • Sherlock • bin2chen

#23

medium

getPriceFromChainlink() doesn't check if the Arbitrum sequencer is down in Chainlink feeds

medium

Chainlink's latestRoundData may return stale or incorrect results

Chainlink Cross-Chain Services: CCIP and ARM Network

4,386.49 USDC • Code4rena • bin2chen

#11

Venus Protocol Isolated Pools

7,106.37 USDC • 4 total findings • Code4rena • bin2chen

gold

medium

Exchange Rate can be manipulated

medium

DOS attack prevents refunding previous bid in Shortfall.sol and malicious bidder always wins the auction

medium

Potential Unjust Liquidation After Exiting Market

medium

placeBid() Possible participation in auctions that have been modified

Apr '23

EigenLayer Contest

1,443.93 USDC • 1 total finding • Code4rena • bin2chen

#13

high

It is impossible to slash queued withdrawals that contain a malicious strategy due to a misplacement of the ++i increment

GMX Update

9,423.09 USDC • 2 total findings • Sherlock • bin2chen

#4

high

swapProfitToCollateralToken() missing cancellation of poolAmountAdjustment

high

decreasePosition() wrong calculation of estimatedRemainingCollateralUsd

ENS Contest

754.35 USDC • 1 total finding • Code4rena • bin2chen

#15

medium

Incorrect implementation of RecordParser.readKeyValue()

Frankencoin

3,318.2 USDC • 7 total findings • Code4rena • bin2chen

#4

high

CHALLENGER_REWARD can be used to drain reserves and free mint

high

[H-06] Double-entrypoint collateral token allows position owner to withdraw underlying collateral without repaying ZCHF

high

Challenges can be frontrun with de-leveraging to cause losses for challengers

medium

initializeClone() price calculation should round up

medium

Need alternative ways for fund transfer in `end()` to prevent DoS

medium

POSITION LIMIT COULD BE FULLY REDUCED TO ZERO BY CLONES

medium

function `restructureCapTable()` in Equity.sol not functioning as expected

Caviar Private Pools

93.67 USDC • 4 total findings • Code4rena • bin2chen

#44

medium

`Factory.create`: Predictability of pool address creates multiple issues.

medium

Loss of funds for traders due to accounting error in royalty calculations

medium

Flash loan fee is incorrect in Private Pool contract

medium

EthRouter can't perform multiple changes

Rubicon v2

662.01 USDC • 4 total findings • Code4rena • bin2chen

#20

high

`RubiconMarket._buys` will not work for V1 offers due to the reversion in `cancel` method.

high

DOS of market operations with malicious offers

medium

A liquidated position possibly cannot be closed

medium

Incorrect calculations can occur when calling `Position._marketBuy` and `Position._marketSell` functions that do not include maker fee in `_fee`

Mar '23

Gitcoin

606.14 USDC • Sherlock • bin2chen

#5

Notional V3

12,027.96 USDC • 4 total findings • Sherlock • bin2chen

silver

high

claimCOMPAndTransfer() COMP may be locked into the contract

high

_redeemMoneyMarketIfRequired() redeems too much money from the market

high

repayAccountPrimeDebtAtSettlement() user loses residual cash

medium

getAccountPrimeDebtBalance() always returns 0

Asymmetry contest

102.48 USDC • 3 total findings • Code4rena • bin2chen

#49

high

A temporary issue shows in the staking functionality which leads to the users receiving less minted tokens.

high

An attacker can manipulate the preDepositvePrice to steal from other users.

high

`WstEth` derivative assumes a ~1=1 peg of stETH to ETH

Canto Identity Subprotocols contest

19.87 USDC • 1 total finding • Code4rena • bin2chen

#28

medium

Bio Protocol - `tokenURI` JSON injection

Polynomial Protocol contest

1,621.84 USDC • Code4rena • bin2chen

#8

Y2K

3,229.10 USDC • 11 total findings • Sherlock • bin2chen

silver

high

enlistInRollover() wrongly sets ownerToRollOverQueueIndex

high

mintDepositInQueue() queue funds may be locked

high

mintRollovers() incorrect number to _mintShares()

high

delistInRollover() disrupts the rolloverQueue order

medium

emissionsToken may remain in the contract

medium

getLatestPrice() may use a stale price

medium

changeTreasury() lacks a check and does not remove the old treasury

medium

ControllerPeggedAssetV2 should use vault's own treasury

medium

triggerEndEpoch() misses the check that vault.totalAssets() equals 0

medium

mintRollovers() the logic for judging whether to win may be wrong

medium

rolloverQueue may lead to GAS OUT risk

zkSync Era System Contracts contest

10,743.03 USDC • 2 total findings • Code4rena • bin2chen

bronze

medium

deploying contracts with forceDeployOnAddress will break contracts when callConstructor is false

medium

DefaultAccount#fallback lacks payable

Wenwin contest

641.04 USDC • 1 total finding • Code4rena • bin2chen

#10

high

`LotteryMath.calculateNewProfit` returns wrong profit when there is no jackpot winner

