chaduke

Security Researcher

High: 1 solo, 55 total
Medium: 7 solo, 91 total
Total earnings: $95.05K (#90 all time)
Payouts: 78x
2nd places (silver): 1x
3rd places (bronze): 4x
Top 10 (regular): 21x

Dec '24

SecondSwap

0 USDC • 1 total finding • Code4rena • chaduke

#67

high

Users can claim more than their actual allotment

Lambo.win

0 USDC • 1 total finding • Code4rena • chaduke

#36

high

Minting zero tokens when underlyingToken is not Ether in cashIn()

Oct '24

LoopFi

2,538.37 USDC • 6 total findings • Code4rena • chaduke

bronze

high

Rewards might be lost due to the error that _updateRewardIndex() might advance lastBalance without advancing index for a token.

medium

PositionAction.decreaseLever() fails to consider the loan fee in Flashlender when calculating loanAmount; as a result, the functionality will not work when protocolFee != 0.

medium

Incorrect calculation of `newCumulativeIndex` in function `calcDecrease`

medium

WhenNotPaused modifier in the CDPVault can be bypassed by users

medium

DOS attack on SwapAction.transferAndSwap() when using an ERC20 permit transferFrom.

medium

CDPVault.liquidatePosition() does not scale `takeCollateral` with `tokenScale`; therefore, it might send the wrong amount of collateral to the liquidator when tokenScale != 1 ether.

Aug '24

Winnables Raffles

Winnables Raffles

0.76 USDC • 1 total finding • Sherlock • chaduke

#38

medium

Roles._setRole() cannot delete a role from a user.

Jul '24

LoopFi

233.21 USDC • 6 total findings • Code4rena • chaduke

#30

high

Rewards might be lost due to the error that _updateRewardIndex() might advance lastBalance without advancing index for a token.

medium

PositionAction.decreaseLever() fails to consider the loan fee in Flashlender when calculating loanAmount; as a result, the functionality will not work when protocolFee != 0.

medium

Incorrect calculation of `newCumulativeIndex` in function `calcDecrease`

medium

WhenNotPaused modifier in the CDPVault can be bypassed by users

medium

DOS attack on SwapAction.transferAndSwap() when using an ERC20 permit transferFrom.

medium

CDPVault.liquidatePosition() does not scale `takeCollateral` with `tokenScale`; therefore, it might send the wrong amount of collateral to the liquidator when tokenScale != 1 ether.

MakerDAO Endgame

154.21 USDC • Sherlock • chaduke

#94

MagicSea - the native DEX on the IotaEVM

131.79 USDC • 1 total finding • Sherlock • chaduke

#25

medium

During emergency unlock, a call to addToPosition will reduce position.amountWithMultiplier, so the user might lose a lot of reward tokens in the future.

Jun '24

Notional Leveraged Vaults: Pendle PT and Vault Incentives

607.41 USDC • 2 total findings • Sherlock • chaduke

#12

high

EthenaLib#_sellStakedUSDe() fails to enforce the slippage control using `minPurchaseAmount` when borrowToken is DAI. A user might receive less borrowToken than expected.

medium

_claimRewardToken() will update accountRewardDebt even when there is a failure during reward claiming, as a result, a user might lose rewards.

eBTC Zap Router

1,912.82 USDC • 1 total finding • Code4rena • chaduke

#5

medium

Incorrect Comparison Logic in Post-Operation Checks

May '24

Elfi

1,310.17 USDC • 3 total findings • Sherlock • chaduke

#22

high

PositionMarginProcess.updatePositionFromBalanceMargin() returns the wrong ``changeAmount`` value for the case ``position.initialInUsdFromBalance <= addBorrowInUsd``.

medium

GasProcess.processExecutionFee() calculates ``lossFee`` wrongly (always zero), and keepers might lose some portion of the execution fee.

medium

AssetsProcess.deposit() fails to check that the token balance of a user cannot exceed collateralUserCap.

Mar '24

WOOFi Swap

1,000 USDC • Sherlock • chaduke

#10

Jan '24

Flat Money

80.91 USDC • 1 total finding • Sherlock • chaduke

#17

high

settleFundingFees() might underflow and lead to incorrect huge value for marginDepositedTotal.

