Security Researcher
Web3 Security Researcher 🕵️ | 40+ H/M vulnerabilities found 🎩 | DM for audits 💼
#370 All Time
Nov '24
[high] When a buyOrder is completed the NFT will be locked in the contract forever
[high] Loans with TaxTokenReceipts as collateral can't be liquidated
[high] The TaxTokensReceipt NFTs can't be utilized by a buy order
[medium] The MixOracle::getPrice() function will revert for some pairs, and return a completely incorrect price in the rest of the cases
[medium] Last lenders to a defaulted loan which utilizes a TaxTokensReceipt NFT as collateral won't be able to withdraw their collateral
[medium] When a loan is extended a lender may lose part of the interest he is owed
[medium] In certain scenarios borrowers will pay more fees for extending their loans than they are supposed to
[medium] Lender may lose part of the interest he has accrued if he makes his lend offer perpetual after a loan has been extended by the borrower
[medium] Unused parameters in DebitaV3Loan::extendLoan() result in the function reverting in certain cases
[medium] Lenders and Borrowers that should receive incentives for creating orders that are matched won't receive incentives in certain cases
[medium] A borrower may pay more interest than he has specified, if orders are matched by a malicious actor
[medium] Cancellation and matching of lend orders can be DoSed
[medium] If no borrow and lend orders are matched during an epoch, the rewards for that epoch will be locked in the contract forever
[medium] No restrictions in DebitaIncentives.sol allow malicious users to farm rewards by creating and matching lend and borrow orders with 0 APR
Oct '24
[high] Subtraction in `variance()` will revert due to underflow
[medium] Platform fees withdrawal will sweep oracle agents' earned fees
[medium] Request responses and validations can be mocked, leading to extraction of fees and/or forcing other generators to lose their fees by making them outliers
[medium] Users can list assets with price < 1 ERC20 (ETH, WETH), leading to a potential DoS vulnerability
Sep '24
[high] The formula for charging interest on reserved assets charges much more than it should
[high] Malicious users that reserve NFTs can adjust their protectedPositions and pay a much lower interest rate than they should
[medium] Users who modify their listings will pay more tax than they should when modifying only the floorMultiplier
Aug '24
[high] LV token holders receive proportional fees when they shouldn't
[high] If not all users have requested to redeem their LV tokens, some PA tokens will be locked in the protocol forever
[high] RA amount is not updated properly in Vault::redeemEarlyLv()
[high] RA amount is not updated properly in Psm::redeemRaWithDs()
[high] FlashSwapRouter::emptyReserve() and FlashSwapRouter::emptyReservePartial() functions return incorrect values
[high] Psm::repurchase() doesn't update the RA accounting correctly
[medium] The UUPS proxy standard is implemented incorrectly, making the protocol not upgradeable
[medium] Functions that should be called through a proxy contract implement the notDelegated modifier
[medium] The ModuleCore::issueNewDs() function will revert if the totalSupply of LV tokens is 0
[medium] The protocol claims to support rebasing tokens, however accrued rewards will be lost
[high] Creation of raffles can be DoSed, making the whole protocol obsolete
[high] A malicious user can lock the prize for winning a raffle provided by the admin when a raffle is canceled
[high] If a raffle has been canceled and users were refunded their AVAX, the admin won't be able to withdraw any AVAX accumulated from ticket sales
[medium] An admin can guarantee that an address he controls is the winner of the raffle
[medium] Admin can set the winner of the raffle to an address of his choosing
[medium] Roles can't be revoked
Jul '24
[high] `mintToken()`, `mintWithBudget()`, and `forge()` in the `TraitForgeNft` contract will fail due to a wrong modifier used in `EntropyGenerator.initializeAlphaIndices()`
[high] Number of entities in a generation can surpass the 10k limit
[high] Wrong minting logic based on total token count across generations
[medium] Funds can be locked indefinitely in NukeFund.sol
[medium] There is no slippage check in the `nuke()` function
[medium] Forger Entities can forge more times than intended
[medium] Pause and unpause functions are inaccessible
[medium] NFTs mature too slowly under default settings
[medium] Discrepancy between NFTs minted, price of NFT when a generation changes and the position of `_incrementGeneration()` inside `_mintInternal()` and `_mintNewEntity()`
[high] A single plot can be occupied by multiple renters
[high] Failure to update the dirty flag in transferToUnoccupiedPlot prevents reward accumulation on a valid plot
[high] [H-01] Miscalculation in the `_farmPlots` function could lead to a user being unable to unstake all NFTs
