ihtishamsudo

Security Researcher

Smart Contract Security Researcher | Solidity | Rust

High: 10 total
Medium: 12 total
Total Earnings: $20.73K (#353 All Time)
Payouts: 45x
3rd Places: 1x (bronze)
Top 10: 10x
Top 25: 25x

Mar '25

Crestal Network
0.01 USDC • 1 total finding • Sherlock • ihtishamsudo
#12
high: Unauthorized Token Transfers in payWithERC20 Function

PinLink: RWA-Tokenized DePIN Marketplace
64.85 USDC • Sherlock • DevABDee
#21

Symmio, Staking and Vesting
0.00 USDC • 1 total finding • Sherlock • ihtishamsudo
#18
medium: Malicious actors will indefinitely extend reward periods affecting all stakers

Feb '25

MetaLend Ronin Lending Protocol
Collaborative Audit • Sherlock • thekmj

Jan '25

Aave v3.3
566.26 USDC • Sherlock • DevABDee
#42

Aave v3.3
439.92 USDC • Sherlock • thekmj
#50

Allora v0.8.0 Update
7,982.97 USDC • Sherlock • thekmj
#4
Findings not publicly available for private contests.

Oct '24

Audit Comp | Anvil
139 USDT • 1 total finding • Immunefi • ihtishamsudo
#13
low: Finding not yet public.

Avantis v1.5: Cross-Asset Leverage
699.35 OP • Sherlock • thekmj
#12
Findings not publicly available for private contests.

Sep '24

Boost Core Incentive Protocol
9.11 USDC • 1 total finding • Sherlock • ihtishamsudo
#23
medium: Boost Protocol doesn't support Fee-on-Transfer Tokens

Aug '24

Winnables Raffles
1.80 USDC • 1 total finding • Sherlock • ihtishamsudo
#37
high: Unupdated _lockedETH in refundPlayers Function Leads to Potential Fund Locking

Jul '24

Munchables
0.39 USDC • 1 total finding • Code4rena • ihtishamsudo
#48
high: Single plot can be occupied by multiple renters

MakerDAO Endgame
945.36 USDC • Sherlock • DevABDee
#61

MakerDAO Endgame
657.58 USDC • Sherlock • thekmj
#67

Mar '24

vVv Vesting & Staking
57.57 USDC • Sherlock • thekmj
#21

Acala
3,012.88 USDC • 1 total finding • Code4rena • ihtishamsudo
#5
high: `transfer_share_and_rewards` allows for self transfer

Phat Contract Runtime
391.62 USDC • Code4rena • ihtishamsudo
#8

Feb '24

UniStaker Infrastructure
22.02 USDC • Code4rena • ihtishamsudo
#8

Audit Comp | Puffer Finance
320 USDC • 2 total findings • Immunefi • ihtishamsudo
#27
low: Finding not yet public.
low: Finding not yet public.

HydraDX
22.99 USDC • Code4rena • ihtishamsudo
#18

Jan '24

Decent
23.41 USDC • Code4rena • ihtishamsudo
#48

Dec '23

stake.link
10.28 USDC • 1 total finding • CodeHawks • ihtishamsudo
#32
low: Single step ownership transfer process

Footium Update
88.52 USDC • Sherlock • thekmj
#16

Revolution Protocol
237.05 USDC • Code4rena • ihtishamsudo
#27

Oct '23

NextGen
27.69 USDC • Code4rena • ihtishamsudo
#75

ENS
85.67 USDC • Code4rena • ihtishamsudo
#12

Sep '23

Maia DAO - Ulysses
58.62 USDC • 1 total finding • Code4rena • ihtishamsudo
#45
medium: Message channels can be blocked resulting in DoS

Allo V2
0.09 USDC • 1 total finding • Sherlock • DevABDee
#74
medium: Insufficient support for Fee-on-Transfer Tokens which will result in computation inconsistencies.

Aug '23

Cooler Update
397.03 USDC • 1 total finding • Sherlock • thekmj
#7
medium: `emergency_shutdown` role is not enough for emergency shutdown.

Shell Protocol
247.5 USDC • Code4rena • ihtishamsudo
#12

Tangible Caviar
47.49 USDC • Code4rena • ihtishamsudo
#61

Jul '23

CodeHawks Escrow Contract - Competition Details
2.47 USDC • 1 total finding • CodeHawks • ihtishamsudo
#94
gas: Use nested `if` statements instead of logical AND (`&&`)

Lens Protocol V2
31.38 USDC • Code4rena • ihtishamsudo
#9

Beam
315.19 USDC • Sherlock • DevABDee
#4

Beam
78.49 USDC • Sherlock • thekmj
#24

Nouns DAO
277.78 USDC • Code4rena • ihtishamsudo
#12

Jun '23

Unitas Protocol
1,414.45 USDC • 1 total finding • Sherlock • DevABDee
#7
high: `XOracle.putPrice()` Can Fall Victim to Front-running Attacks: Attackers Can Make Quick Profits, while Users Can Avoid Loss and even Turn the Potential Loss into Profits.

Unitas Protocol
81.25 USDC • 1 total finding • Sherlock • thekmj
#18
medium: Protocol does not check for price staleness from the XOracle, which is problematic if the price feeder goes down.

May '23

Maia DAO Ecosystem
442.4 USDC • 1 total finding • Code4rena • ihtishamsudo
#46
medium: Protocol fees can become trapped indefinitely inside Talos vault contracts

Iron Bank
117.53 USDC • 2 total findings • Sherlock • thekmj
#9
medium: PriceOracle will use the wrong price if the Chainlink registry returns price outside min/max range
medium: Chainlink oracle may return stale data

USSD - Autonomous Secure Dollar
0.00 USDC • 3 total findings • Sherlock • DevABDee
#90
high: StableOracleWBTC uses the wrong address for the WBTC/USD oracle
high: `mintRebalancer()` & `burnRebalancer()` are `onlyBalancer` modifier. An Attacker can manipulate USSD's `totalSupply()`
medium: Improper validation of the Chainlink Oracle priceFeed function can result in zero or stale prices.

Footium
0.00 USDC • 1 total finding • Sherlock • DevABDee
#35
medium: ERC20 return values not checked

Footium
0.01 USDC • 1 total finding • Sherlock • thekmj
#32
medium: Unsafe ERC20 transfer: tokens that don't revert on failed transfers may disable claims

Apr '23

EigenLayer Contest
161.62 USDC • Code4rena • ihtishamsudo
#23

Jan '23

Cooler
48.03 USDC • 2 total findings • Sherlock • thekmj
#27
high: Rollable loans can be indefinitely rolled, opening up room for a griefing attack that will permanently lock funds.
high: Unsafe ERC20 usage: If one of the tokens is non-reverting on transfer, the other token can be stolen.

Notional Update
1,204.75 USDC • 1 total finding • Sherlock • thekmj
bronze (3rd place)
high: `getEmergencySettlementBPTAmount()`: Wrong usage of `IERC20.totalSupply()` on BPT tokens