gzeon

Security Researcher

dev @offchainlabs, initial builders of @arbitrum leaderboard warden & judge @code4rena solidity engineer / security researcher / sybil hunter / investor

High findings: 34 total
Medium findings: 87 total
Total earnings: $162.98K (#59 all time)
Payouts: 84x
1st places (gold): 2x
2nd places (silver): 7x
3rd places (bronze): 5x

Code4rena

Oct '23

Canto Liquidity Mining Protocol

4.94 USDC • Code4rena • gzeon

#19

Aug '23

Chainlink Staking v0.2

41.45 USDC • Code4rena • gzeon

#57

veRWA

2,133.21 USDC • 1 total finding • Code4rena • gzeon

#5

medium

Upon IncreaseAmount the lock may not align to the nearest weekly increment

Jul '23

PoolTogether

215.72 USDC • 1 total finding • Code4rena • gzeon

#42

medium

Attacker can frontrun deployVault to deploy at the same address

Jan '23

Canto Identity Protocol contest

6,680.61 CANTO • 2 total findings • Code4rena • gzeon

gold

high

Attacker can frontrun a victim's mint+add transaction to steal NFT

medium

Griefing risk in `mint`

RabbitHole Quest Protocol contest

40.42 USDC • 4 total findings • Code4rena • gzeon

#53

high

Protocol fees can be withdrawn multiple times in `Erc20Quest`

high

Bad implementation in minter access control for `RabbitHoleReceipt` and `RabbitHoleTickets` contracts

medium

Users may not claim Erc1155 rewards when the Quest has ended

medium

DoS risk if enough tokens are minted in Quest.claim, leading at least to lost transaction fees

Ondo Finance contest

311.49 USDC • 1 total finding • Code4rena • gzeon

#13

medium

KYCRegistry is susceptible to signature replay attack.

Dec '22

Caviar contest

750.98 USDC • 1 total finding • Code4rena • gzeon

#15

high

Reentrancy in buy function for ERC777 tokens allows buying funds with considerable discount

Tigris Trade contest

12.84 USDC • 2 total findings • Code4rena • gzeon

#62

medium

Centralization risks: owner can freeze withdrawals and use timelock to steal all funds

medium

Chainlink price feed is not sufficiently validated and can return stale price

Escher contest

108.58 USDC • 3 total findings • Code4rena • gzeon

#32

high

`saleReceiver` and `feeReceiver` can steal refunds after sale has ended

medium

ETH will get stuck if all NFTs do not get sold.

medium

Unsafe downcasting operation truncates user's input

PoolTogether contest

181.73 USDC • Code4rena • gzeon

#11

Maverick contest

5,995.91 USDC • 1 total finding • Code4rena • gzeon

silver

medium

Trader can manipulate price because bin only moved after swap

Nov '22

ParaSpace contest

1,671.95 USDC • 4 total findings • Code4rena • gzeon

#16

high

NFTFloorOracle's asset and feeder structures can be corrupted

medium

Value can be stuck in Adapters

medium

During oracle outages or feeder outages/disagreement, the `ParaSpaceFallbackOracle` is not used

medium

Centralization risk: admin can rug the project by removing assets and manipulating prices on the oracle.

Canto contest

73.58 CANTO • 2 total findings • Code4rena • gzeon

#10

high

`lending-market/NoteInterest.sol` Wrong implementation of `getBorrowRate()`

medium

Incorrect amount taken

Redacted Cartel contest

2,093.64 USDC • 6 total findings • Code4rena • gzeon

#10

medium

transferBribes could transfer before proposal deadline + Input validation

medium

Admin Privilege - Owner can rug via `ThecosomataETH.withdraw`

medium

SafeERC20.sol is imported but not used in the transferBribes() function

medium

[WP-H0] `DEFAULT_ADMIN_ROLE` of `BribeVault` can steal tokens from users' wallets

medium

SWAP_ROUTER in AutoPxGmx.sol is hardcoded and not compatible on Avalanche

medium

Assets may be lost when calling unprotected `AutoPxGlp::compound` function

Aug '22

Fraxlend (Frax Finance) contest

67 USDC • Code4rena • gzeon

#56

Jun '22

Badger-Vested-Aura contest

80.58 USDC • Code4rena • gzeon

#32

Canto contest

2,165.3 USDC • 2 total findings • Code4rena • gzeon

#13

high

`lending-market/NoteInterest.sol` Wrong implementation of `getBorrowRate()`

medium

Incorrect amount taken

May '22

Backd Tokenomics contest

171.81 USDC • Code4rena • gzeon

#26

veToken Finance contest

614.42 USDT • 2 total findings • Code4rena • gzeon

#26

medium

`VE3DRewardPool` and `VE3DLocker` add to an unbounded array which may potentially lock all rewards in the contract

medium

`VE3DLocker.sol` Wrong implementation of inversely traversed for loops always reverts

