ctf_sec

Security Researcher

High: 1 Solo / 102 Total
Medium: 10 Solo / 205 Total
Total Earnings: $375.84K (#20 All Time)
Payouts: 144x
1st Places: 7x
2nd Places: 9x
3rd Places: 6x

Jan '25

lifi-contracts

2,000 USDC • Cantina • ladboy233

silver

Dec '24

story-protocol

1,810.53 USDC • 1 total finding • Cantina • ladboy233

#43

high

Finding not yet public.

bima-money

2,252.68 USDC • 1 total finding • Cantina • ladboy233

#15

medium

Finding not yet public.

Nov '24

Chainlink

63,954.54 USDC • Code4rena • ladboy233

gold

Oct '24

Usual V1

1,000 USDC • Sherlock • ctf_sec

#4

Sep '24

Boost Core Incentive Protocol

1,597.81 USDC • 2 total findings • Sherlock • ctf_sec

#15

high

BoostedCore lacks functions to invoke the incentive#clawback and incentive#drawRaffle functions

medium

Both block.prevrandao and block.timestamp are not a reliable source of randomness

Flayer

1,087.61 USDC • 2 total findings • Sherlock • ctf_sec

#54

high

claimRoyalties in InfernalRiftBelow.sol lacks access control

high

Users lose funds when voting after the shutdown is canceled

Aug '24

Velar Artha PerpDEX

1,116.00 USDC • 1 total finding • Sherlock • ctf_sec

#7

medium

Should not use tx.origin to track the user address

Jul '24

MakerDAO Endgame

5,627.40 USDC • Sherlock • ctf_sec

#23

Jun '24

Mellow Modular LRTs

1,500 USDC • Sherlock • ctf_sec

#6

dHEDGE

3,615.52 USDC • Sherlock • ctf_sec

#5

Findings not publicly available for private contests.

May '24

Canto

694.74 USDC • Code4rena • ladboy233

#5

Bitcoin Staking Scripts

3,467.7 USDC • 2 total findings • Cantina • ladboy233

#6

medium

Finding not yet public.

medium

Finding not yet public.

Terrace

3,324.11 USDC • Sherlock • ctf_sec

#5

Findings not publicly available for private contests.

Euler-v2

1,827 USDC • Cantina • ladboy233

#26

Arbitrum BoLD

10,526.32 USDC • Code4rena • ladboy233

#8

Kwenta x Perennial Integration Update

809.02 USDC • Sherlock • ctf_sec

silver

safe-extensions

2,327.15 USDC • 1 total finding • Cantina • ladboy233

#12

medium

Finding not yet public.

Apr '24

Renzo

1,979.1 USDC • 4 total findings • Code4rena • ladboy233

#10

medium

Not handling the failure of cross chain messaging

medium

Lack of slippage and deadline during withdraw and deposit

medium

L1::xRenzoBridge and L2::xRenzoBridge use block.timestamp as a dependency, which can cause issues.

medium

Withdrawals and Claims are meant to be pausable, but it is not possible in practice

NOYA

856.49 USDC + NOYA stars • 9 total findings • Code4rena • ladboy233

#19

high

`BalancerConnector::_getPositionTVL` is calculated incorrectly

high

`executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`

high

It is possible to open an insolvent position in the Silo connector, due to a missing check in the borrow function

medium

The `TVLHelper.sol#getTVL` function is DOSed by the `under collateralized connector`, and as a result, many parts of the protocol may be DOSed.

medium

In the BalancerConnector, unclaimed rewards are not included in the calculation of the connector's TVL

medium

Balancer flashloan contract can be DOSed completely by sending 1 wei to it

medium

`depositQueue.queue` in `AccountingManager` can be flooded causing a DoS

medium

No function to claim the reward in `PancakeswapConnector`.

medium

`PendlingConnector::depositIntoMarket()` and `PendlingConnector::burnLP()` are missing slippage control parameters.

Mar '24

Optimism Fault Proofs

4,203.02 USDC • 1 total finding • Sherlock • ctf_sec

#6

medium

Multiple dispute games may lead to a race condition, and there is a lack of input validation on the L2 block number

Smart-contracts

759.11 USDC • 4 total findings • Cantina • ladboy233

#17

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Taiko

7,017.62 USDC • 5 total findings • Code4rena • ladboy233

#6

high

Taiko L1 - Proposer can maliciously cause loss of funds by forcing someone else to pay prover's fee

high

Signatures can be replayed in `withdraw()` to withdraw more tokens than the user originally intended.

medium

retryMessage unable to handle edge cases.

medium

There is no slippage check for the eth deposits processing in the `LibDepositing.processDeposits`

medium

Malicious caller of `processMessage()` can pocket the fee while forcing `excessivelySafeCall()` to fail

Feb '24

curvance

2,800.78 USDC • 3 total findings • Cantina • ladboy233

#23

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Tapioca

3,437.32 USDC • 4 total findings • Sherlock • ctf_sec

#9

high

Lack of market helper address validation allows theft of funds

high

Fully exercising an option to receive the fully eligible amount via TOFTOptionsReceiverModule may result in loss of funds

medium

Owner check logic should use && instead of || when rebalancing

medium

Share computing for reward distribution is incorrect

Audit Comp | Puffer Finance

240 USDC • 1 total finding • Immunefi • ladboy233

#31

low

Finding not yet public.