Salty.IO

28.01 USDC • 1 total finding • Code4rena • chaduke

#103

high

When borrowers repay USDS, it is sent to the wrong address, allowing anyone to burn Protocol Owned Liquidity and build bad debt for USDS

Nov '23

core-and-erc1155a

7,012.6 USDC • 1 total finding • Cantina • chaduke

#5

high

Finding not yet public.

Nouns Builder

21.94 USDC • 1 total finding • Sherlock • chaduke

#9

high

Token.updateFounders() might clear the wrong tokenRecipient[baseTokenId], as a result, not all old founders might be deleted.

Canto Application Specific Dollars and Bonding Curves for 1155s

71.8 USDC • 1 total finding • Code4rena • chaduke

#21

medium

No slippage protection for Market functions

Kelp DAO | rsETH

83.44 USDC • 2 total findings • Code4rena • chaduke

#40

high

The price of rsETH could be manipulated by the first staker

medium

Update in strategy will cause wrong issuance of shares

Oct '23

zkSync Era

948.44 USDC • Code4rena • chaduke

#28

Sep '23

Maia DAO - Ulysses

163.01 USDC • 1 total finding • Code4rena • chaduke

#34

medium

Incorrect flag results in _hasFallbackToggled always being set to false in createMultipleSettlement.

Allo V2

1.30 USDC • 2 total findings • Sherlock • chaduke

#69

high

An allocator might allocate ``voiceCredits`` without any limit, exceeding ``maxVoiceCreditsPerAllocator`` due to forgetting to increase allocator.voiceCredits.

medium

QVBaseStrategy._qv_allocate() does not calculate _allocator.voiceCreditsCastToRecipient[_recipientId] correctly, as a result, the votes for each recipient and thus payout for each recipient will not be calculated correctly.

Aug '23

Chainlink Staking v0.2

1,421.63 USDC • Code4rena • chaduke

#30

Dopex

233.83 USDC • 5 total findings • Code4rena • chaduke

#53

high

The settle feature will be broken if an attacker arbitrarily transfers collateral tokens to the PerpetualAtlanticVaultLP

high

The peg stability module can be compromised by forcing lowerDepeg to revert.

high

Users can get immediate profit when depositing and redeeming in `PerpetualAtlanticVaultLP`

high

`UniV3LiquidityAMO::recoverERC721` will cause `ERC721` tokens to be permanently locked in `rdpxV2Core`

medium

Change of `fundingDuration` causes "time travel" of `PerpetualAtlanticVault.nextFundingPaymentTimestamp()`

Jul '23

Tokemak

392.21 USDC • 3 total findings • Sherlock • chaduke

#34

high

LMPVaultRouterBase.mint() will double charge a user when the user sends asset tokens using ETH (msg.value > 0), and then an attacker can steal the extra payment.

high

AbstractRewarder.queueNewRewards() will transfer ``(newRewards + queuedRewards)`` instead of ``newRewards`` reward tokens; as a result, the extra ``queuedRewards`` tokens will not be accounted for and will be lost to the contract forever.

medium

AbstractRewarder.notifyRewardAmount() does not calculate the leftover reward correctly when totalSupply() == 0.

Tapioca DAO

1,952.43 USDC • 7 total findings • Code4rena • chaduke

#29

high

Collateral can be locked in BigBang contract when `debtStartPoint` is nonzero

high

A user with a TapiocaOFT allowance > 0 could steal all the underlying ERC20 tokens of the owner

high

twTAP.claimAndSendRewards() will claim the wrong amount for each reward token due to the use of wrong index.

high

[HB02] `BalancerStrategy.sol`: `_withdraw` withdraws insufficient tokens

medium

`extractTAP()` function can allow minting an infinite amount in one week, leading to a DoS attack in `emitForWeek()`

medium

averageMagnitude in TapiocaOptionBroker is updated wrongly

medium

Potential loss of value in YieldBox's `depositETHAsset()`

May '23

Maia DAO Ecosystem

626.98 USDC • 3 total findings • Code4rena • chaduke

#39

medium

RestakeToken function is not permissionless

medium

Lack of slippage protection can lead to significant loss of user funds

medium

updatePeriod() less mint HERMES

Apr '23

GMX Update

28,912.77 USDC • 3 total findings • Sherlock • chaduke

silver

high

MarketUtils.getPoolValueInfo() does not use !maximize when evaluating impactPoolUsd, leading to wrong logic of maximizing or minimizing the pool value.

medium

MarketUtils.getFundingAmountPerSizeDelta() has a rounding logical error.

medium

PositionUtils.validatePosition() uses ``isIncrease`` instead of ``false`` when calling isPositionLiquidatable(), making it not work properly for the case of ``isIncrease = true``.