Velodrome Finance contest

189.42 USDC • Code4rena • gzeon

#30

Rubicon contest

128.67 USDC • 3 total findings • Code4rena • gzeon

#47

medium

RubiconRouter: Excess ether is not returned to the user

medium

Use `safeTransfer()`/`safeTransferFrom()` instead of `transfer()`/`transferFrom()`

medium

Use `call()` instead of `transfer()` when transferring ETH in RubiconRouter

OpenSea Seaport contest

454.28 USDC • Code4rena • gzeon

#40

Cally contest

47.42 USDC • 1 total finding • Code4rena • gzeon

#70

medium

Owner can set the feeRate to be greater than 100% and cause all future calls to `exercise` to revert

FactoryDAO contest

594.45 DAI • 3 total findings • Code4rena • gzeon

#14

high

SpeedBumpPriceGate: Excess ether is not returned to the user

medium

MerkleResistor: zero coinsPerSecond will brick tranche initialization and withdrawals

medium

safeTransferFrom is recommended instead of transfer (1)

Cudos contest

204.33 USDC • Code4rena • gzeon

#27

Forgotten Runes Warrior Guild contest

1,795.38 USDC • 4 total findings • Code4rena • gzeon

#4

medium

Contract may not have enough funds to cover refund

medium

Use of `.send()` May Revert if The Recipient's Fallback Function Consumes More Than 2300 Gas

medium

Many unbounded and under-constrained variables in the system can lead to unfair price or DoS

medium

Critical variables shouldn't be changed after they are set

Apr '22

PoolTogether Aave v3 contest

677.69 USDC • 1 total finding • Code4rena • gzeon

#8

high

[WP-H1] A malicious early user/attacker can manipulate the vault's pricePerShare to take an unfair share of future users' deposits

AbraNFT contest

8,053.09 MIM • 4 total findings • Code4rena • gzeon

gold

high

Avoidance of Liquidation Via Malicious Oracle

high

Critical Oracle Manipulation Risk by Lender

high

Lender is able to seize the collateral by changing the loan parameters

high

Mistake while checking LTV against lender-accepted LTV

xTRIBE contest

9,605.24 USDC • 1 total finding • Code4rena • gzeon

silver

medium

Incorrect accounting of free weight in `_decrementWeightUntilFree`

Phuture Finance contest

107.39 USDC • Code4rena • gzeon

#18

Badger Citadel contest

789.58 USDC • 3 total findings • Code4rena • gzeon

#19

medium

Owner can steal input tokens

medium

Seven ways in which the Owner and Proxy Admin can make users lose funds ("rug vectors")

medium

New vest resets `unlockBegin` of existing vest without removing vested amount

Mar '22

Paladin contest

734.97 USDC • 1 total finding • Code4rena • gzeon

#13

medium

Users at UNSTAKE_PERIOD can assist other users in unstaking tokens.

