ilchoovski

Security Researcher

High: 18 total

Medium: 19 total

Total earnings: $16.23K (#397 all time)

Payouts: 11x

1st places (gold): 1x

2nd places (silver): 1x

Top 10 (regular): 4x

Jan '25

Liquid Ron

3,583.08 USDC • 3 total findings • Code4rena • ilchovski

silver

high

The calculation of `totalAssets()` could be wrong if `operatorFeeAmount` > 0; this can cause potential loss for the new depositors

medium

User can earn rewards by frontrunning the new rewards accumulation in Ron staking without actually delegating his tokens

medium

Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

Jul '24

TraitForge

0.77 USDC • 6 total findings • Code4rena • ilchovski

#82

high

`mintToken()`, `mintWithBudget()`, and `forge()` in the `TraitForgeNft` Contract Will Fail Due to a Wrong Modifier Used in `EntropyGenerator.initializeAlphaIndices()`

high

The maximum number of generations is infinite

high

Number of entities in generation can surpass the 10k number

high

Wrong minting logic based on total token count across generations

medium

There is no slippage check in the `nuke()` function.

medium

Pause and unpause functions are inaccessible

Zaros Part 1

321.92 USDC • 10 total findings • CodeHawks • AuditTemple

#24

high

Market Disruption and Financial Loss Post-Liquidation

medium

Insufficient checks to confirm the correct status of the sequencerUptimeFeed

medium

A malicious User can DOS all offchain orders making them unexecutable and leaving the protocol in an insolvent state. Also all offchain Trades can also be DOSed for honest parties that do not meet the fillorder requirements (no try and catch)

medium

An Uninitialized Variable In The `MarketConfiguration::update` Function Causes The `PrepMarket::getIndexPrice` Function To Revert

medium

Incorrect liquidatable checking for market order creation

low

Functions calling `verifyReport` to verify offchain prices from chainlink will fail

low

Liquidation of accounts' collateral not possible because some Chainlink price feeds don't exist or are marked as medium risk by Chainlink

low

Attacker can abuse the system by modifying the collateral of pending orders

low

payable Modifier in TradingAccountBranch::createTradingAccountAndMulticall

low

UpgradeBranch.sol does not use _disableInitializers()

Jun '24

Size

1,436.57 USDC • 4 total findings • Code4rena • ilchovski

#23

high

Users won't liquidate positions because the logic used to calculate the liquidator's profit is incorrect

medium

Borrower is not able to compensate his lenders if he is underwater

medium

Size uses wrong source to query available liquidity on Aave, resulting in borrow and lend operations being bricked upon mainnet deployment

medium

Users cannot buy/sell the minimum credit allowed due to exactAmountIn condition

Thorchain

7,111.05 USDC • 3 total findings • Code4rena • ilchovski

gold

high

ThorChain will be informed wrongly about the unsuccessful ETH transfers due to the incorrect event emissions

high

A malicious user can steal money out of the vault and other users

medium

Due to the use of `msg.value` in for loop, anyone can drain all the funds from the `THORChain_Router` contract

May '24

Munchables

0.01 USDC • 1 total finding • Code4rena • ilchovski

#16

high

Malicious User can call `lockOnBehalf` repeatedly to extend a user's `unlockTime`, removing their ability to withdraw previously locked tokens

Apr '24

Renzo

2,061.33 USDC • 8 total findings • Code4rena • ilchovski

#9

high

Incorrect withdraw queue balance in TVL calculation

high

Withdrawals of rebasing tokens can lead to insolvency and unfair distribution of protocol reserves

high

Withdrawals logic allows MEV exploits of TVL changes and zero-slippage zero-fee swaps

high

ETH withdrawals from EigenLayer always fail due to `OperatorDelegator`'s nonReentrant `receive()`

medium

Lack of slippage and deadline during withdraw and deposit

medium

`calculateTVL` may run out of gas for modest number of operators and tokens breaking deposits, withdrawals, and trades

medium

Fixed heartbeat used for price validation is too stale for some tokens

medium

Withdrawals and Claims are meant to be pausable, but it is not possible in practice

Zivoe

365.31 USDC • 4 total findings • Sherlock • Maniacs

#31

high

All staked users will not receive rewards if they are with low token decimals

high

All staked users rewards can be slowed down by anybody

medium

Allowances block the protocol from adding liquidity to uniswap pools

medium

Attacker can skip the distribution of yield from OCL locker for the month

Mar '24

DittoETH

1,332.62 USDC • 2 total findings • Code4rena • ilchovski

#9

high

Valid redemption proposals can be disputed by decreasing collateral

medium

Using cached price to create a proposal reduces the efficacity of redemptions for asset peg

Jan '24

reNFT

15.74 USDC • Code4rena • BI_security

#57

Oct '23

NextGen

0.15 USDC • 1 total finding • Code4rena • ilchovski

#112

high

Attacker can reenter to mint all the collection supply