datapunk

Security Researcher

High: 17 total
Medium: 29 total
Total earnings: $15.73K
All-time rank: #447
Payouts: 17x
2nd places: 1x (silver)
Top 10: 3x
Top 25: 11x

Mar '23

Y2K

117.29 USDC • 2 total findings • Sherlock • datapunk

#50

high

The assignment should be made only if ownerToRollOverQueueIndex[_receiver] == 0

medium

The special case of “_epochBegin == block.timestamp” is undefined

Dec '22

GoGoPool contest

447.46 USDC • 7 total findings • Code4rena • datapunk

#39

high

Inflation of ggAVAX share price by first depositor

high

Hijacking of node operators minipool causes loss of staked funds

medium

Users may not be able to redeem their shares due to underflow

medium

NodeOp can get rewards even if there was an error in registering the node as a validator

medium

slashing fails when node operator doesn't have enough staked `GGP`

medium

State Transition: Minipools can be created using other operator's AVAX deposit via recreateMinipool

medium

NodeOp funds may be trapped by an invalid state transition

Nov '22

ParaSpace contest

126.39 USDC • 1 total finding • Code4rena • datapunk

#46

high

Anyone can prevent themselves from being liquidated as long as they hold one of the supported NFTs

Redacted Cartel contest

224.74 USDC • 1 total finding • Code4rena • datapunk

#25

medium

Reward tokens mismanagement can cause users losing rewards

LSD Network - Stakehouse contest

3,540.15 USDC • 8 total findings • Code4rena • datapunk

#6

high

Giant pools can be drained due to weak vault authenticity check

high

Possibly reentrancy attacks in `_distributeETHRewardsToUserForToken` function

high

`bringUnusedETHBackIntoGiantPool` in `GiantMevAndFeesPool` can be used to steal `LPTokens`

medium

GiantMevAndFeesPool.previewAccumulatedETH function: "accumulated" variable is not updated correctly in for loop leading to result that is too low

medium

smartWallet address is not guaranteed correct. ETH may be lost

medium

Medium: Vaults can be griefed to not be able to be used for deposits

medium

Giant pools cannot receive ETH from vaults

medium

Withdrawing wrong LPToken from GiantPool leads to loss of funds

Blur Exchange contest

306.21 USDC • 1 total finding • Code4rena • datapunk

#22

high

Direct theft of buyers ETH funds.

LooksRare Aggregator contest

117.17 USDC • Code4rena • datapunk

#20

Debt DAO contest

40.83 USDC • 2 total findings • Code4rena • datapunk

#54

medium

Mistakenly sent eth could be locked

medium

address.call{value:x}() should be used instead of payable.transfer()

Oct '22

zkSync v2 contest

2,102.32 USDC • Code4rena • datapunk

#5

Sep '22

Frax Ether Liquid Staking contest

156.96 USDC • 1 total finding • Code4rena • datapunk

#20

medium

Rewards delay release could cause yields steal and loss

VTVL contest

315.25 USDC • 1 total finding • Code4rena • datapunk

#19

medium

Two address tokens can be withdrawn by the admin even if they are vested

Y2k Finance contest

664.72 USDC • 3 total findings • Code4rena • datapunk

#18

high

Depeg event can happen at incorrect price

medium

Oracle is tracked per token instead of per pair, leading to surprise results

medium

Different Oracle issues can return outdated prices

FEI and TRIBE Redemption contest

33.67 USDC • Code4rena • datapunk

#12

Nouns Builder contest

205.93 USDC • 3 total findings • Code4rena • datapunk

#59

medium

A proposal can be cancelled by anyone if the proposal has exactly proposalThreshold votes

medium

Founders can receive less tokens than expected

medium

Index out of bounds error when properties length is more than attributes length breaks minting

Aug '22

Olympus DAO contest

2,234.65 USDC • 5 total findings • Code4rena • datapunk

#11

medium

Inconsistent parameter requirements between `constructor()` and `Set() functions` in `RANGE.sol` and `Operator.sol`.

medium

Inconsistency in staleness checks between OHM and reserve token oracles

medium

TRSRY susceptible to loan / withdraw confusion

medium

Heart::beat() could be called several times in one block if no one called it for some time

medium

Admin cannot be changed to EOA after deployment

Jun '22

Putty contest

68.3 USDC • Code4rena • datapunk

#70

Illuminate contest

5,032.65 USDC • 11 total findings • Code4rena • datapunk

silver

high

Redeemer.redeem() for Element withdraws PT to wrong address.

high

Incorrect implementation of APWine and Tempus `redeem`

high

Unable to redeem from Notional

high

`Redeemer.sol#redeem()` can be called by anyone before maturity, which may lead to loss of user funds

high

Able to mint any amount of PT

high

The lend function for tempus uses the wrong return value of depositAndFix

high

[H-05] Not minting iPTs for lenders in several lend functions

high

Division Before Multiplication Can Lead To Zero Rounding Of Return Amount

medium

Checking yieldBearingToken against u instead of backingToken

medium

sellPrincipalToken, buyPrincipalToken, sellUnderlying, buyUnderlying uses pool funds but pays msg.sender

medium

Sandwich attacks are possible as there is no slippage control option in Marketplace and in Lender yield swaps