dobrevaleri
Security Researcher
Web3 Security Researcher | Intern @PashovAuditGrp

High findings: 38 total (1 solo)
Medium findings: 41 total
Total earnings: $12.06K (#508 all time)
Payouts: 26x
1st places (gold): 2x
2nd places (silver): 2x
3rd places (bronze): 2x


May '25

Usual ETH0
4,810 USDC • 1 total finding • Sherlock • dobrevaleri
Rank: 1st place (gold)
[medium] Operation sequence in redemption process allows protocol undercollateralization

Native Smart Contract V2
1,090.26 USDC • Sherlock • dobrevaleri
Rank: #12
Findings not publicly available for private contests.

Mar '25

Symmio, Staking and Vesting
0.00 USDC • 1 total finding • Sherlock • dobrevaleri
Rank: #18
[medium] Unrestricted `notifyRewardAmount` function allows reward manipulation

Feb '25

THORWallet
0.35 USDC • 2 total findings • Code4rena • dobrevaleri
Rank: #8
[high] MergeTgt has no handling if TGT_TO_EXCHANGE is exceeded during the exchange period
[medium] Improper Transfer Restrictions on Non-Bridged Tokens Due to Boolean Bridged Token Tracking, Allowing a DoS Attack Vector

Rova
0.04 USDC • 1 total finding • Sherlock • dobrevaleri
Rank: 3rd place (bronze)
[medium] Incorrectly using delta currency amount instead of delta token amounts in `updateParticipation()`

Core Contracts
334.24 USDC • 33 total findings • CodeHawks • dobrevaleri
Rank: #65
[high] RAACNFT mint function receives funds to address(this) but has no way of withdrawing them
[high] Reward manipulation vulnerability in StabilityPool
[high] Incorrect Reward Claim Logic in FeeCollector::claimRewards Causes Denial of Service
[high] RToken's transfer function leads to loss of funds due to incorrect math
[high] Users can borrow more assets than they have deposited as collateral
[high] NFTs Get Permanently Locked in Stability Pool After Liquidation
[high] Double Usage Index Scaling in StabilityPool Liquidation Inflates Required CRVUSD Balance
[high] Ownership Parameter Mismatch in LendingPool’s Vault Withdrawal Logic
[high] Untracked Direct Fee Transfers from RAACToken to FeeCollector Break Fee Distribution System
[high] Ineffective Time-Weighted Average Implementation in Fee Distribution
[medium] Lack of Emergency Pause in `BaseGauge::stake` and `BaseGauge::withdraw`
[medium] Incorrect utilization rate forces protocol to issue maximum rewards indefinitely
[medium] LendingPool deposits do not work with CurveVault due to lack of funds
[medium] LendingPool::getNormalizedIncome() returns stale liquidity index
[medium] There is no logic checking for RAACNFT price staleness before minting it
[medium] `RToken::calculateDustAmount` is calculated incorrectly, so the accrued dust amount cannot be transferred
[medium] LendingPool.getUserDebt returns outdated value and can lead to liquidation failure
[medium] Emergency revoke in RAACReleaseOrchestrator will freeze revoked RAAC tokens in orchestrator
[medium] User may not be able to increase the amount of locked RAAC tokens
[medium] Because assets staked in crvVault are not counted, the reported dust amount is incorrect
[medium] Unrestricted proposal cancellation allows governance process manipulation
[medium] Failure to Withdraw Liquidity to RToken.sol Before Changing Curve Vault Address
[medium] A coordinated group of attackers can artificially lower the quorum threshold during active proposals, forcing malicious proposals to pass without true majority support
[medium] RAACToken burns fewer tokens than expected when feeCollector is unset
[medium] RAACNFT wrongly assumes crvUSD is equal to 1 dollar
[medium] Inaccurate interest-rate and liquidity calculations due to omitted `updateInterestRatesAndLiquidity()` call in `setProtocolFeeRate()`
[low] Canceled votes still get voted on and accumulate voting power in Governance.sol
[low] Deposits/Withdrawals can be DoS'ed if crvVault::withdraw produces any losses
[low] `LendingPool` yield generated in curve vault is lost and cannot be withdrawn by users
[low] Wrong event emitted in `LendingPool::_repay`
[low] Inconsistent time boundary check in `Governance::state` and `Governance::castVote`
[low] Missing whenNotPaused modifier on withdraw function allows token withdrawals during emergency
[low] Outdated usage index in view functions leads to incorrect debt calculations

Jan '25

IQ AI
243.25 USDC • 1 total finding • Code4rena • dobrevaleri
Rank: #13
[high] Adversary can win proposals with voting power as low as 4%

daao-contracts
89.92 USDC • 5 total findings • Cantina • dobrevaleri
Rank: #40
[high] Finding not yet public.
[high] Finding not yet public.
[high] Finding not yet public.
[high] Finding not yet public.
[medium] Finding not yet public.