AI Arena

59.56 USDC • 4 total findings • Code4rena • ladboy233

#92

high

A locked fighter can be transferred; leads to game server unable to commit transactions, and unstoppable fighters

high

Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`

medium

Constraints of dailyAllowanceReplenishTime and allowanceRemaining during mint() can be bypassed by using alias accounts & safeTransferFrom()

medium

DoS in `MergingPool::claimRewards` function and potential DoS in `RankedBattle::claimNRN` function if called after a significant amount of rounds passed.

Jan '24

Blast

8,765.91 USDC • 1 total finding • Cantina • ladboy233

#32

high

Finding not yet public.

lockbox-solana

400 USDC • Cantina • ladboy233

#10

reNFT

1,105.96 USDC • Code4rena • ladboy233

#11

incentive-contracts

699.46 USDC • 1 total finding • Cantina • ladboy233

#19

high

Finding not yet public.

Nov '23

core-and-erc1155a

32,422.09 USDC • 5 total findings • Cantina • ladboy233

gold

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Oct '23

Badger eBTC Audit + Certora Formal Verification Competition

117.51 USDC • Code4rena • ladboy233

#15

Brahma

2,326.97 USDC • 1 total finding • Code4rena • ladboy233

silver

medium

SubAccount operator can steal funds via the gas refund mechanism.

zkSync Era

1,813.81 USDC • Code4rena • ladboy233

#22

Sep '23

Maia DAO - Ulysses

3,912.33 USDC • 2 total findings • Code4rena • ladboy233

#8

high

if the Virtual Account's owner is a Contract Account (multisig wallet), attackers can gain control of the Virtual Accounts by gaining control of the same owner's address in a different chain

high

All tokens can be stolen from `VirtualAccount` due to missing access modifier

Centrifuge

50.43 USDC • 1 total finding • Code4rena • ladboy233

#31

medium

`trancheTokenAmount` should be rounded UP when proceeding to a withdrawal or previewing a withdrawal.

Delegate

17,158.88 USDC • 1 total finding • Code4rena • ladboy233

gold

medium

CreateOfferer.sol should not enforce that the nonce is incremented sequentially; otherwise a user can DOS the contract by skipping an order

Ondo Finance

1,340.19 USDC • 1 total finding • Code4rena • ladboy233

#7

medium

All bridged funds will be lost for the users using the account abstraction wallet

Aug '23

Livepeer Onchain Treasury Upgrade

5,454.09 USDC • 2 total findings • Code4rena • ladboy233

silver

medium

Fully slashed transcoder can vote with 0 weight messing up the voting calculations

medium

The logic in _handleVoteOverride to determine if an account is transcoder is not consistent with the logic in the BondManager.sol

Chainlink Staking v0.2

41.45 USDC • Code4rena • ladboy233

#57

Dopex

893.77 USDC • 5 total findings • Code4rena • ladboy233

#23

high

The settle feature will be broken if an attacker arbitrarily transfers collateral tokens to the PerpetualAtlanticVaultLP

high

The peg stability module can be compromised by forcing lowerDepeg to revert.

medium

Missing slippage parameter on Uniswap `addLiquidity()` function

medium

`sync` function in `RdpxV2Core.sol` should be called in multiple scenarios to account for the balance changes that occur

medium

No slippage protection for bonders

veRWA

7,120.54 USDC • 1 total finding • Code4rena • ladboy233

gold

high

Lack of access control in LendingLedger.sol#checkpoint_lender and checkpoint_market functions

Jul '23

Tokemak

7,242.92 USDC • 6 total findings • Sherlock • ctf_sec

#4

high

Mav oracle LP price can be manipulated

high

Malicious user can claim the reward for the contract to make the user lose the Convex reward

medium

Balancer reentrancy check wastes too much gas and can revert the transaction with an out-of-gas error

medium

Malicious / delayed Tellor price feed data can be consumed before it gets disputed and removed

medium

Swell ETH oracle can be manipulated by a third party easily

medium

Curve admin can drain the pool via reentrancy (equivalent to a third party executing an emergency withdraw and rugging Tokemak funds)