ENS Contest

3,622.13 USDC • 3 total findings • Code4rena • chaduke

#5

medium

Unintentionally register a non-relevant DNS name owner

medium

Incorrect implementation of RecordParser.readKeyValue()

medium

HexUtils.hexStringToBytes32() and HexUtils.hexToAddress() may return incorrect results

Teller

737.49 USDC • 5 total findings • Sherlock • chaduke

#13

high

setCollateralEscrowBeacon() has no access control, so anybody can change ``collateralEscrowBeacon``.

high

DOS attack on deployAndDeposit()

high

A malicious user can manipulate the amount of collateral for a borrower.

medium

There is a race condition between updateCommitment() and acceptCommitment().

medium

withdraw() has no access control, so a malicious user can use it to front-run repayLoanFull(), repay(), and liquidateLoanFull().

Caviar Private Pools

590.01 USDC • 5 total findings • Code4rena • chaduke

#14

high

PrivatePool owner can steal all ERC20 and NFT from user via arbitrary execution

medium

Transaction reverts if the baseToken does not support 0 value transfer when charging changeFee

medium

Loss of funds for traders due to accounting error in royalty calculations

medium

`changeFeeQuote` will fail for low decimal ERC20 tokens

medium

EthRouter can't perform multiple changes

Rubicon v2

0.15 USDC • 1 total finding • Code4rena • chaduke

#125

high

Reward accounting is incorrect in BathBuddy contract

Mar '23

Notional V3

4,232.96 USDC • 3 total findings • Sherlock • chaduke

#5

high

_redeemMoneyMarketIfRequired() will always overwithdraw from money market tokens, leading to lost opportunities to earn from the money markets (loss of funds).

medium

convertFromStorage() fails to use rounding-up when converting a negative storedCashBalance into signedPrimeSupplyValue.

medium

AccountAction#withdraw() might fail when one of the other money markets (Compound, Aave, or Euler) fails temporarily.

Asymmetry contest

41.6 USDC • 1 total finding • Code4rena • chaduke

#84

medium

Residual ETH unreachable and unutilized in SafEth.sol

Olympus Update

212.68 USDC • 1 total finding • Sherlock • chaduke

#5

medium

Wrong check condition for setLimit() because it fails to recognize the real effective ohm minting limit is ohmLimit + circulatingOhmBurned!

Kairos Loan

488.65 USDC • 1 total finding • Sherlock • chaduke

#7

medium

The useLoan() function (Dutch auction) will fail for some tokens when the price of the NFT becomes zero.

Canto Identity Subprotocols contest

177.24 USDC • Code4rena • chaduke

#17

Polynomial Protocol contest

664.22 USDC • Code4rena • chaduke

#15

Neo Tokyo contest

29.67 USDC • Code4rena • chaduke

#21

Taurus

30.89 USDC • 1 total finding • Sherlock • chaduke

#12

medium

_decreaseCurrentMinted() does not revise currentMinted() correctly, as a result, a wrong mint limit might be enforced on a vault.

Feb '23

Surge

1,203.80 USDC • 2 total findings • Sherlock • chaduke

bronze

high

First depositor attack: the first (early) depositors can steal funds from later depositors.

medium

A liquidator can gain not only collateral, but also can reduce his own debt!

Hats

48.84 USDC • 1 total finding • Sherlock • chaduke

#20

medium

DOS attack on getHatLevel()

Derby

569.67 USDC • 3 total findings • Sherlock • chaduke

#13

high

``pullFunds()`` might give the wrong account for ``savedTotalUnderlying``.

medium

MainVault.deposit() fails to enforce the deposit maximum for white-listed depositors in training

medium

Nobody can deposit when getVaultBalance() < reservedFunds

OlympusDAO

276.69 USDC • 2 total findings • Sherlock • chaduke

#22

high

Users might claim more rewards than they deserve, leading to loss of rewards for later claimers

high

Decimal issue with ``userRewardDebts`` might lead to over-claim/under-claim of rewards

Ethos Reserve contest

3,838.19 USDC • 2 total findings • Code4rena • chaduke

#9

high

User can lose up to whole stake on vault withdrawal when there are funds locked in the strategy

medium

``lastFeeOperationTime`` is not modified correctly in function ``_updateLastFeeOpTime()``, resulting in a much slower decay model for the borrowing base rate

GMX

1,328.21 USDC • 2 total findings • Sherlock • chaduke

#17

medium

boundedSub() might fail to return the result that is bounded to prevent overflows

medium

getNextFundingAmountPerSize() has a divide-before-multiply precision loss problem.

