
dimah7

Security Researcher


High: 16 total
Medium: 24 total
Solo: 1

$7.82K total earnings (#642 all time)
22x payouts
1x 2nd places
5x top 10
8x top 25


May '25

Extrafi XLend
3,418.91 OP • Sherlock • dimah7 • #4
Findings not publicly available for private contests.

Apr '25

mighty-contracts
17.67 USDC • 4 total findings • Cantina • cantinaresearcher19 • #61
high (x3), medium (x1): findings not yet public.

Mar '25

Symmio, Staking and Vesting
0.00 USDC • 1 total finding • Sherlock • dimah7 • #18
medium: Anyone can add fraction rewards and slow down the reward per token

Feb '25

Usual Labs
128.12 USDC • Sherlock • dimah7 • #28

Core Contracts
1,454.40 USDC • 17 total findings • CodeHawks • dimah7 • #8
high: RAACNFT mint function receives funds to address(this) but has no way of withdrawing them
high: Users can borrow more assets than they have deposited as collateral
high: Any attempt to liquidate a user will fail, because StabilityPool does not hold crvUSD during operational lifecycle
high: Ownership Parameter Mismatch in LendingPool's Vault Withdrawal Logic
high: Incorrect Debt Token Accounting Due to Multiple Scaling Issues
medium: Incorrect utilization rate forces protocol to issue maximum rewards indefinitely
medium: LendingPool deposits do not work with CurveVault due to lack of funds
medium: `RToken::calculateDustAmount` is incorrectly calculated, leading to not being able to transfer the accrued dust amount
medium: Emergency revoke in RAACReleaseOrchestrator will freeze revoked RAAC tokens in orchestrator
medium: The earned yield from the Curve vault can never be utilized when withdrawing or borrowing
medium: When the prime rate is updated by the oracle, the values of the sub-rates are not adjusted accordingly, which can cause loss of assets for borrowers
medium: reserve.totalUsage variable is not properly updated
medium: Unnecessary Vault Withdrawals Due to Unchecked User Withdrawal Amounts
medium: Interest rates will be incorrectly updated, which will result in higher borrowing costs for borrowers
low: `FeeCollector::updateFeeType` wrong fee share validation leads to impossible update for some fee types
low: Wrong event emitted in `LendingPool::_repay`
low: `collateralLiquidated` value is always 0 when emitted in the `LiquidationFinalized` event

Jan '25

daao-contracts
0.82 USDC • 1 total finding • Cantina • cantinaresearcher19 • #118
high: Finding not yet public.

Aave v3.3
86.96 USDC • Sherlock • dimah7 • #86

Ignite
15.29 USDC • CodeHawks • dimah7 • #21

Dec '24

Autonomint Colored Dollar V1
0.33 OP • 2 total findings • Sherlock • dimah7 • #65
high: Core functions can be DoS-ed, which will lead to loss of funds for CDS owners
high: Treasury reserves can be drained

Nov '24

Debita Finance V3
0.47 USDC • 1 total finding • Sherlock • dimah7 • #56
medium: A malicious user can DoS the matching of offers

Oct '24

Gamma Brevis Rewarder
314.34 OP • 1 total finding • Sherlock • dimah7 • 2nd place
medium: Leftover amounts from rounding in reward distribution will be stuck forever in the `GammaRewarder`

stakeup-bloomv2
9.4 USDC • 1 total finding • Cantina • cantinaresearcher19 • #96
medium: Finding not yet public.

Sep '24

Liquid Staking
1,478.57 USDC • 1 total finding • CodeHawks • dimah7 • #8
medium: Vault fee receivers can conditionally block rewards distribution flow

Royco Protocol
53.53 USDC • 3 total findings • Cantina • cantinaresearcher19 • #48
high (x1), medium (x2): findings not yet public.

Aug '24

Phi
12.56 USDC • 1 total finding • Code4rena • dimah7 • #44
medium: Attacker can DoS user from selling shares of a credId

Winnables Raffles
30.04 USDC • 1 total finding • Sherlock • dimah7 • #24
medium: Admin can steal funds from ticket sales, and rug raffle participants

Sentiment V2
114.84 USDC • 2 total findings • Sherlock • dimah7 • #31
medium: Missing circuit breaker checks for Chainlink price feeds
medium: Super pools can't be paused, in case of an emergency

Tadle
3.44 USDC • 3 total findings • CodeHawks • dimah7 • #134
high: TokenManager - Unlimited withdraw
high: Native token withdrawal fails until manually approved
high: Malicious user can drain protocol by bypassing `ASK` offer abortion validation in `Turbo` mode

Jul '24

TraitForge
0.01 USDC • 2 total findings • Code4rena • dimah7 • #88
medium: Pause and unpause functions are inaccessible
medium: Discrepancy between NFTs minted, price of NFT when a generation changes, and position of `_incrementGeneration()` inside `_mintInternal()` and `_mintNewEntity()`

May '24

Beanstalk: The Finale
81.46 USDC • 1 total finding • CodeHawks • dimah7 • #34
low: Permit functions will not work with certain tokens

Sablier
578.16 USDC • 1 total finding • CodeHawks • dimah7 • #10
medium: Use of CREATE method is susceptible to reorg attack

Apr '24

NOYA
23.11 USDC + NOYA stars • 1 total finding • Code4rena • dimah7 • #77
high: `executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`