Tapioca DAO

3,606.64 USDC • 14 total findings • Code4rena • ladboy233

#19

high

TOFT and USDO Modules Can Be Selfdestructed

high

`LidoEthStrategy._currentBalance` is subject to price manipulation, allows overborrowing and liquidations

high

Ability to steal user funds and increase collateral share infinitely in BigBang and Singularity

high

[HB10] `AaveStrategy.sol`: Changing swapper breaks the contract

medium

BigBang and Singularity should not pause repay() and liquidate()

medium

In case of Loss to the Yearn Vault, the Contract will stop working until the loss is repaid

medium

Oracle is susceptible to manipulation if deployed on Optimism

medium

All deposit and withdraw functions in the Convex and Curve native LP strategies apply slippage to internal pricing, which reads the real-time on-chain price from Curve directly and is subject to MEV

medium

BigBang/Singularity::sellCollateral - Surplus of collateral with regards to repay amount is never returned to user

medium

AaveStrategy#withdraw and emergencyWithdraw can revert if the supply cap is reached or the isFrozen flag is on when compounding

medium

Loss of COMP reward in CompoundStrategy.sol

medium

Compounding mechanism is broken/flawed in ConvexTricryptoStrategy

medium

mTapiocaOFT can't be rebalanced because the Balancer in tapiocaz-audit calls swapETH() or swap() of the RouterETH but does not forward ether for the message fee

medium

`_getDiscountedPaymentAmount` doesn't work for tokens with more than 18 decimals

Bond Options

10,198.66 USDC • 9 total findings • Sherlock • ctf_sec

gold

high

All funds from the Teller contract can be drained because a malicious receiver can call reclaim repeatedly

high

All funds can be stolen from FixedStrikeOptionTeller using a token with malicious decimals

medium

Blocklisted address can be used to lock the option token minter's fund

medium

Loss of option token from Teller and reward from OTLM if L2 sequencer goes down

medium

User A's staked token balance can be used to mint option tokens as reward for User B if the payout token equals the stake token

medium

IERC20(token).approve reverts if the underlying ERC20 token's approve does not return a boolean

medium

Division before multiplication results in loss of token reward if the elapsed time since the last reward update is small

medium

FixedStrikeOptionTeller: create can be invoked when block.timestamp == expiry but exercise reverts

medium

OTLM: Stakers unable to claim their rewards

Dinari

6,034.10 USDC • 3 total findings • Sherlock • ctf_sec

silver

high

Bypass the blacklist restriction because the blacklist check is not done when minting or burning

medium

Escrow record not cleared on cancellation and order fill

medium

Cancellation refunds should return tokens to order creator, not recipient

Jun '23

Unitas Protocol

179.06 USDC • 2 total findings • Sherlock • ctf_sec

#14

medium

No slippage protection and deadline check when swapping

medium

Does not validate price freshness when using the oracle price, allowing stale oracle price to be used

May '23

BASE

8,029.15 USDC • Code4rena • ladboy233

silver

USSD - Autonomous Secure Dollar

25.55 USDC • 6 total findings • Sherlock • ctf_sec

#58

high

Wrong oracle address used for WBTC oracle

high

No slippage control when swapping asset

high

Lack of access control for mintRebalancer and burnRebalancer in USSD

high

Poor validation of the price allows negative price or zero price to be used

medium

No redeem function implemented

medium

Poor validation of the chainlink oracle timestamp and round id

Ajna Protocol

269.24 USDC • 2 total findings • Code4rena • ladboy233

#32

high

Claiming accumulated rewards while the contract is underfunded can lead to a loss of rewards

medium

Calculating new rewards is susceptible to precision loss due to division before multiplication

Footium

194.80 USDC • 4 total findings • Sherlock • ctf_sec

#18

high

FootiumEscrow token approval still stays even when Club NFT is sold / transferred

medium

Does not handle the ERC20 transfer and approve return value

medium

Certain ERC20 tokens do not return a bool from approve and transfer, and the transaction reverts

medium

SafeMint in FootiumClub.sol is not EIP-721 compliant

Apr '23

Blueberry Update

399.20 USDC • 3 total findings • Sherlock • ctf_sec

#8

high

Missing slippage control in CurveSpell swap

high

Deadline check is not effective, allowing outdated slippage and allowing pending transactions to be unexpectedly executed

medium

Missing checks for whether Arbitrum Sequencer is active

JOJO Exchange

506.60 USDC • 2 total findings • Sherlock • ctf_sec

#22

high

Complete loss of funds when using DepositStableCoinToDealer.sol

medium

Subaccount does not handle ETH well

Splits

589.10 USDC • 1 total finding • Sherlock • ctf_sec

silver

medium

The cost of the price manipulation is low for newly created pool with different fee setting

Teller

121.21 USDC • 5 total findings • Sherlock • ctf_sec

#36

high

User can use malicious token / asset to block withdraw by calling CollateralManager.sol#commitCollateral

high

Borrower can change terms after the lender accepts bids, rugging the lender

medium

Lack of access control in CollateralManager.sol#withdraw function

medium

Lack of support for fee-on-transfer

medium

Protocol owner can charge high protocol fee with no upper limit

Frankencoin

116.84 USDC • 3 total findings • Code4rena • ladboy233

#42

medium

Can't pause or remove a minter

medium

Need alternative ways for fund transfer in `end()` to prevent DoS

medium

function `restructureCapTable()` in Equity.sol not functioning as expected

Caviar Private Pools

1,235.91 USDC • 6 total findings • Code4rena • ladboy233

#8

high

PrivatePool owner can steal all ERC20 and NFT from user via arbitrary execution

medium

Pool tokens can be stolen via `PrivatePool.flashLoan` function from previous owner

medium

The `royaltyRecipient` may not be prepared to receive ether, making the `sell` fail

medium

Transaction revert if the baseToken does not support 0 value transfer when charging changeFee

medium

`Factory.create`: Predictability of pool address creates multiple issues.