Feb '23

Surge

186.65 USDC • 3 total findings • Sherlock • bin2chen

#9

high

deposit() front-run to steal funds

high

liquidate() Possible loss of precision

medium

Pool may store the fee to address(0)

Hats

1,116.61 USDC • 1 total finding • Sherlock • bin2chen

#5

high

checkTransaction() can skip the minThreshold limit

Derby

232.18 USDC • 4 total findings • Sherlock • bin2chen

#25

medium

addToTotalRewards() may calculate wrongly when current period rewards are not set

medium

withdrawalRequest() may lose funds in the first period

medium

pullFunds() break should not be used

medium

setDeltaAllocationsInt() reverting on a blacklisted entry will cause the others to also not be settable

Ethos Reserve contest

9,600.63 USDC • 3 total findings • Code4rena • bin2chen

#4

high

Re-balancing the vault allocation may always revert when distributing profits, resulting in a massive system DOS

medium

If the strategy incurs a loss the Active Pool will stop working until the shortfall is paid out entirely

medium

_harvestCore() roi calculation error

GMX

5,296.83 USDC • 3 total findings • Sherlock • bin2chen

#8

high

createDeposit() can steal wnt

high

executeWithdrawal() minLongTokenAmount/minShortTokenAmount doesn't work

high

estimateExecuteWithdrawalGasLimit() missing inclusion of gasForSwaps

Carapace

5,741.43 USDC • 6 total findings • Sherlock • bin2chen

silver

high

Malicious seller can forcibly break lockCapital()

high

claimUnlockedCapital() can be repeatedly claimed

high

_calculateClaimableAmount() wrongly calculates the claimable amount

high

activeProtectionIndexes OUT_OF_GAS attacks

high

requestWithdrawal() lacks a pool cycle refresh before getting the cycle index

high

user may not be able to renewProtection() properly within protectionRenewalGracePeriodInSeconds

OpenQ

3,861.69 USDC • 9 total findings • Sherlock • bin2chen

#4

high

malicious expiration leads to refund failure and fund lock

high

claimTiered() steal bounty

high

ClaimBounty() If any NFT has a refund, it will lead to failure to claim other bounties

high

Unsupported tokens: revert on zero-value transfers.

high

deposits OUT_OF_GAS attacks

high

block claim bounty attacks

medium

nftDepositLimit attack

medium

fundBountyToken() cannot fund token that has been added before

medium

setPayoutScheduleFixed/setPayoutSchedule() can't resize to fewer tiers

Jan '23

Popcorn contest

4,342.78 USDC • 12 total findings • Code4rena • bin2chen

bronze

high

Anyone who uses the same adapter has the ability to pause it

high

Modifier VaultController._verifyCreatorOrOwner does not work as intended

high

BeefyAdapter() malicious vault owner can use malicious _beefyBooster to steal the adapter's token

medium

AdapterBase.harvest should be called before deposit and withdraw

medium

AdapterBase should always use delegatecall to call the functions in the strategy

medium

Malicious Users Can Drain The Assets Of Vault (Due to not being ERC4626 Compliant)

medium

The calculation of `takeFees` in `Vault` contract is incorrect

medium

`Vault.redeem` function does not use `syncFeeCheckpoint` modifier

medium

cool down time period is not properly respected for the `harvest` method

medium

VaultController() Missing call DeploymentController.nominateNewDependencyOwner()

medium

Anyone can reset fees to 0 value when Vault is deployed

medium

`Vault::takeFees` can be front run to minimize `accruedPerformanceFee`

RabbitHole Quest Protocol contest

188.26 USDC • 5 total findings • Code4rena • bin2chen

#23

high

Protocol fees can be withdrawn multiple times in `Erc20Quest`

medium

Possible scenario for Signature Replay Attack

medium

Funds can be stuck due to wrong order of operations

medium

Users may not claim Erc1155 rewards when the Quest has ended

medium

User may lose rewards if the receipt is minted after quest end time

Cooler

201.56 USDC • 3 total findings • Sherlock • bin2chen

#20

high

ERC20 TRANSFERFROM RETURN VALUES NOT CHECKED

high

Lender can force a Loan to default

high

rollable defaults to true, which may put Lender at risk

Ondo Finance contest

5,956.17 USDC • 2 total findings • Code4rena • bin2chen

bronze

medium

`CashManager.setEpochDuration` function has inconsistent output.

