dimulski

Security Researcher

Web3 Security Researcher 🕵️ | 40+ H/M vulnerabilities found 🎩 | DM for audits 💼

High: 1 solo, 64 total
Medium: 2 solo, 57 total
Total earnings: $18.96K (#370 all time)
Payouts: 26x
1st places: 1x
2nd places: 1x
Top 10: 8x

Nov '24

Debita Finance V3
3,253.74 USDC • 14 total findings • Sherlock • dimulski • Rank #4

high: When a buyOrder is completed the NFT will be locked in the contract forever
high: Loans with TaxTokenReceipts as collateral can't be liquidated
high: The TaxTokensReceipt NFTs can't be utilized by a buy order
medium: The MixOracle::getPrice() function will revert for some pairs, and return a completely incorrect price in the rest of the cases
medium: Last lenders to a defaulted loan which utilizes a TaxTokensReceipt NFT as collateral won't be able to withdraw their collateral
medium: When a loan is extended a lender may lose part of the interest he is owed
medium: In certain scenarios borrowers will pay more fees for extending their loans than they are supposed to
medium: Lender may lose part of the interest he has accrued if he makes his lend offer perpetual after a loan has been extended by the borrower
medium: Unused parameters in DebitaV3Loan::extendLoan() result in the function reverting in certain cases
medium: Lenders and borrowers that should receive incentives for creating orders that are matched won't receive incentives in certain cases
medium: A borrower may pay more interest than he has specified if orders are matched by a malicious actor
medium: Cancellation and matching of lend orders can be DoSed
medium: If no borrow and lend orders are matched during an epoch, the rewards for that epoch will be locked in the contract forever
medium: No restrictions in DebitaIncentives.sol allow malicious users to farm rewards by creating and matching lend and borrow orders with 0 APR

Oct '24

Dria
12.80 USDC • 4 total findings • CodeHawks • dimulski • Rank #51

high: Subtraction in `variance()` will revert due to underflow
medium: Platform fees withdrawal will sweep oracle agents' earned fees
medium: Request responses and validations can be mocked, leading to extraction of fees and/or forcing other generators to lose their fees by making them outliers
medium: Users can list assets with price < 1 ERC20 (ETH, WETH), leading to a potential DoS vulnerability

stakeup-bloomv2
920.21 USDC • 5 total findings • Cantina • dimulski • Rank #13

high: Finding not yet public.
high: Finding not yet public.
high: Finding not yet public.
high: Finding not yet public.
medium: Finding not yet public.

Sep '24

Boost Core Incentive Protocol
86.00 USDC • 3 total findings • Sherlock • dimulski • Rank #16

high: Creators of boosts can't withdraw the funds they deposit into boosts
medium: A boost can be created in such a way that the Boost protocol doesn't receive any fees
medium: The protocol won't work correctly with fee-on-transfer tokens

Flayer
434.83 USDC • 3 total findings • Sherlock • dimulski • Rank #33

high: The formula for charging interest on reserved assets charges much more than it should
high: Malicious users that reserve NFTs can adjust their protectedPositions and pay much less interest than they should
medium: Users who modify their listings will pay more tax than they should when modifying only the floorMultiplier

Aug '24

Cork Protocol
3,723.83 USDC • 10 total findings • Sherlock • dimulski • Rank: 2nd place

high: LV token holders receive proportional fees when they shouldn't
high: If not all users have requested to redeem their LV tokens, some PA tokens will be locked in the protocol forever
high: RA amount is not updated properly in Vault::redeemEarlyLv()
high: RA amount is not updated properly in Psm::redeemRaWithDs()
high: FlashSwapRouter::emptyReserve() and FlashSwapRouter::emptyReservePartial() functions return incorrect values
high: Psm::repurchase() doesn't update the RA accounting correctly
medium: The UUPS proxy standard is implemented incorrectly, making the protocol not upgradeable
medium: Functions that should be called through a proxy contract implement the notDelegated modifier
medium: The ModuleCore::issueNewDs() function will revert if the totalSupply of LV tokens is 0
medium: The protocol claims to support rebasing tokens; however, accrued rewards will be lost