medium

EthRouter can't perform multiple changes

Rubicon v2

690.7 USDC • 6 total findings • Code4rena • ladboy233

#19

high

Some positions will get liquidated immediately

high

DOS of market operations with malicious offers

high

RubiconMarket checks slippage incorrectly

high

An attacker can steal all tokens of users that use `FeeWrapper`

medium

Use of `block.number` leads to incorrect interest calculations

medium

Incorrect calculations can occur when calling `Position._marketBuy` and `Position._marketSell` functions that do not include maker fee in `_fee`

Mar '23

Asymmetry contest

194.69 USDC • 5 total findings • Code4rena • ladboy233

#35

medium

Division before multiplication truncates minOut, incurs heavy precision loss and results in insufficient slippage protection

medium

No slippage protection on `stake()` in SafEth.sol

medium

DoS due to external call failure

medium

Missing derivative limit and deposit availability checks will revert the whole `stake()` function

medium

Lack of deadline for uniswap AMM

Feb '23

Surge

186.65 USDC • 3 total findings • Sherlock • ctf_sec

#9

high

A malicious early user/attacker can manipulate the Token's pricePerShare to take an unfair share of future users' deposits

high

Improper token scaling when handling the low precision ERC20 token

medium

Invalid finding, please discard: Smart contract should not accrue fee shares when the feeRecipient address is address(0)

Carapace

196.85 USDC • 4 total findings • Sherlock • ctf_sec

#24

high

Seller can withdraw in any cycle and can withdraw any amount with the help of a flashloan after two cycles pass

high

Buyer can transfer the Goldfinch Pool Position NFT multiple times to different addresses to buy premium protection multiple times, resulting in double counting of the protection amount

high

Unbounded loop can consume all gas and revert transaction in multiple places.

medium

Front-runnable state update for lending pool

Blueberry

498.98 USDC • 2 total findings • Sherlock • ctf_sec

#22

high

IchiLpOracle is vulnerable to manipulation

medium

Lack of slippage control and deadline check when depositing into / withdrawing from the IChiVaultSpell and IChiFarm integration

OpenQ

2,845.70 USDC • 7 total findings • Sherlock • ctf_sec

#5

high

Refunding an NFT via DepositManager fails to clean up the nftDeposits array, resulting in failure when claiming the reward from ClaimManager.sol

high

User can fund the bounty contract with malicious ERC20 token or NFT token to block developer’s claim at very low cost

high

Developer cannot claim the bounty if the token reverts on a 0-amount transfer after the user gets the bounty refund after funding the bounty contract

high

User should not be able to get the refund before the developer claims the bounty and after the bounty is closed

high

User can fund ERC721 as ERC20 to block developer’s bounty withdraw from Bounty contract

high

Unbounded gas consumption when calling BountyCore#getLockedFunds

medium

A user can maliciously take advantage of refundDeposit to claim a refund for another user

Jan '23

Popcorn contest

398.57 USDC • 5 total findings • Code4rena • ladboy233

#40

medium

Malicious Users Can Drain The Assets Of Vault (Due to not being ERC4626 Compliant)

medium

vault.changeAdapter can be misused to drain fees

medium

Cooldown period is not properly respected for the `harvest` method

medium

VaultController() Missing call DeploymentController.nominateNewDependencyOwner()

medium

Users can fail to withdraw deposited assets from a vault that uses `YearnAdapter` contract as its adapter because `maxLoss` input for calling corresponding Yearn vault's `withdraw` function cannot be specified

Numoen contest

2,378.09 USDC • 1 total finding • Code4rena • ladboy233

bronze

medium

Division before multiplication incurs unnecessary precision loss

RabbitHole Quest Protocol contest

476.4 USDC • 4 total findings • Code4rena • ladboy233

#12

high

Protocol fees can be withdrawn multiple times in `Erc20Quest`

medium

Possible scenario for Signature Replay Attack

medium

Buyer on secondary NFT market can lose fund if they buy a NFT that is already used to claim the reward

medium

DOS risk if enough tokens are minted in Quest.claim can lead, at least, to lost transaction fees

Drips Protocol contest

893.97 USDC • 1 total finding • Code4rena • ladboy233

#9

medium

`unauthorize()` can be front-run so that the malicious authorized user would get their authority back