medium

setPendingRedemptionBalance() may cause the user's cash token to be lost

Astaria contest

3,097.92 USDC • 10 total findings • Code4rena • bin2chen

#9

high

Attacker can take loan for Victim

high

Lack of StrategyDetailsParam.vault validation allows the borrower to steal all the funds from the vault

high

Improper validations in Clearinghouse; possible to lock collateral NFT in contract.

high

ERC4626Cloned deposit and mint logic differ on first deposit

medium

minDepositAmount is unnecessarily high, can price out many users

medium

For a public vault, minimum deposit requirement that is enforced by `ERC4626Cloned.deposit` function can be bypassed by `ERC4626Cloned.mint` function or vice versa when share price does not equal one

medium

LienToken.transferFrom There is a possibility of malicious attack

medium

settleAuction() check for status errors

medium

_buyoutLien() does not properly validate the liquidationInitialAsk

medium

LienToken._payment function increases users debt

Biconomy - Smart Contract Wallet contest

48.98 USDC • 2 total findings • Code4rena • bin2chen

#52

high

Arbitrary transactions possible due to insufficient signature validation

high

Attacker can gain control of counterfactual wallet

Dec '22

Papr contest

2,093.84 USDC • 4 total findings • Code4rena • bin2chen

#10

high

Borrowers may earn auction proceeds without filling the debt shortfall

medium

PaprController.buyAndReduceDebt: msg.sender can lose papr by paying the debt twice

medium

`PaprController` pays swap fee in `buyAndReduceDebt`, not user

medium

Disabled NFT collateral should not be used to mint debt

GoGoPool contest

1,874.45 USDC • 7 total findings • Code4rena • bin2chen

#13

high

MinipoolManager: node operator can avoid being slashed

high

Hijacking of node operators minipool causes loss of staked funds

high

ProtocolDAO lacks a method to take out GGP

medium

MinipoolManager: recordStakingError function does not decrease minipoolCount leading to too high GGP rewards for staker

medium

MultisigManager may not be able to add a valid Multisig

medium

State Transition: Minipools can be created using other operator's AVAX deposit via recreateMinipool

medium

Coding logic of the contract upgrading renders upgrading contracts impractical

Forgeries contest

19.22 USDC • 1 total finding • Code4rena • bin2chen

#25

high

Admin does not have to wait to call `lastResortTimelockOwnerClaimNFT()`

Tigris Trade contest

1,643.49 USDC • 5 total findings • Code4rena • bin2chen

#13

high

Users can bypass the `maxWinPercent` limit using a partial close

high

Not enough margin pulled or burned from user when adding to a position

medium

StopLoss/TakeProfit should be validated again for the new price in `Trading.executeLimitOrder()`

medium

Governance NFT holder, whose NFT was minted before `Trading._handleOpenFees` function is called, can lose deserved rewards after `Trading._handleOpenFees` function is called

medium

Chainlink price feed is not sufficiently validated and can return stale price

prePO contest

210.78 USDC • 1 total finding • Code4rena • bin2chen

#26

high

A whale user is able to cause freeze of funds of other users by bypassing withdraw limit

Escher contest

4,376.54 USDC • 5 total findings • Code4rena • bin2chen

gold

high

selfdestruct may cause the funds to be lost

high

`LPDA` price can underflow the price due to bad settings and potentially brick the contract

high

`saleReceiver` and `feeReceiver` can steal refunds after sale has ended

medium

Sale contracts can be bricked if any other minter mints a token with an id that overlaps the sale

medium

Use of `payable.transfer()` Might Render ETH Impossible to Withdraw

NounsDAO

349.49 USDC • 1 total finding • Sherlock • bin2chen

#5

medium

cancel() maybe can't execute

Nov '22

Opyn Crab Netting

685.68 USDC • 2 total findings • Sherlock • bin2chen

#7

high

checkOrder() anyone can cancel other people's order

high

Users in usdc's blocklist will block CrabNetting running.