Winnables Raffles
288.00 USDC • 6 total findings • Sherlock • dimulski • Rank #6

high: Creation of raffles can be DOSed, making the whole protocol obsolete
high: A malicious user can lock the prize for winning a raffle provided by the admin when a raffle is canceled
high: If a raffle has been canceled and users were refunded their AVAX, the admin won't be able to withdraw any AVAX accumulated from ticket sales
medium: An admin can guarantee that an address he controls is the winner of the raffle
medium: Admin can set the winner of the raffle to an address of his choosing
medium: Roles can't be revoked

Jul '24

TraitForge
223.19 USDC • 9 total findings • Code4rena • dimulski • Rank #20

high: `mintToken()`, `mintWithBudget()`, and `forge()` in the `TraitForgeNft` contract will fail due to a wrong modifier used in `EntropyGenerator.initializeAlphaIndices()`
high: Number of entities in a generation can surpass the 10k limit
high: Wrong minting logic based on total token count across generations
medium: Funds can be locked indefinitely in NukeFund.sol
medium: There is no slippage check in the `nuke()` function
medium: Forger entities can forge more times than intended
medium: Pause and unpause functions are inaccessible
medium: NFTs mature too slowly under default settings
medium: Discrepancy between NFTs minted, price of an NFT when a generation changes, and the position of `_incrementGeneration()` inside `_mintInternal()` and `_mintNewEntity()`

Munchables
627.87 USDC • 5 total findings • Code4rena • dimulski • Rank #4

high: Single plot can be occupied by multiple renters
high: Failure to update dirty flag in transferToUnoccupiedPlot prevents reward accumulation on valid plot
high: [H-01] Miscalculation in `_farmPlots` function could lead to a user being unable to unstake all NFTs
high: Invalid validation in _farmPlots function allows a malicious user repeated farming without locked funds
medium: Users can farm on zero-tax land if the landlord locked tokens before the LandManager deployment

MagicSea - the native DEX on the IotaEVM
51.25 USDC • 5 total findings • Sherlock • dimulski • Rank #36

high: Voting for a pool will always revert
high: Rewards are calculated as distributed even if there are no voters, locking the rewards forever
high: Users can double vote
medium: Adding genuine BribeRewarder contract instances to a pool in order to incentivize users can be DOSed
medium: Potential issues with the `BribeRewarder.sol` contract when the reward token is a weird ERC20 token

Jun '24

Vultisig
10.42 USDC • 1 total finding • Code4rena • dimulski • Rank #30

medium: Transfer of ILOPool NFT token to a different account allows users to bypass the pool's `maxCapPerUser` invariant

Apr '24

NOYA
164.56 USDC + NOYA stars • 9 total findings • Code4rena • dimulski • Rank #39

high: `AccountingManager::resetMiddle` will not behave as expected
high: `executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`
medium: Withdrawals in AccountManager are prone to DOS attacks
medium: `totalAssets()`, and thus `convertToShares()` and `convertToAssets()`, may revert, in violation of ERC-4626
medium: Attacker can increase the length of `withdrawQueue` by withdrawing 0 amount of tokens frequently
medium: AccountingManager has no correct implementations of the core ERC-4626 functions `deposit`, `mint`, `withdraw` and `redeem`
medium: `maxDeposit`, `maxMint`, `maxWithdraw`, and `maxRedeem` functions do not return 0 when they should
medium: `AccountingManager` contract's `previewDeposit`, `previewMint`, `previewWithdraw`, and `previewRedeem` functions are not compliant with the EIP-4626 standard
medium: Dust donation might DOS all connectors from creating new holding positions by preventing removal of existing holding positions

DYAD
683.26 USDC • 8 total findings • Code4rena • dimulski • Rank #12

high: Attacker can make 0 value deposit() calls to deny a user from redeeming or withdrawing collateral
high: Inability to perform partial liquidations allows huge positions to accrue bad debt in the system
high: Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine
high: Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply
high: Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults
medium: Attacker can frontrun to prevent vaults from being removed from the dNFT owner's position
medium: No incentive to liquidate small positions could result in the protocol going underwater
medium: Liquidating positions with bounded Kerosene could be unprofitable for liquidators

