Security Researcher
#675 All Time
Mar '23
310.09 USDC • 1 total finding • Sherlock
#4
high
Withdrawals can be halted for all users with external staking
343.69 USDC • 3 total findings • Sherlock
#37
Users lose premium gained when enrolled to `mintRollovers`
medium
Emissions sent to an empty vault are forever locked
Freshness of price feed not checked properly
Feb '23
3.65 USDC • 1 total finding • Sherlock
#22
Initial user can skew vault ratios to steal funds from later users
407.12 USDC • 3 total findings • Sherlock
#11
Incorrect threshold update in `reconcileSignerCount`
Hats can be overwritten
Contract breaks if `targetThreshold` is ever reduced
1,564.56 USDC • Sherlock
#5
Findings not publicly available for private contests.
276.69 USDC • 2 total findings • Sherlock
Decimal error in reward debt handling
Incorrect caching of rewards by the `withdraw` function
940.93 USDC • Sherlock
34.48 USDC • 1 total finding • Sherlock
#8
Starting timestamp can be bypassed by calling `settle`
18.81 USDC • 1 total finding • Sherlock
#34
Users can skip withdrawal timelocks by spamming `requestWithdrawal` every cycle
1,304.75 USDC • 4 total findings • Sherlock
#10
IchiLP token pricing mechanism vulnerable to price manipulation
Interest earned through lending is forever locked in bank contract
Miscalculation of farmed ICHI rewards
`reducePosition` in IchiVaultSpell checks max LTV against stale debt values
66.95 USDC • 3 total findings • Sherlock
#36
Bounties can be broken by funding them with malicious ERC20 tokens
Refunds can be bricked by triggering OOG (out of gas) in DepositManager
Issuer can be frontrun with spam tokens to brick bounties
Jan '23
40.93 USDC • 1 total finding • Sherlock
#27
Approval in PerpDeposit.sol can be exploited to cause loss of funds
Nov '22
746.62 USDC • 4 total findings • Sherlock
Orders can be matched multiple times, costing multiple premiums
Re-entrancy in certain functions
Missing order validation in `reclaimContract` function
Allow changing of recipient for `withdrawToken`
Aug '22
70.70 USDC • 1 total finding • Sherlock
#25
Non-Liquidatable Accounts