Optimism

22,521.43 USDC • 1 total finding • Sherlock • ladboy233

#8

high

Gas left check estimation is not accurate

Ajna

6,412.06 USDC • 4 total findings • Sherlock • ctf_sec

#5

high

The deposit / withdraw / trade transactions lack an expiration timestamp check and slippage control

medium

Flashloan caller can end up double paying the flashloaned amount

medium

CryptoKitty and CryptoFighter NFTs can be paused, which blocks borrowing / repaying / liquidating actions in the ERC721Pool while borrowers are still forced to pay the compounding interest

medium

User's staking reward can be lost in RewardsManager.sol

Reserve contest

121.59 USDC • Code4rena • ladboy233

#26

Astaria contest

3,266.31 USDC • 10 total findings • Code4rena • ladboy233

#8

high

Strategist can fail to withdraw asset token from a private vault

high

Improper validations in Clearinghouse. possible to lock collateral NFT in contract.

medium

Adversary can game the liquidation flow by transferring a dust amount of the payment token to the ClearingHouse contract to settle the auction if no one buys the auctioned NFT

medium

Lack of support for ERC20 token that is not 18 decimals

medium

CollateralToken should allow to execute token owner's action to approved addresses

medium

Liquidator reward is not taken into account when calculating potential debt

medium

Lack of support for fee-on-transfer token

medium

Certain functions can be blocked if the ERC20 token reverts on a 0-amount transfer after PublicVault#transferWithdrawReserve is called

medium

A user can use the same proof for a commitment more than 1 time

medium

LienToken._payment function increases users debt

Biconomy - Smart Contract Wallet contest

577.51 USDC • 3 total findings • Code4rena • ladboy233

#22

high

`FeeRefund.tokenGasPriceFactor` is not included in signed transaction data allowing the submitter to steal funds

high

Arbitrary transactions possible due to insufficient signature validation

high

Attacker can gain control of counterfactual wallet

UXD Protocol

2,713.67 USDC • 4 total findings • Sherlock • ctf_sec

bronze

high

Rage trade depository redeem can revert in senior vault beforeWithdraw hook when the utilization rate is high

high

15 seconds is too short for TWAP price query when calculating the PNL

high

Lack of input validation when rebalancing occurs, which leads to loss of fund in Perp protocol depository

medium

Vulnerable OpenZeppelin version is used, which affects GovernorVotesQuorumFraction used in the Governance contract

Dec '22

Papr contest

417.12 USDC • 1 total finding • Code4rena • ladboy233

#17

medium

Disabled NFT collateral should not be used to mint debt

GoGoPool contest

4,197.78 USDC • 7 total findings • Code4rena • ladboy233

bronze

high

MinipoolManager: node operator can avoid being slashed

high

Inflation of ggAVAX share price by first depositor

high

Hijacking of node operators minipool causes loss of staked funds

medium

Inaccurate estimation of validation rewards from function ExpectedRewardAVA in MiniPoolManager.sol

medium

Division by zero error can block RewardsPool#startRewardCycle if all multisig wallets are disabled.

medium

Rialto may not be able to cancel minipools created by contracts that cannot receive AVAX

medium

Bypass `whenNotPaused` modifier

Forgeries contest

19.22 USDC • 1 total finding • Code4rena • ladboy233

#25

high

Admin does not have to wait to call `lastResortTimelockOwnerClaimNFT()`

Caviar contest

589.16 USDC • 3 total findings • Code4rena • ladboy233

#16

high

First depositor can break minting of shares

medium

Price will not always be 18 decimals, as expected and outlined in the comments

medium

Pair price may be manipulated by direct transfers

Tigris Trade contest

12.84 USDC • 2 total findings • Code4rena • ladboy233

#62

medium

Centralization risks: owner can freeze withdraws and use timelock to steal all funds

medium

Chainlink price feed is not sufficiently validated and can return stale price

Escher contest

108.87 USDC • 4 total findings • Code4rena • ladboy233

#31

high

`LPDA` price can underflow due to bad settings and potentially brick the contract

medium

ETH will get stuck if all NFTs do not get sold.

medium

Unsafe downcasting operation truncates the user's input

medium

Use of `payable.transfer()` Might Render ETH Impossible to Withdraw

Lyra

11,266.25 USDC • Sherlock • ctf_sec

#4

Findings not publicly available for private contests.

PoolTogether contest

1,921.21 USDC • 1 total finding • Code4rena • ladboy233

bronze

medium

`CrossChainExecutor` contracts do not update the necessary states for failing transactions.

Maverick contest

59.84 USDC • Code4rena • ladboy233

#13

NounsDAO

114.65 USDC • 1 total finding • Sherlock • ctf_sec

#6

medium

The caller can set the start and stop timestamps far from the current timestamp so that the recipient never receives the token, or set them in the past to game the recipient

Nov '22

ParaSpace contest

1,189.8 USDC • 3 total findings • Code4rena • ladboy233

#21

medium

Fallback oracle is using spot price in Uniswap liquidity pool, which is very vulnerable to flashloan price manipulation

medium

Centralization risk: admin can rug the project by removing assets and manipulating prices on the oracle.

medium

Rewards are not accounted for properly in NTokenApeStaking contracts, limiting user's collateral.

Opyn Crab Netting

42.81 USDC • 1 total finding • Sherlock • ctf_sec

#22

high

checkOrder can be used to arbitrarily modify another user's nonce to make a valid order invalid.