Zivoe
499.61 USDC • 5 total findings • Sherlock • dimulski • Rank #25

high: Revoking a user's vesting doesn't remove all of the user's votes
high: Revoking user vesting DOSes the last withdrawers
high: Rewards in the different ZivoeRewards implementations can be diluted by a malicious user
high: If the reward token in ZivoeRewards and ZivoeRewardsVesting is a token with less than 18 decimals, rewards may get stuck in the contract
medium: Rewards are calculated as distributed even if there are no stakers, locking the rewards forever

Mar '24

Axis Finance
2,545.76 USDC • 3 total findings • Sherlock • dimulski • Rank #6

high: Incorrect setting of lotId makes the whole protocol obsolete
high: Overflow in the curate() function results in permanently stuck funds
medium: Unsold tokens from an FPAM auction will be stuck in the protocol after the auction concludes

Feb '24

Spectra
107.43 USDC • 1 total finding • Code4rena • dimulski • Rank #13

medium: PrincipalToken is not ERC-5095 compliant

AI Arena

AI Arena
144.03 USDC • 6 total findings • Code4rena • dimulski • Rank #36

high: Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win
high: A locked fighter can be transferred; leads to the game server being unable to commit transactions, and unstoppable fighters
high: Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of type Dendroid and with rare attributes
high: Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`
high: FighterFarm::reroll won't work for NFT id greater than 255 due to input limited to uint8
medium: Can mint an NFT with the desired attributes by reverting the transaction

Jan '24

LooksRare YOLO
17.38 USDC • 1 total finding • Sherlock • dimulski • Rank #7

high: A malicious user can game the system to increase his chances of winning a round

Curves
122.89 USDC • 7 total findings • Code4rena • dimulski • Rank #40

high: Attack to make `CurveSubject` a `HoneyPot`
high: Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`
high: Unauthorized access to the setCurves function
medium: Protocol and referral fee would be permanently stuck in the Curves contract when selling a token
medium: onBalanceChange causes previously unclaimed rewards to be cleared
medium: Curves::_buyCurvesToken(): excess ETH received is not refunded to the user
medium: If a user sets their curve token symbol as the default one plus the next token counter instance, it will render the whole default naming functionality obsolete

Dec '23

The Standard
3,873.46 USDC • 5 total findings • CodeHawks • dimulski • Rank: 1st place

high: Rewards can be drained because of lack of access control
high: Looping over unbounded `pendingStakes` array can lead to permanent DoS and frozen funds
high: Malicious users can honeypot other users by minting all the `EURO` tokens that the vault's `collateralRate` allows right before sale
low: `costInEuros` calculation will incur precision loss due to division before multiplication
low: Lack of minimum amount check in `SmartVaultV3::mint`, `SmartVaultV3::burn`, and `SmartVaultV3::swap` can result in loss of fees

Revolution Protocol
51.14 USDC • 1 total finding • Code4rena • dimulski • Rank #52

medium: The quorumVotes can be bypassed

Nov '23

Nouns Builder
21.94 USDC • 1 total finding • Sherlock • dimulski • Rank #9

high: The implementation of `updateFounders()` introduces different vulnerabilities based on the scenario it is called in

Oct '23

NextGen
1,063.79 USDC • 3 total findings • Code4rena • dimulski • Rank #11

high: Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime
medium: getPrice `salesOption` 2 can round down to the lower barrier, skipping the last time period
medium: Auction winner can prevent payments via `safeTransferFrom` callback

Aug '23

Dopex
0.07 USDC • 1 total finding • Code4rena • dimulski • Rank #126

high: The peg stability module can be compromised by forcing lowerDepeg to revert

Jul '23

Beedle - Oracle free perpetual lending
28.40 USDC • 6 total findings • CodeHawks • dimulski • Rank #99

high: Sandwich attack to steal all ERC-20 tokens in the Fees contract
high: Borrower can use Refinance to cancel auctions so they can extend their loan indefinitely
high: [H-04] Lender#buyLoan - Malicious user could take over a loan for free without having a pool because of wrong access control
high: Using forged/fake lending pools to steal any loan opening for auction
high: Stealing any loan opening for auction through others' lending pool
high: Token spending by Uniswap router doesn't get approved

Jun '23

Hubble Exchange
4.58 USDC • 1 total finding • Sherlock • dimulski • Rank #29

medium: getUnderlyingPrice may return stale data