
h2134

Security Researcher

High
35 Total
Medium
4 Solo
31 Total

$25.17K Total Earnings
#307 All Time
20x Payouts
1x 1st Places (gold)
2x 2nd Places (silver)
5x 3rd Places (bronze)


Mar '25

badger-ebtc-bsm
958.86 USDC • 4 total findings • Cantina • h2134
#4
high: Finding not yet public.
high: Finding not yet public.
medium: Finding not yet public.
medium: Finding not yet public.

Jan '25

Part 2
1,915.65 USDC • 10 total findings • CodeHawks • h2134
#11
high: Incorrect Credit Capacity Validation in `VaultRouterBranch.redeem` Enables Locked Collateral Drainage
high: Vaults' WETH reward is not distributed correctly
high: Unclaimed Rewards Loss Due to Missing Validation in `VaultRouterBranch.stake()`
high: Markets and vaults will not update their state until the market fee is received; any deposits made before the market fee will not be reflected
high: Incorrect calculation in CreditDelegationBranch::withdrawUsdTokenFromMarket allows an attacker to mint any amount of usdz
medium: Fee Recipient Shares Cannot Be Decreased When Total Fee Recipients' Share Is at Max Limit
medium: Due to not updating the debt, the protocol will apply an unintended premium or discount
medium: Refund Underflow in Swap Refund Logic Leading to Locked Funds
medium: Slippage Higher than Expected in `CurveAdapter.executeSwapExactInput()` and `FeeDistributionBranch._performMultiDexSwap()` Multi-Hop Swaps
medium: Vault credit capacity may not be correctly calculated

Ignite
849.18 USDC • CodeHawks • h2134
#6

Nov '24

Nouns DAO - Auction Streams
979.91 USDC • Sherlock • h2134
#5

Chiliz Chain System Contracts
515.82 USDC • Sherlock • h2134
#10
Findings not publicly available for private contests.

vVv Launchpad - Investments & Token distribution
94.59 USDC • 1 total finding • Sherlock • h2134
1st place (gold)
high: Attacker can front-run to claim tokens

Project
958.93 USDC • 3 total findings • CodeHawks • h2134
2nd place (silver)
high: MembershipERC1155 proxy cannot be upgraded
medium: Reorg Vulnerability in DAO Membership Creation Allows Users to Join Incorrect DAOs
low: Missing Signature Expiry Enables Perpetual Transaction Validity

Oct '24

Mento x Good$ Integration
750 USDC • Sherlock • h2134
3rd place (bronze)

stakeup-bloomv2
362.76 USDC • 5 total findings • Cantina • h2134
#29
high: Finding not yet public.
high: Finding not yet public.
high: Finding not yet public.
high: Finding not yet public.
medium: Finding not yet public.

predict.fun lending market
421.53 USDC • 1 total finding • Sherlock • h2134
#5
medium: Protocol does not strictly comply with EIP-712

Sep '24

Flayer
1,346.55 USDC • 15 total findings • Sherlock • h2134
#9
high: No check whether a listing is a liquidation when processing the tax refund on relisting
high: _isLiquidation status is not reset when a liquidation listing is relisted/reserved
high: Listing created time is not updated when relisting
high: Listing info is not deleted when a listing is reserved
high: Incorrect checkpoint index might be returned when snapshotting the current checkpoint
high: Unlocked protected listing asset can be redeemed by any other user
high: Type uint88 may not be suitable for storing the quorum vote requirement
high: ERC1155 collection royalty fees cannot be claimed on L2
medium: ERC721 Airdrop item can be redeemed/swapped out by a user who is not an authorised claimant
medium: User won't be refunded after initializing a collection
medium: Old beneficiary / AMM beneficiary won't be able to claim fees if the current beneficiary is a pool
medium: Fee Exemption cannot be applied or removed
medium: ethIn and tokenOut are not correctly computed in beforeSwap() when the swap is an exactIn
medium: Pool fee cannot actually be set
medium: royaltyBps may not be properly retrieved for ERC1155 collections

Aug '24

Rumpel Point Tokenization Protocol
2,493.15 USDC • Sherlock • h2134
2nd place (silver)

Sentiment V2
1,161.50 USDC • 4 total findings • Sherlock • h2134
#9
medium: SuperPool reallocation may fail due to non-zero approval
medium: Super Pool shares can be inflated by bad debt, leading to overflows
medium: None of the functions in SuperPool checks the pause state
medium: SuperPool is NOT strictly ERC4626 compliant

Tadle
379.39 USDC • 11 total findings • CodeHawks • h2134
#17
high: Incorrect set-up and logic of `referralInfoMap` in the `SystemConfig::updateReferrerInfo` function
high: TokenManager - Unlimited withdraw
high: Taker of a bid offer will lose assets without any benefit if they call DeliveryPlace::settleAskMaker() for partial settlement
high: Native token withdrawal fails until manually approved
high: `DeliveryPlace::settleAskTaker` Has Incorrect Access Control
high: Malicious user can drain protocol by bypassing `ASK` offer abortion validation in `Turbo` mode
high: The `DeliveryPlace::settleAskTaker()` function mistakenly uses `makerInfo.tokenAddress` to update the `TokenBalanceType.PointToken` in the `userTokenBalanceMap` mapping, leading to a critical error
high: Fund Withdrawal Flaw in preMarket Allows Users to Avoid Settlement Obligations
medium: `mulDiv()` can round down to 0 in realistic cases, allowing for tax avoidance
low: [Low-01] Missing Access Control in `CapitalPool::approve()` Function Allows Any User to Call It and Set the Allowance Amount of `TokenContract` to `type(uint256).max`
low: `listOffer` Unsafely References Fungible Identifiers

Jul '24

Zaros Part 1
3,866.32 USDC • 5 total findings • CodeHawks • h2134
#5
high: Inadequate Checking of `isIncreasing` when trader adjusts position size
high: Market Disruption and Financial Loss Post-Liquidation
medium: Incorrect liquidatable checking for market order creation
medium: User might be unfairly liquidated after L2 Sequencer grace period
low: Potential `EIP712` violation in multiple cases

Biconomy: Nexus
1,328.78 USDC • 4 total findings • CodeHawks • h2134
3rd place (bronze)
high: User may lose funds when creating a Nexus account or executing user operations
high: Registry is never called when setting up modules using the `Bootstrap` contract
medium: Protocol not fully compliant with `EIP-7579`
low: entryPoint() function cannot be overridden

Jun '24

Mellow Modular LRTs
4,556.32 USDC • 1 total finding • Sherlock • h2134
3rd place (bronze)
medium: User may not receive profit from withdrawal fee as expected and attacker can steal value from pool

Vultisig
767.18 USDC • 4 total findings • Code4rena • h2134
#6
high: Vultisig whitelisting can be bypassed by anyone
high: Most users won't be able to claim their share of Uniswap fees
medium: Vultisig should be burnable
medium: Transfer of ILOPool NFT token to a different account allows users to bypass the pool's `maxCapPerUser` invariant

May '24

Sophon Farming Contracts
1,329.90 USDC • 2 total findings • Sherlock • h2134
3rd place (bronze)
medium: Protocol won't be eligible for referral rewards for depositing ETH
medium: Incorrect accounting of reward points can be caused by owner changing the startBlock

Gamma - Locked Staking Contract
133.81 USDC • 1 total finding • Sherlock • h2134
3rd place (bronze)
medium: Staker may receive much less staking token than expected when they exit early