Isomorph

1,125.12 USDC • 2 total findings • Sherlock • ctf_sec

#9

medium

Vault_Synths.sol code does not consider protocol exchange fee when evaluating the Collateral worth

medium

CHANGE_COLLATERAL_DELAY in collateral book is wrongly hardcoded to 200 seconds instead of 2 days

Redacted Cartel contest

2,791.95 USDC • 6 total findings • Code4rena • ladboy233

#8

high

The 'redeem' related functions are likely to be blocked

high

Malicious Users Can Drain The Assets Of Auto Compound Vault

high

Underlying assets stealing in `AutoPxGmx` and `AutoPxGlp` via share price manipulation

medium

SWAP_ROUTER in AutoPxGmx.sol is hardcoded and not compatible on Avalanche

medium

Assets may be lost when calling unprotected `AutoPxGlp::compound` function

medium

Deposit Feature Of The Vault Will Break If Update To A New Platform

Buffer Finance

6.52 USDC • 1 total finding • Sherlock • ctf_sec

#12

medium

Unsafe ERC20 operation when enforcing the return value of the transfer method in BufferBinaryPool

LSD Network - Stakehouse contest

1,111.42 USDC • 5 total findings • Code4rena • ladboy233

#19

high

Reentrancy in LiquidStakingManager.sol#withdrawETHForKnow leads to loss of funds from the smart wallet.

medium

DAO admin in LiquidStakingManager.sol can rug the registered node operator by stealing their funds in the smart wallet via arbitrary execution.

medium

Incorrect implementation of ETHPoolLPFactory.sol#rotateLPTokens lets users stake more ETH than maxStakingAmountPerValidator in StakingFundsVault, and DOS the stake function in LiquidStakingManager

medium

dETH / ETH / LPTokenETH can become depegged due to ETH 2.0 reward slashing.

medium

Address.isContract() is not a reliable way of checking if the input is an EOA

Blur Exchange contest

614.97 USDC • 3 total findings • Code4rena • ladboy233

#9

high

StandardPolicyERC1155.sol returns amount == 1 instead of amount == order.amount

medium

Hacked owner or malicious owner can immediately steal all assets on the platform

medium

Yul `call` return value not checked

DODO

3,442.26 USDC • 1 total finding • Sherlock • ctf_sec

gold

medium

Issue when handling native ETH trade and WETH trade in DODO RouterProxy#externalSwap

LooksRare Aggregator contest

36.34 USDC • Code4rena • ladboy233

#24

SIZE contest

182.57 USDC • 1 total finding • Code4rena • ctf_sec

#20

medium

Solmate's ERC20 does not check for token contract's existence, which opens up possibility for a honeypot attack

SIZE contest

14.14 USDC • 2 total findings • Code4rena • ladboy233

#40

medium

Attacker may DOS auctions using invalid bid parameters

medium

Incompatibility with fee-on-transfer/inflationary/deflationary/rebasing tokens, on both base tokens and quote tokens, with varying impacts

Debt DAO contest

61.35 USDC • Code4rena • ctf_sec

#51

Debt DAO contest

48.81 USDC • 1 total finding • Code4rena • ladboy233

#53

medium

Variable balance ERC20 support

Sense

4,477.93 USDC • 4 total findings • Sherlock • ctf_sec

silver

high

A malicious early user/attacker can manipulate the share to take an unfair share of future users' deposits when maturity is not set.

medium

Hacker can call approve function to approve malicious contract to spend token in RollerPeriphery.sol

medium

Math rounding in AutoRoller.sol is not ERC4626-compliant: previewWithdraw should round up.

medium

AutoRoller.sol#roll can revert if lastSettle is zero because the solmate ERC4626 deposit reverts if previewDeposit returns 0

Float Capital

1,771.65 USDC • 1 total finding • Sherlock • ctf_sec

bronze

medium

Decimal conversion accounting issue in MarketCore#_processAllBatchedEpochActions

Chainlink Staking contest

773.95 USDC • Code4rena • ladboy233

#15

Oct '22

Rage Trade

1,884.42 USDC • 2 total findings • Sherlock • ctf_sec

#5

medium

A malicious early user/attacker can manipulate the pricePerShare to take an unfair share of future users' deposits

medium

RebalanceHedge can revert if there is underflow in DnGmxSeniorVault.sol#availableBorrow, blocking withdraw and deposit in JuniorVault

zkSync v2 contest

250.77 USDC • Code4rena • ctf_sec

#8

zkSync v2 contest

250.77 USDC • Code4rena • ladboy233

#8

Paladin - Warden Pledges contest

267.17 USDC • 1 total finding • Code4rena • ctf_sec

#19

medium

Pausing `WardenPledge` contract, which takes effect immediately, by its owner can unexpectedly block pledge creator from calling `closePledge` or `retrievePledgeRewards` function

Paladin - Warden Pledges contest

32.52 USDC • 1 total finding • Code4rena • ladboy233

#29

medium

Owner can transfer all ERC20 reward token out using function recoverERC20

Inverse Finance contest

343.35 USDC • 2 total findings • Code4rena • ladboy233

#27

medium

Avoidable misconfiguration could lead to INVEscrow contract not minting xINV tokens

medium

Chainlink oracle data feed is not sufficiently validated and can return stale `price`

Illuminate

550.61 USDC • 2 total findings • Sherlock • ctf_sec

#14

high

Redeem function for Swivel, Yield, Element, Pendle, APWine, Tempus and Notional protocols and Sense missing unpaused modifier in Redeemer.sol

high

IMPORTANT: User can mint an arbitrary amount of principal token by passing an invalid parameter in Lender.sol#mint because Safe.transferFrom(IERC20(principal), msg.sender, address(this), a) does not check the IERC20 code size.

