
josephdara

Security Researcher

BlockChain Security Researcher • Auditoooor @code4rena @immunefi • Stern Ritter Y • Dm for Private Audits

High: 20 total

Medium: 39 total

Total Earnings: $16.10K

#408 All Time

Payouts: 32x (regular)

Top 10: 4x (regular)

Top 25: 15x (regular)

Top 50: 26x

May '24

Predy

20.13 USDC • 2 total findings • Code4rena • josephdara

#28

medium: Incorrect price for negative ticks due to lack of rounding down

medium: Chainlink's `latestRoundData` might return stale or incorrect results

Arbitrum BoLD

5,993.97 USDC • 1 total finding • Code4rena • josephdara

#9

medium: `BOLDUpgradeAction.sol` will fail to upgrade contracts due to error in the `perform` function

Apr '24

Renzo

3.15 USDC • 4 total findings • Code4rena • josephdara

#49

high: Incorrect withdraw queue balance in TVL calculation

high: Withdrawals logic allows MEV exploits of TVL changes and zero-slippage zero-fee swaps

medium: Deposits will always revert if the amount being deposited is less than the bufferToFill value

medium: Withdrawals and Claims are meant to be pausable, but it is not possible in practice

NOYA

125.51 USDC + NOYA stars • 3 total findings • Code4rena • josephdara

#48

high: `Registry.sol#updateHoldingPosition` remove position logic is incorrect: should use `ownerConnector` instead of `calculatorConnector` when calculating holdingPositionId

high: `executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`

medium: Incorrect modifier condition

DYAD

7.65 USDC • 3 total findings • Code4rena • josephdara

#97

high: Attacker can make 0 value deposit() calls to deny user from redeeming or withdrawing collateral

high: Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine

medium: Attacker can frontrun to prevent vaults from being removed from the dNFT owner's position

Mar '24

Taiko

1,099.42 USDC • 2 total findings • Code4rena • josephdara

#17

medium: Bridge watcher can forge arbitrary message and drain bridge

medium: retryMessage unable to handle edge cases

Feb '24

curvance

1,396.87 USDC • 1 total finding • Cantina • josephdara

#27

medium: Finding not yet public.

Wise Lending

249.82 USDC • 1 total finding • Code4rena • josephdara

#24

medium: Unchecked return value bug on `TransferHelper::_safeTransferFrom()`

AI Arena

268.27 USDC • 4 total findings • Code4rena • josephdara

#18

high: Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`

medium: Minter / Staker / Spender roles can never be revoked

medium: Burner role can not be revoked

medium: DoS in `MergingPool::claimRewards` function and potential DoS in `RankedBattle::claimNRN` function if called after a significant amount of rounds passed

Jan '24

Salty.IO

90.94 USDC • 2 total findings • Code4rena • josephdara

#71

medium: Impossible to change managed wallets with `proposeWallets` after first rejection

medium: Creation of token whitelisting proposals can be DOS'd

Oct '23

Ethena Labs

1,587.06 USDC • 2 total findings • Code4rena • josephdara

#5

medium: Users are still forced to follow the previously set cooldownDuration even when cooldown is off (set to zero) before unstaking

medium: `FULL_RESTRICTED` stakers can bypass restriction through approvals

Open Dollar

139.35 USDC • 2 total findings • Code4rena • josephdara

#31

medium: Unable to retrieve price information with CamelotRelayer contract

medium: Approved address can approve other addresses for an owner's safe

The Wildcat Protocol

664.37 USDC • 3 total findings • Code4rena • josephdara

#9

high: Borrower has no way to update `maxTotalSupply` of `market` or close market

medium: Function `WildcatMarketController.setAnnualInterestBips` allows for values outside the factory range

medium: Removing markets from `WildcatArchController` gives lenders immunity from sanctions

Sep '23

Venus Prime

62.21 USDC • Code4rena • josephdara

#31

Maia DAO - Ulysses

25.79 USDC • 1 total finding • Code4rena • josephdara

#54

high: All tokens can be stolen from `VirtualAccount` due to missing access modifier