Isomorph

525.43 USDC • 3 total findings • Sherlock • bin2chen

#12

high

partialWithdrawFromGauge() can steal other people's token

medium

_updateVirtualPrice() virtualPrice smaller than expected

medium

increaseCollateralAmount() may be unable to prevent liquidation

Redacted Cartel contest

6,166.83 USDC • 4 total findings • Code4rena • bin2chen

silver

high

Malicious Users Can Drain The Assets Of Auto Compound Vault

high

fee loss in AutoPxGmx and AutoPxGlp and reward loss in AutoPxGlp by calling PirexRewards.claim(pxGmx/pxGpl, AutoPx*) directly which transfers rewards to AutoPx* pool without compound logic get executed and fee calculation logic and pxGmx wouldn't be exe

medium

Deposit Feature Of The Vault Will Break If Update To A New Platform

medium

PirexGmx#migrateReward() may cause users to lose Reward.

Buffer Finance

1,565.33 USDC • 3 total findings • Sherlock • bin2chen

#5

high

resolveQueuedTrades() may use the malicious price

medium

UNSAFE USAGE OF ERC20 TRANSFER AND TRANSFERFROM

medium

resolveQueuedTrades() ERC777 re-enter to steal funds

Bull v Bear

746.62 USDC • 4 total findings • Sherlock • bin2chen

silver

high

reclaimContract() malicious causes token loss

high

transferPosition() cause the order to rematch

high

withdrawToken() Malicious users can let other user's NFT be locked

medium

withdrawToken() May not be able to retrieve NFT

LSD Network - Stakehouse contest

66.5 USDC • 3 total findings • Code4rena • bin2chen

#47

high

Giant pools can be drained due to weak vault authenticity check

medium

Incorrect implementation of the ETHPoolLPFactory.sol#rotateLPTokens let user stakes ETH more than maxStakingAmountPerValidator in StakingFundsVault, and DOS the stake function in LiquidStakingManager

medium

Giant pools cannot receive ETH from vaults

Blur Exchange contest

1,016.92 USDC • 2 total findings • Code4rena • bin2chen

#5

high

Direct theft of buyers' ETH funds.

medium

Pool designed to be upgradeable but does not set owner, making it unupgradeable

FrankenDAO

203.72 USDC • 1 total finding • Sherlock • bin2chen

#13

high

stake() No limit on _unlockTime, can get huge votes

SIZE contest

153.1 USDC • 1 total finding • Code4rena • bin2chen

#24

high

Attacker can steal any funds in the contract by state confusion (no preconditions)

Debt DAO contest

8,432.71 USDC • 4 total findings • Code4rena • bin2chen

bronze

high

Borrower can close a credit without repaying debt

high

Borrower can craft a borrow that cannot be liquidated, even by arbiter.

medium

Whitelisted functions aren't scoped to revenue contracts and may lead to unnoticed calls due to selector clashing

medium

Mistakenly sent eth could be locked

Oct '22

Paladin - Warden Pledges contest

1,863.05 USDC • 1 total finding • Code4rena • bin2chen

#4

medium

Pledges that contain delisted tokens can be extended to continue using delisted reward tokens

Inverse Finance contest

0.38 USDC • 1 total finding • Code4rena • bin2chen

#50

medium

Chainlink oracle data feed is not sufficiently validated and can return stale `price`

Illuminate

429.35 USDC • 4 total findings • Sherlock • bin2chen

#16

high

withdraw() Logical problem

medium

setPrincipal() for Notional always fails

medium

Redeemer.sol can't set new fee

medium

mint() wrong pass parameter

Astaria

2,358.19 USDC • 8 total findings • Sherlock • bin2chen

#6

high

WithdrawProxy allows anyone to deposit/mint, resulting in malicious enlargement of shares.

high

cancelAuction() no refund of the final bid amount

high

commitToLiens() Execution always fails

high

buyoutLien() will cause the vault to fail to processEpoch()

high

Auction#reservePrice maybe less than required

medium

createBid() newDuration miscalculation

medium

new loans "max duration" is not restricted

medium

_payment() maybe overpayment

NFTPort

3,119.91 USDC • 2 total findings • Sherlock • bin2chen

silver

medium

call() signature replay attack

medium

registerTemplate() can't handle properly when ITemplate version is 0

Holograph contest

2,594.44 USDC • 1 total finding • Code4rena • bin2chen

#6

medium

ApprovalAll event is missing parameters

3xcalibur contest

51.4 USDC • Code4rena • bin2chen

#30

Union Finance

1,494.58 USDC • 2 total findings • Sherlock • bin2chen

#7

medium

removeAdapter/removeToken need to cancel approve

medium

updateTrust() vouchers also need check maxVouchers

Merit Circle

800.30 USDC • 3 total findings • Sherlock • bin2chen

bronze

high

wrong "unit" setting

medium

contract unavailability attack

medium

Improper escrow configuration can lead to loss of Rewards

Blur Exchange contest

50.48 USDC • 2 total findings • Code4rena • bin2chen

#22

high

Direct theft of buyers' ETH funds.