Astaria

851.38 USDC • 5 total findings • Sherlock • ctf_sec

#11

high

Lack of access control in LienToken.sol#_deleteLienPosition

high

AstariaRouter.sol#getProtocolFee division by zero, affecting new loan origination from VaultImplementation.sol#commitToLien

high

Lack of access control in PublicVault.sol#transferWithdrawReserve let user call transferWithdrawReserve() multiple times to modify withdrawReserve

medium

An early user can manipulate the price per share and profit from late users' deposits in the vault.

medium

VaultImplementation#_validateCommitment signature commit proof message can be reused / replayed because of the lack of a nonce check

NFTPort

252.99 USDC • 2 total findings • Sherlock • ctf_sec

#8

medium

Owner can set royaltiesBasisPoints more than 10000 (charge more than 100% of the royalty fee) in ERC1155NFTProduct.sol and ERC721NFTProduct.sol

medium

Nonce is missing from the signature schema in Factory.sol so signatures can be reused.

Holograph contest

112.29 USDC • 2 total findings • Code4rena • ctf_sec

#29

medium

Wrong slashing reward calculation for an operator that did not do his job

medium

Bond tokens (HLG) can get permanently stuck in operator

3xcalibur contest

135.64 USDC • Code4rena • ctf_sec

#24

Holograph contest

2,709.47 USDC • 3 total findings • Code4rena • ladboy233

#5

high

Failed job can't be recovered. NFT may be lost.

medium

Implementation code does not align with the business requirement: users are not charged the withdrawal fee when unbonding tokens in HolographOperator.sol

medium

Bad source of randomness

3xcalibur contest

661.89 USDC • Code4rena • ladboy233

#11

Juicebox contest

1,210.97 USDC • 2 total findings • Code4rena • ladboy233

#10

high

Outstanding reserved tokens are incorrectly counted in total redemption weight

medium

The tier setting parameters are unsafely downcast from type uint256 to type uint80 / uint48 / uint40 / uint16

Union Finance

2,368.15 USDC • 6 total findings • Sherlock • ctf_sec

#4

medium

AssetManager.sol#rebalance can revert if a single moneyMarket.withdrawAll reverts / AaveV3Adapter.sol#withdrawAll reverts if withdrawAmount is 0, which reverts the rebalancing transaction.

medium

UserManager.sol#debtWriteOff may not be publicly callable after the loan is overdue by overdue blocks + maxOverdueBlocks

medium

More granular control of the pause is needed for each money market because deposit and withdrawal can be guaranteed to revert if the underlying money market is paused or has high utilization rate

medium

Unbounded loop in registerMemeber.sol when registering a new member can consume all the gas and revert the transaction.

medium

AaveV3Adapter.sol withdraw function call return amount is not properly handled, which affects unstaking and rebalance operations

medium

Unsafe downcasting arithmetic operations in UserManager-related contracts and in UToken.sol

Trader Joe v2 contest

0.98 USDC • Code4rena • ladboy233

#27

Merit Circle

51.40 USDC • 1 total finding • Sherlock • ctf_sec

#12

medium

A large amount of reward will be stuck in TimeLockPool.sol if _escrowPool is address(0) and not set up.

The Graph L2 bridge contest

5,676.97 USDC • 1 total finding • Code4rena • ladboy233

silver

medium

initialize function in L2GraphToken.sol, BridgeEscrow.sol, L2GraphTokenGateway.sol, L1GraphTokenGateway.sol can be invoked multiple times from the implementation contract.

Blur Exchange contest

531.64 USDC • 3 total findings • Code4rena • ladboy233

#14

high

StandardPolicyERC1155.sol returns amount == 1 instead of amount == order.amount

medium

Hacked owner or malicious owner can immediately steal all assets on the platform

medium

Yul `call` return value not checked

Mycelium

1,798.20 USDC • 5 total findings • Sherlock • ctf_sec

gold

high

A malicious early user/attacker can manipulate the vault share to take an unfair share of future users' deposits

medium

totalSupply() can be maliciously inflated and manipulated; users may lose their tokens and get no shares minted in Vault.sol#deposit when convertToShares returns 0

medium

Admin cannot pause deposit when the deposit function is guaranteed to revert

medium

Duplicated plugin contract address is allowed, leading to a non-removable plugin and affecting token withdraw and deposit

medium

_withdrawFromPlugin(pluginAddr, IPlugin(pluginAddr).balance()) can fail if the plugin has no balance because AAVE does not allow withdrawing a 0 token balance, resulting in a non-removable plugin

Sep '22

Knox Finance

5,290.25 USDC • 3 total findings • Sherlock • ctf_sec

#4

high

_previewWithdraw function in AuctionInternal.sol has an unbounded gas consumption loop and can block users from withdrawing

medium

Lack of price freshness check in PricerInternal.sol#_latestAnswer64x64() allows a stale price or zero price to be used

medium

processAuction() in VaultAdmin.sol can be called multiple times by keeper if the auction is canceled.