Centrifuge

704.11 USDC • 3 total findings • Code4rena • josephdara

#19

medium: Cached `DOMAIN_SEPARATOR` is incorrect for tranche tokens, potentially breaking permit integrations

medium: `trancheTokenAmount` should be rounded UP when proceeding to a withdrawal or previewing a withdrawal

medium: The Restriction Manager does not completely implement ERC1404, so accounts that are supposed to be restricted can still do with their tokens as they see fit

Aug '23

Chainlink Staking v0.2

41.45 USDC • Code4rena • josephdara

#57

Dopex

301.2 USDC • 3 total findings • Code4rena • josephdara

#48

high: Incorrect precision assumed from RdpxPriceOracle creates multiple issues related to value inflation/deflation

high: Users can get immediate profit when they deposit and redeem in `PerpetualAtlanticVaultLP`

high: `UniV3LiquidityAMO::recoverERC721` will cause `ERC721` tokens to be permanently locked in `rdpxV2Core`

PoolTogether V5: Part Deux

89.63 USDC • 1 total finding • Code4rena • josephdara

#24

high: `rngComplete` function should only be called by `rngAuctionRelayer`

Tangible Caviar

0 USDC • Code4rena • josephdara

#88

Good Entry

1,143.55 USDC • 2 total findings • Code4rena • josephdara

#8

medium: V3 Proxy does not send funds to the recipient; instead it sends to the msg.sender

medium: Return value of low level `call` not checked

Jul '23

Moonwell

44.88 USDC • Code4rena • josephdara

#36

Amphora Protocol

65.94 USDC • 1 total finding • Code4rena • josephdara

#20

high: Rounding error in `WUSDA` can result in loss of user funds, especially when manipulated by an attacker

PoolTogether

571.32 USDC • 2 total findings • Code4rena • josephdara

#29

high: `Vault.mintYieldFee` function can be called by anyone to mint `Vault Shares` to any recipient address

medium: High prizes might not be claimed

Basin

25.41 USDC • Code4rena • josephdara

#25

Jun '23

Lybra Finance

433.74 USDC • 5 total findings • Code4rena • josephdara

#25

high: Governance wrongly calculates `_quorumReached()`

high: `_voteSucceeded()` returns true when `againstVotes > forVotes` and vice versa

high: Incorrectly implemented modifiers in LybraConfigurator.sol allow any address to call functions that are supposed to be restricted

medium: Due to inappropriately short `votingPeriod` and `votingDelay`, it is near impossible for the governance to function correctly

medium: The relation between the safe collateral ratio and the bad collateral ratio for the PeUSD vaults is not enforced correctly

RealWagmi

22.56 USDC • 2 total findings • Sherlock • josephdara

#23

high: Hardcoded fee in Multipool leading to rebalance failure

medium: Wrong validation for tickSpacing and range

Symmetrical

214.66 USDC • 3 total findings • Sherlock • josephdara

#26

high: Wrong accounting leads to excess balance for partyB users depositing with `depositAndAllocateForPartyB()`

medium: Suspended users can deposit and allocate their balances

medium: DoS for accounts if liquidation expires

Stader Labs

704.54 USDC • 2 total findings • Code4rena • josephdara

#21

medium: Owner in VaultProxy.sol is address(0)

medium: `pause/unpause` functionalities not implemented in many pausable contracts

May '23

Iron Bank

0.03 USDC • 2 total findings • Sherlock • josephdara

#23

medium: Stale price from oracle

medium: L2 sequencer downtime

USSD - Autonomous Secure Dollar

0.00 USDC • 1 total finding • Sherlock • josephdara

#107

medium: Oracle's getPriceUSD returns a stale or incorrect result

Footium

0.00 USDC • 1 total finding • Sherlock • josephdara

#35

medium: safeERC20 should be used instead of IERC20