Sublime contest

124.06 USDC • Code4rena • gzeon

#13

Rolla contest

325.41 USDC • Code4rena • gzeon

#13

Maple Finance contest

603 USDC • Code4rena • gzeon

#7

Biconomy Hyphen 2.0 contest

2,164.78 USDT • 3 total findings • Code4rena • gzeon

#7

medium

`LiquidityProviders`: Setting new LP token will break contract

medium

`LiquidityProviders`: Setting new liquidity pool will break contract

medium

Improper Upper Bound Definition on the Fee

Timeswap contest

607.7 USDC • Code4rena • gzeon

#7

Feb '22

Anchor contest

1,766.75 UST • Code4rena • gzeon

#10

Foundation contest

2,827.34 USDC • 1 total finding • Code4rena • gzeon

#7

medium

Upgradable escrow contract

JPYC contest

1,092.49 USDC • Code4rena • gzeon

#7

PoolTogether TWAB Delegator contest

297.06 USDC • Code4rena • gzeon

#7

SKALE contest

3,245.99 USDC • 2 total findings • Code4rena • gzeon

#10

medium

Not compatible with Rebasing/Deflationary/Inflationary tokens

medium

Schain owners can rug pull users' funds

Hubble contest

3,370.82 USDC • 2 total findings • Code4rena • gzeon

#9

medium

Ownership of Swap.vy cannot be transferred

medium

`settleFunding` will exceed block gas with more markets and activity

Tribe Turbo contest

10,027.56 USDC • 2 total findings • Code4rena • gzeon

bronze

medium

Slurp can be frontrun with fee increase

medium

Gibber can take any amount from safes

Ooki contest

6,197.62 USDC • Code4rena • gzeon

silver

Redacted Cartel contest

1,446.69 USDC • 6 total findings • Code4rena • gzeon

#8

medium

transferBribes could transfer before proposal deadline + Input validation

medium

Admin Privilege - Owner can rug via `ThecosomataETH.withdraw`

medium

SafeERC20.sol is imported but not used in the transferBribes() function

medium

[WP-H0] `DEFAULT_ADMIN_ROLE` of `BribeVault` can steal tokens from users' wallets

medium

SWAP_ROUTER in AutoPxGmx.sol is hardcoded and not compatible on Avalanche

medium

Assets may be lost when calling unprotected `AutoPxGlp::compound` function

Aave Lens contest

2,451.78 USDC • 1 total finding • Code4rena • gzeon

#9

medium

Cashback on referral

Nested Finance contest

201.57 USDC • Code4rena • gzeon

#12

Badger Citadel contest

1,796.93 USDC • 3 total findings • Code4rena • gzeon

#6

medium

Owner can steal input tokens

medium

Seven ways in which the Owner and Proxy Admin can make users lose funds ("rug vectors")

medium

New vest resets `unlockBegin` of existing vest without removing vested amount

Concur Finance contest

2,886.19 USDC • 5 total findings • Code4rena • gzeon

#7

high

Repeated Calls to Shelter.withdraw Can Drain All Funds in Shelter

high

USDMPegRecovery: risk of funds being locked due to discrepancy between curveLP token value and internal contract math

medium

USDM locked unless guardian removes liquidity

medium

[WP-H2] `ConvexStakingWrapper#deposit()` depositors may lose their funds when the `_amount` is huge

medium

Deactivate function can be bypassed

Jan '22

Notional contest

2,124.82 USDC • 1 total finding • Code4rena • gzeon

#5

medium

MAX_SHORTFALL_WITHDRAW limit on BTP extraction is not enforced

OpenLeverage contest

5,901.25 USDT • 1 total finding • Code4rena • gzeon

bronze

medium

anti-flashloan mechanism may lead to protocol default

Behodler contest

76.23 USDC • Code4rena • gzeon

#24

Trader Joe contest

155.14 USDT • Code4rena • gzeon

#26

Sherlock contest

203.66 USDC • Code4rena • gzeon

#20

ElasticSwap contest

1,779.97 USDC • Code4rena • gzeon

silver

Livepeer contest

11,308.96 tokens • 4 total findings • Code4rena • gzeon

silver

high

[WP-H5] `L1Migrator.sol#migrateETH()` does not send `bridgeMinter`'s ETH to L2, causing ETH to get frozen in the contract

medium

[WP-H3] `L1Migrator.sol#migrateETH()` Improper implementation of `L1Migrator` causes `migrateETH()` to always revert, which can lead to ETH in `BridgeMinter` getting stuck in the contract

medium

Fund loss when insufficient call value to cover fee

medium

`L1Migrator.migrateLPT` can be used to take away protocol's access to LPT tokens in BridgeMinter

InsureDAO contest

1,159.94 tokens • 1 total finding • Code4rena • gzeon

#14

medium

`requestWithdraw` without obligation to withdraw allows underwriter to avoid payout