Plaza Finance
311.95 USDC • 7 total findings • Sherlock • dobrevaleri
Rank: #26
[high] Auction will never succeed due to wrong check
[high] Funds might remain locked in `BalancerRouter` when depositing in Balancer pool
[high] The fee is double charged on every `create` or `redeem`
[medium] Low TVL and high Leverage Supply will DoS the redeem of Leverage tokens
[medium] Balancer LP tokens might be locked inside `BalancerRouter`
[medium] Incomplete handling of failed auctions
[medium] Redeeming all leverage tokens will DoS their creation

Aave v3.3
529.42 USDC • Sherlock • dobrevaleri
Rank: #44

Dec '24

Ethos Reputation Market Fix Review Contest
144.76 USDC • 1 total finding • Sherlock • dobrevaleri
Rank: 2nd place (silver)
[medium] Rounding will lead to broken invariant

Alchemix Transmuter
513.57 OP • 3 total findings • CodeHawks • dobrevaleri
Rank: #10
[medium] Incorrect Total Assets Calculation in _harvestAndReport Leading to Share Value Manipulation and Irredeemable Assets
[medium] Not adding the `claimable` balance to the total assets in `_harvestAndReport` can cause losses
[low] Old router retains token allowance after update

Nov '24

Ethos Network Financial Contracts
130.79 USDC • 4 total findings • Sherlock • dobrevaleri
Rank: #22
[high] Reputation market will be insolvent due to incorrect increase of market funds when buying
[high] Incorrect fee calculation will overcharge users buying votes
[medium] Incorrect calculation of fees in `EthosVouch` will cause partial loss of user's principal
[medium] Missing slippage protection on `sellVotes()`

vVv Launchpad - Investments & Token distribution
94.59 USDC • 1 total finding • Sherlock • dobrevaleri
Rank: 1st place (gold)
[high] Attacker can steal tokens intended for KYC-verified address

Telcoin Update #2
179.13 USDC • Sherlock • dobrevaleri
Rank: #14

Euro Dollar
299.9 USDC • 1 total finding • Hats • dobrevaleri
Rank: #5
[high] Users using `withdraw` will receive more funds than the ones using `redeem`

Oct '24

Ethos Network Social Contracts
1,485.02 USDC • 2 total findings • Sherlock • dobrevaleri
Rank: #4
[medium] Deleted address will still have full control over the profile
[medium] Upgrades might cause storage collision

Gamma Brevis Rewarder
131.06 OP • 1 total finding • Sherlock • dobrevaleri
Rank: 3rd place (bronze)
[high] Users are unable to claim in more than 1 epoch

stakeup-bloomv2
114.5 USDC • 4 total findings • Cantina • dobrevaleri
Rank: #51
[high] Finding not yet public.
[high] Finding not yet public.
[medium] Finding not yet public.
[medium] Finding not yet public.

Sep '24

Saffron Lido Vaults
1,422.84 USDC • 1 total finding • Sherlock • dobrevaleri
Rank: 2nd place (silver)
[high] Unaccounted protocol fee will lead to funds getting locked

Aug '24

Rumpel Point Tokenization Protocol
2.76 USDC • Sherlock • dobrevaleri
Rank: #29

Fjord Token Staking
0.19 USDC • 1 total finding • CodeHawks • dobrevaleri
Rank: #20
[medium] `FjordAuction` incorrect `block.timestamp` check allows users to bid after calling `auctionEnd` to claim more tokens than they should

Winnables Raffles
5.17 USDC • 2 total findings • Sherlock • dobrevaleri
Rank: #31
[high] Attacker can abuse `cancelRaffle` to DoS the protocol
[high] `refundPlayers()` will prevent Admin from withdrawing assets

Tadle
0.00 USDC • 1 total finding • CodeHawks • dobrevaleri
Rank: #177
[high] TokenManager - Unlimited withdraw

Jul '24

TraitForge
0.02 USDC • 4 total findings • Code4rena • dobrevaleri
Rank: #87
[high] `mintToken()`, `mintWithBudget()`, and `forge()` in the `TraitForgeNft` Contract Will Fail Due to a Wrong Modifier Used in `EntropyGenerator.initializeAlphaIndices()`
[high] The maximum number of generations is infinite
[medium] Pause and unpause functions are inaccessible
[medium] Discrepancy between NFTs minted, NFT price when a generation changes, and the position of `_incrementGeneration()` inside `_mintInternal()` and `_mintNewEntity()`