medium

Pool designed to be upgradeable but does not set owner, making it unupgradeable

Mycelium

315.36 USDC • 2 total findings • Sherlock • bin2chen

#5

medium

addPlugin() does not limit duplicate plugins, which can lead to double balances

medium

transfer any amount of LINK before first deposit() will result in any subsequent deposits getting shares equal to zero

Sep '22

Knox Finance

408.66 USDC • 1 total finding • Sherlock • bin2chen

#11

medium

epochsByBuyer() count error

Frax Ether Liquid Staking contest

1,941.03 USDC • 1 total finding • Code4rena • bin2chen

#4

high

Wrong accounting logic when syncRewards() is called within beforeWithdraw makes withdrawals impossible

VTVL contest

408.52 USDC • 2 total findings • Code4rena • bin2chen

#16

high

Permanent freeze of vested tokens due to overflow in _baseVestedAmount

medium

Supply cap of VariableSupplyERC20Token is not properly enforced

Art Gobblers contest

2,383.77 USDC • 2 total findings • Code4rena • bin2chen

#11

high

Can Recover Gobblers Burnt In Legendary Mint

medium

The reveal process could brick if `randProvider` stops working

Y2k Finance contest

300.01 USDC • 1 total finding • Code4rena • bin2chen

#25

high

Depeg event can happen at incorrect price

PartyDAO contest

2,015.33 USDC • 1 total finding • Code4rena • bin2chen

#7

medium

The settledPrice maybe exceed maximumPrice

Nouns Builder contest

876.33 USDC • 6 total findings • Code4rena • bin2chen

#24

high

Multiple vote checkpoints per block will lead to incorrect vote accounting

medium

Delegation should not be allowed to address(0)

medium

Truncation in casting can lead to a founder receiving all the base tokens

medium

The quorum votes calculations don't take into account burned tokens

medium

A proposal can pass with 0 votes in favor at early DAO stages

medium

Index out of bounds error when properties length is more than attributes length breaks minting

Aug '22

Sentiment

219.53 USDC • 1 total finding • Sherlock • bin2chen

#22

medium

UniV2Controller.sol miss the legal detection of tokensIn

Olympus DAO contest

1,769.18 USDC • 1 total finding • Code4rena • bin2chen

#15

high

Anyone can pass any proposal alone before first `VOTES` are minted

Nouns DAO contest

1,683.29 USDC • 1 total finding • Code4rena • bin2chen

#7

high

ERC721Checkpointable: delegateBySig allows the user to vote to address 0, which causes the user to permanently lose his vote and cannot transfer his NFT.

FIAT DAO veFDT contest

107.62 USDC • 1 total finding • Code4rena • bin2chen

#33

medium

ERROR IN UPDATING **_checkpoint** IN THE **increaseUnlockTime** FUNCTION

Fraxlend (Frax Finance) contest

50.07 USDC • Code4rena • bin2chen

#57

Foundation Drop contest

1,757.37 USDC • 1 total finding • Code4rena • bin2chen

#6

medium

Forget to check "Some manifolds contracts of ERC-2981 return (address(this), 0) when royalties are not defined" in 3rd priority - MarketFees.sol

Mimo August 2022 contest

3,489.26 USDC • 1 total finding • Code4rena • bin2chen

#5

high

MIMOEmptyVault.sol executeOperation() does not transfer the Vault leftover assets to the owner, it is locked in the MIMOEmptyVault

Rigor Protocol contest

301.12 USDC • 2 total findings • Code4rena • bin2chen

#28

high

Builder can call `Community.escrow` again to reduce debt further using same signatures

high

Project funds can be drained by reusing signatures, in some cases

Jul '22

Golom contest

39.84 USDC • Code4rena • bin2chen

#83

Swivel v3 contest

151.17 USDC • 1 total finding • Code4rena • bin2chen

#21

medium

Interface definition error

ENS contest

534.36 USDC • 1 total finding • Code4rena • bin2chen

#18

medium

Users can create extra ENS records at no cost

Fractional v2 contest

554.12 USDC • 2 total findings • Code4rena • bin2chen

#29

high

Proposal which started buyout which fails is able to settle migration as if its buyout succeeded.

high

Migration: no check that user-supplied `proposalId` and `vault` match