QuickSwap and StellaSwap contest

111.57 USDC • 1 total finding • Code4rena • ladboy233

#24

medium

A "FrontRunning attack" can be made to the `initialize` function

Frax Ether Liquid Staking contest

1,134.47 USDC • 3 total findings • Code4rena • ladboy233

#6

medium

Centralization risk: admin has privileges: admin can set an address to mint any amount of frxETH, can set any address as validator, and can change important state in frxETHMinter and withdraw funds from frxETHMinter

medium

frxETH can be depegged due to ETH staking balance slashing

medium

removeValidator() and removeMinter() may fail due to exceeding gas limit

VTVL contest

29.04 USDC • Code4rena • ladboy233

#60

Art Gobblers contest

1,913.41 USDC • 1 total finding • Code4rena • ladboy233

#12

high

Can Recover Gobblers Burnt In Legendary Mint

Harpie

153.24 USDC • 1 total finding • Sherlock • ladboy233

#12

medium

Using an outdated OpenZeppelin package version can result in improper verification of cryptographic signatures in ECDSA.recover

Y2k Finance contest

206.5 USDC • 3 total findings • Code4rena • ladboy233

#31

high

Incorrect handling of pricefeed.decimals()

high

Users who deposit in one vault can lose all deposits and receive nothing when counterparty vault has no deposits

medium

Different Oracle issues can return outdated prices

PartyDAO contest

1,858.14 USDC • 1 total finding • Code4rena • ladboy233

#9

high

A majority attack can steal precious NFT from the party by crafting and chaining two proposals

Notional

6,604.95 USDC • 3 total findings • Sherlock • ctf_sec

#4

medium

stakingContext.auraBooster.deposit boolean return value not handled in Boosted3TokenPoolUtils.sol

medium

stakingContext.auraRewardPool.withdrawAndUnwrap boolean return value not handled in Boosted3TokenPoolUtils.sol and TwoTokenPoolUtils.sol

medium

getGetAmplificationParameter() precision is not used, which results in an accounting issue in MetaStable2TokenAuraHelper.sol and in Boosted3TokenAuraHelper.sol

FEI and TRIBE Redemption contest

34.5 USDC • Code4rena • ladboy233

#10

Nouns Builder contest

602.47 USDC • 2 total findings • Code4rena • ladboy233

#33

medium

`Token:mint`: infinite loop if the founders' shares sum up to 100

medium

Tokens without properties can be minted and cannot be rendered

Aug '22

Sentiment

3.50 USDC • 1 total finding • Sherlock • ladboy233

#26

medium

The Chainlink oracle data used to determine the collateral worth may be outdated because an invalid timestamp is used to check if the oracle data is up-to-date.

Olympus DAO contest

601.72 USDC • 1 total finding • Code4rena • ladboy233

#30

medium

OlympusGovernance#executeProposal: reentrancy attack vulnerable function

Nouns DAO contest

52.13 USDC • Code4rena • ladboy233

#35

FIAT DAO veFDT contest

187.02 USDC • 1 total finding • Code4rena • ladboy233

#23

medium

Unsafe casting from int128 can cause wrong accounting of locked amounts

Fraxlend (Frax Finance) contest

67 USDC • Code4rena • ladboy233

#56

Foundation Drop contest

104.69 USDC • 1 total finding • Code4rena • ladboy233

#21

medium

Possible to bypass saleConfig.limitPerAccount

Mimo August 2022 contest

106.78 USDC • Code4rena • ladboy233

#34

Jul '22

Golom contest

21.32 USDC • Code4rena • ladboy233

#89

Yield Witch v2 contest

41.28 USDC • Code4rena • ladboy233

#34

Jun '22

Putty contest

21.17 USDC • Code4rena • ladboy233

#86

Canto v2 contest

2,842.76 USDC • 3 total findings • Code4rena • ladboy233

bronze

high

Oracle periodSize is very low allowing the TWAP price to be easily manipulated

high

Underlying asset price oracle for CToken in BaseV1-periphery is inaccurate

medium

Stableswap - Deadline does not work

Yieldy contest

79.87 USDC • Code4rena • ladboy233

#53

Illuminate contest

798.19 USDC • 2 total findings • Code4rena • ladboy233

#18

high

Able to mint any amount of PT

high

Division Before Multiplication Can Lead To Zero Rounding Of Return Amount