Sandclock contest

590.5 USDC • Code4rena • gzeon

#18

Timeswap contest

54.1 USDC • Code4rena • gzeon

#22

Dec '21

Vader Protocol contest

599.62 USDC • 3 total findings • Code4rena • gzeon

#7

high

Attacker can claim more IL by manipulating pool price then `removeLiquidity`

high

Governance veto can be bypassed

medium

Adding pair of the same `foreignAsset` would replace oracle of earlier entry

Yeti Finance contest

1,245.19 USDC • Code4rena • gzeon

#16

NFTX contest

2,532.27 USDC • 1 total finding • Code4rena • gzeon

#8

medium

Bypass zap timelock

Amun contest

655.59 USDC • 1 total finding • Code4rena • gzeon

#18

medium

`totalSupply` may exceed `LibBasketStorage.basketStorage().maxCap`

Sublime contest

83.5 USDC • Code4rena • gzeon

#17

PoolTogether TwabRewards contest

524.91 USDC • 3 total findings • Code4rena • gzeon

#15

high

Malicious tickets can lead to the loss of all tokens

high

cancelPromotion is too rigorous

high

Rewards can be claimed multiple times

Perennial contest

53.24 USDC • Code4rena • gzeon

#10

Kuiper contest

2,019.02 ETH • 2 total findings • Code4rena • gzeon

#5

medium

Fee calculation is slightly off

medium

Missing cap on LicenseFee

Mellow Protocol contest

3,426.2 USDC • 2 total findings • Code4rena • gzeon

bronze

medium

Admin can break `_numberOfValidTokens`

medium

Withdraw from `AaveVault` will receive less than actual share

Maple Finance contest

4,786.01 USDC • Code4rena • gzeon

bronze

Nov '21

Streaming Protocol contest

2,539.33 USDC • 3 total findings • Code4rena • gzeon

#14

high

Possible incentive theft through the arbitraryCall() function

high

Tokens can be stolen when `depositToken == rewardToken`

high

Wrong calculation of excess depositToken allows stream creator to retrieve `depositTokenFlashloanFeeAmount`, which may cause fund loss to users

Fei Protocol contest

957.1 USDC • Code4rena • gzeon

#8

Malt Finance contest

7,451.02 USDC • 5 total findings • Code4rena • gzeon

silver

high

Timelock can be bypassed

high

Unable to remove liquidity in Recovery Mode

medium

`UniswapHandler.maltMarketPrice` returns wrong decimals

medium

User can bypass Recovery Mode via UniswapHandler to buy Malt

medium

Dutch auction can be manipulated

Unlock Protocol contest

53.64 USDC • Code4rena • gzeon

#21

Overlay Protocol contest

273.1 ETH • 1 total finding • Code4rena • gzeon

#15

medium

Improper Upper Bound Definition on the Fee

yAxis contest

199.05 USDC • Code4rena • gzeon

#11

BadgerDAO Zaps contest

6,483.34 USDC • 4 total findings • Code4rena • gzeon

silver

high

`setGuardian()` Wrong implementation

medium

Improper implementation of slippage check

medium

No slippage control on `deposit` of IbbtcVaultZap.sol

medium

`calcMint` always returns poolId=0 and idx=0

Nested Finance contest

597.05 USDC • Code4rena • gzeon

#15

Vader Protocol contest

3,549.86 USDC • 3 total findings • Code4rena • gzeon

#6

high

Attacker can claim more IL by manipulating pool price then `removeLiquidity`

high

Governance veto can be bypassed

medium

Adding pair of the same `foreignAsset` would replace oracle of earlier entry

FairSide contest

734.4 ETH • Code4rena • gzeon

#7

Boot Finance contest

1,311.11 USDC • 1 total finding • Code4rena • gzeon

#9

high

Swaps are not split when trade crosses target price

Oct '21

BadgerDAO ibBTC Wrapper contest

4,532.53 ETH • 3 total findings • Code4rena • gzeon

bronze

high

Approved spender can spend too many tokens

high

The design of `wibBTC` is not fully compatible with the current Curve StableSwap pool

medium

Unable to transfer WrappedIbbtc if Oracle goes down

Mochi contest

6,788.49 ETH • 4 total findings • Code4rena • gzeon

#6

high

Referrer can drain ReferralFeePoolV0

medium

liquidation factor < collateral factor for Sigma type

medium

borrow function will borrow max cf when trying to borrow > cf

medium

Unchecked ERC20 transfer calls