[high] Invalid validation in the _farmPlots function allows a malicious user repeated farming without locked funds
[medium] Users can farm on zero-tax land if the landlord locked tokens before the LandManager deployment
[high] Voting for a pool will always revert
[high] Rewards are calculated as distributed even if there are no voters, locking the rewards forever
[high] Users can double vote
[medium] Adding genuine BribeRewarder contract instances to a pool in order to incentivize users can be DoSed
[medium] Potential issues with the `BribeRewarder.sol` contract when the reward token is a Weird ERC20 token
Apr '24
[high] `AccountingManager::resetMiddle` will not behave as expected
[high] `executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`
[medium] Withdrawals in AccountManager are prone to DoS attacks
[medium] `totalAssets()`, and thus `convertToShares()` and `convertToAssets()`, may revert, in violation of ERC-4626
[medium] Attacker can increase the length of `withdrawQueue` by withdrawing 0 amount of tokens frequently
[medium] AccountingManager has no correct implementations of the core ERC-4626 functions `deposit`, `mint`, `withdraw` and `redeem`
[medium] `maxDeposit`, `maxMint`, `maxWithdraw`, and `maxRedeem` functions do not return 0 when they should
[medium] `AccountingManager` contract's `previewDeposit`, `previewMint`, `previewWithdraw`, and `previewRedeem` functions are not compliant with the EIP-4626 standard
[medium] Dust donation might DoS all connectors from creating new holding positions, by preventing removal of existing holding positions
[high] Attacker can make 0 value deposit() calls to deny user from redeeming or withdrawing collateral
[high] Inability to perform partial liquidations allows huge positions to accrue bad debt in the system
[high] Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine
[high] Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply
[high] Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults
[medium] Attacker can frontrun to prevent vaults from being removed from the dNFT owner's position
[medium] No incentive to liquidate small positions could result in the protocol going underwater
[medium] Liquidating positions with bounded Kerosene could be unprofitable for liquidators
[high] Revoking a user's vesting doesn't remove all of the user's votes
[high] Revoking user vesting DoSes the last withdrawers
[high] Rewards in the different ZivoeRewards implementations can be diluted by a malicious user
[high] If the reward token in ZivoeRewards and ZivoeRewardsVesting is a token with less than 18 decimals, rewards may get stuck in the contract
[medium] Rewards are calculated as distributed even if there are no stakers, locking the rewards forever
Feb '24
[high] Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win
[high] A locked fighter can be transferred; this leads to the game server being unable to commit transactions, and to unstoppable fighters
[high] Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of type Dendroid and with rare attributes
[high] Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`
[high] FighterFarm::reroll won't work for NFT id greater than 255 due to input limited to uint8
[medium] Can mint NFT with the desired attributes by reverting the transaction
Jan '24
[high] Attack to make `CurveSubject` a `HoneyPot`
[high] Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`
[high] Unauthorized access to the setCurves function
[medium] Protocol and referral fee would be permanently stuck in the Curves contract when selling a token
[medium] onBalanceChange causes previously unclaimed rewards to be cleared
[medium] Curves::_buyCurvesToken(): excess ETH received is not refunded to the user
[medium] If a user sets their curve token symbol as the default one plus the next token counter instance, it will render the whole default naming functionality obsolete
Dec '23
[high] Rewards can be drained because of lack of access control
[high] Looping over unbounded `pendingStakes` array can lead to permanent DoS and frozen funds
[high] Malicious users can honeypot other users by minting all the `EURO` tokens that the vault's `collateralRate` allows right before sale
[low] `costInEuros` calculation will incur precision loss due to division before multiplication
[low] Lack of minimum amount check in `SmartVaultV3::mint`, `SmartVaultV3::burn`, and `SmartVaultV3::swap` can result in loss of fees
Jul '23
[high] Sandwich attack to steal all ERC-20 tokens in the Fees contract
[high] Borrower can use Refinance to cancel auctions so they can extend their loan indefinitely
[high] [H-04] Lender#buyLoan - Malicious user could take over a loan for free without having a pool because of wrong access control
[high] Using forged/fake lending pools to steal any loan opening for auction
[high] Stealing any loan opening for auction through others' lending pool
[high] Token spending by Uniswap router doesn't get approved