Carapace

1,981.72 USDC • 6 total findings • Sherlock • chaduke

#11

high

DOS attack on function ``_accruePremiumAndExpireProtections()`` due to iteration through all active protections.

high

A lender can bypass the protection amount limit check by buying more protections.

high

Front-running attack on lockCapital()

high

Sandwich attack on accruePremiumAndExpireProtections()

medium

Nobody can deposit anymore after ``_underlyingAmount`` becomes ZERO.

medium

Some protection buyers might not be able to renew their protections due to delayed expiration processing.

Union Finance Update

487.80 USDC • 1 total finding • Sherlock • chaduke

bronze

medium

Attackers can call UToken.redeem() and drain the funds in assetManager

Blueberry

1,428.04 USDC • 4 total findings • Sherlock • chaduke

#9

high

Some funds might be stuck in the bank contract forever, and nobody can withdraw them

high

A user who calls IchiVaultSpell.closePosition() might leave some ICHI vault LP tokens in the IchiVaultSpell for other users to steal (lose funds)

medium

A borrower might drain the vault by calling borrow() repeatedly with small borrow amount each time.

medium

IchiVaultSpell.openPosition() will always revert if ICHI Vault Lp Tokens are fees-on-transfer ERC20 tokens.

OpenQ

59.81 USDC • 1 total finding • Sherlock • chaduke

#38

medium

A partial refund using ``BountyCore.refundDeposit()`` will block ALL future partial/full refunds.

Jan '23

Popcorn contest

1,511.68 USDC • 9 total findings • Code4rena • chaduke

#14

high

First vault depositor can steal other's assets

medium

Users lose their entire investment when making a deposit and resulting shares are zero

medium

DOS any Staking contract with Arithmetic Overflow

medium

`MultiRewardStaking.changeRewardSpeed()` breaks the distribution

medium

syncFeeCheckpoint() does not modify the highWaterMark correctly; sometimes it might even decrease its value, resulting in more performance fees being charged than it should

medium

Owner can collect management fees with a new increased fee for previous time period.

medium

`Vault.redeem` function does not use `syncFeeCheckpoint` modifier

medium

VaultController() is missing a call to DeploymentController.nominateNewDependencyOwner()

medium

`quitPeriod` is effectively always just `1 day`

Canto Identity Protocol contest

153.57 CANTO • 1 total finding • Code4rena • chaduke

#9

medium

Multiple accounts can have the same identity

RabbitHole Quest Protocol contest

138.73 USDC • 2 total findings • Code4rena • chaduke

#32

high

Protocol fees can be withdrawn multiple times in `Erc20Quest`

medium

Users may not claim Erc1155 rewards when the Quest has ended

Drips Protocol contest

254.8 USDC • Code4rena • chaduke

#10

Timeswap contest

7,423.7 USDC • 3 total findings • Code4rena • chaduke

bronze

high

The collect() function will always TRANSFER ZERO fees, losing _feesPositions without receiving fees!

medium

_ownedTokensIndex is SHARED by different owners, as a result, _removeTokenFromAllTokensEnumeration might remove the wrong tokenId.

medium

Burning a `ERC1155Enumerable` token doesn't remove it from the enumeration

OpenSea Seaport 1.2 contest

140.67 USDC • Code4rena • chaduke

#9

Ondo Finance contest

2,658.24 USDC • 1 total finding • Code4rena • chaduke

#6

medium

setPendingRedemptionBalance() may cause the user's cash token to be lost

Reserve contest

1,994.7 USDC • 1 total finding • Code4rena • chaduke

#15

medium

Should Accrue Before Change, Loss of Rewards in case of change of settings

Astaria contest

1,432.33 USDC • 5 total findings • Code4rena • chaduke

#14

high

When Public Vault A buys out Public Vault B's lien tokens, it does not increase Public Vault A's liensOpenForEpoch, which would result in the lien tokens not being repaid

high

Buying out corrupts the slope of a vault, reducing rewards of LPs

high

Deadlock in vaults with underlying token with less than 18 decimals

medium

Users are unable to mint shares from a public vault using `AstariaRouter` contract when share price is bigger than one

medium

_buyoutLien() does not properly validate the liquidationInitialAsk

Biconomy - Smart Contract Wallet contest

227.03 USDC • 2 total findings • Code4rena • chaduke

#35

high

Attacker can gain control of counterfactual wallet

high

Destruction of the `SmartAccount` implementation

Dec '22

GoGoPool contest

2,391.75 USDC • 4 total findings • Code4rena • chaduke

#6

high

Hijacking of node operators minipool causes loss of staked funds

high

AVAX Assigned High Water is updated incorrectly

medium

Inflation rate can be reduced by half at most if it gets called every 1.99 intervals.

medium

Coding logic of the contract upgrading renders upgrading contracts impractical

Forgeries contest

25.95 USDC • Code4rena • chaduke

#23

Caviar contest

70.22 USDC • 3 total findings • Code4rena • chaduke

#36

high

Liquidity providers may lose funds when adding liquidity

high

First depositor can break minting of shares

medium

Rounding error in buyQuote might result in free tokens

Tigris Trade contest

638.12 USDC • 4 total findings • Code4rena • chaduke

#22

medium

Bypass the delay security check to win risk free funds

medium

`_handleOpenFees` returns an incorrect value for `_feePaid`. This directly impacts margin calculations

medium

Centralization risks: owner can freeze withdrawals and use timelock to steal all funds

medium

`_handleDeposit` and `_handleWithdraw` do not account for tokens with decimals higher than 18

prePO contest

454.91 USDC • 2 total findings • Code4rena • chaduke

#16

high

A whale user is able to cause freeze of funds of other users by bypassing withdraw limit

medium

Users do not receive owed tokens if `TokenSender` contract cannot cover their owed amount.

Escher contest

1.45 USDC • 2 total findings • Code4rena • chaduke

#68

high

`LPDA` price can underflow the price due to bad settings and potentially brick the contract

medium

Use of `payable.transfer()` Might Render ETH Impossible to Withdraw

Nov '22

ParaSpace contest

44.93 USDC • 1 total finding • Code4rena • chaduke

#55

high

Anyone can prevent themselves from being liquidated as long as they hold one of the supported NFTs

Canto contest

13.69 CANTO • Code4rena • chaduke

#12

Redacted Cartel contest

771.68 USDC • Code4rena • chaduke

#18

LSD Network - Stakehouse contest

189.5 USDC • 2 total findings • Code4rena • chaduke

#37

medium

DAO admin in LiquidStakingManager.sol can rug the registered node operator by stealing their funds in the smart wallet via arbitrary execution.

medium

Compromised or malicious DAO can restrict actions of node runners who are not malicious

Blur Exchange contest

66.81 USDC • 1 total finding • Code4rena • chaduke

#26

medium

Yul `call` return value not checked

LooksRare Aggregator contest

264.89 USDC • 2 total findings • Code4rena • chaduke

#14

medium

call opcode's return value not checked.

medium

Public to all funds escape

SIZE contest

26.73 USDC • 1 total finding • Code4rena • chaduke

#38

medium

Attacker may DOS auctions using invalid bid parameters

Debt DAO contest

61.35 USDC • Code4rena • chaduke

#51

Oct '22

zkSync v2 contest

2,102.32 USDC • Code4rena • chaduke

#5

Paladin - Warden Pledges contest

19.64 USDC • Code4rena • chaduke

#33

Inverse Finance contest

19.01 USDC • Code4rena • chaduke

#49

Holograph contest

0.02 USDC • 1 total finding • Code4rena • chaduke

#43

medium

`_payoutToken[s]()` is not compatible with tokens with missing return value

Juicebox contest

63.84 USDC • Code4rena • chaduke

#17

Trader Joe v2 contest

0.98 USDC • 1 total finding • Code4rena • chaduke

#27

medium

beforeTokenTransfer called with wrong parameters in LBToken._burn