jovi

Security Researcher

High

25

Total

Medium

1

Solo

25

Total

$16.23K

Total Earnings

#403 All Time

23x

Payouts

silver

1x

2nd Places

regular

3x

Top 10

regular

11x

Top 25

Jan '25

doppler-contracts

360.67 USDC • 1 total finding • Cantina • jovi

#11

high

Finding not yet public.

Sep '24

uniswap-v4

3,171.59 USDC • 1 total finding • Cantina • jovi

#30

medium

Finding not yet public.

Jul '24

LoopFi

44.19 USDC • 2 total findings • Code4rena • joaovwfreire

#44

medium

Incorrect calculation of `newCumulativeIndex` in function `calcDecrease`

medium

`PositionAction4626::increaseLever` will always revert

Munchables

126.15 USDC • 6 total findings • Code4rena • joaovwfreire

#28

high

Malicious user can call `lockOnBehalf` repeatedly to extend a user's `unlockTime`, removing their ability to withdraw previously locked tokens

high

Invalid validation allows users to unlock early

high

Failure to Update Dirty Flag in transferToUnoccupiedPlot Prevents Reward Accumulation On Valid Plot

high

Invalid validation in _farmPlots function allowing a malicious user repeated farming without locked funds

medium

When `LockManager.lockOnBehalf` is called from `MigrationManager`, the user's `reminder` will be set to 0, resulting in fewer received `MunchableNFTs`

medium

Missing disapproval check in `LockManager.sol::approveUSDPrice` allows simultaneous approval and disapproval of a price proposal

Velocimeter

652.30 USDC • 3 total findings • Sherlock • jovi

#13

high

disable_max_lock may allow users to remove locks of other users

high

ExerciseLP allows anyone to increase the lock of other users

medium

The MINIMUM_LIQUIDITY value at the Pair contract is not enough to defend against early inflation attacks

May '24

Munchables

1,695.86 USDC • 6 total findings • Code4rena • joaovwfreire

silver

high

Malicious user can call `lockOnBehalf` repeatedly to extend a user's `unlockTime`, removing their ability to withdraw previously locked tokens

high

Invalid validation allows users to unlock early

high

Failure to Update Dirty Flag in transferToUnoccupiedPlot Prevents Reward Accumulation On Valid Plot

high

Invalid validation in _farmPlots function allowing a malicious user repeated farming without locked funds

medium

When `LockManager.lockOnBehalf` is called from `MigrationManager`, the user's `reminder` will be set to 0, resulting in fewer received `MunchableNFTs`

medium

Missing disapproval check in `LockManager.sol::approveUSDPrice` allows simultaneous approval and disapproval of a price proposal

PoolTogether: The Prize Layer for DeFi

803.47 USDC • 2 total findings • Sherlock • jovi

#12

medium

Claimable:claimPrize beforeClaimPrize hooks can be used to steal rewards from the reward recipient

medium

Claimer:claimPrizes does a naive feePerClaim calculation

Apr '24

NOYA

928.78 USDC + NOYA stars • 8 total findings • Code4rena • joaovwfreire

#18

high

`SNXConnector.sol` TVL calculation is incorrect.

high

`AccountingManager::resetMiddle` will not behave as expected

high

`NoyaValueOracle.getValue` returns an incorrect price when a multi-token route is used

high

Numerous errors when calculating the TVL for the MorphoBlue connector

medium

PendleConnector.sol::supply doesn't pass a valid slippage protection min

medium

Improper price validation in CompoundConnector.sol will lead to stale prices being used.

medium

First depositor can make subsequent depositor lose all of her or his deposit

medium

MorphoBlueConnector:withdraw withdraws supplied tokens in a market order

Teller Finance

870.60 USDC • 5 total findings • Sherlock • jovi

#7

high

burnSharesToWithdrawEarnings burns shares before calculating the principal token amount to withdraw

high

Unchecked principal token transfers may lead to false adding of principal to commitments and burning of shares without receiving assets back

high

lenderCloseLoanWithRecipient internal function does not send the collateral to the collateral recipient argument of the call

high

liquidateDefaultedLoanWithIncentive can be gamed to avoid paying loans interest

medium

Malicious borrower can pay each payment and make its own loan default 1 month later

Mar '24

Taiko

6,413.92 USDC • 1 total finding • Code4rena • joaovwfreire

#7

medium

LibProposing:proposeBlock allows blocks with a zero parentMetaHash to be proposed after the genesis block and avoid parent block verification

Feb '24

Rio Network

5.57 USDC • 1 total finding • Sherlock • jovi

#31

high

RioLRTWithdrawalQueue:settleCurrentEpoch overrides assetsReceived

Jan '24

incentive-contracts

519.62 USDC • 4 total findings • Cantina • jovi

#22

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Dec '23

Olas

385.84 USDC • Code4rena • joaovwfreire

#12

Olympus RBS 2.0

32.55 USDC • 1 total finding • Sherlock • jovi

#17

medium

getReserves doesn't utilize the most accurate method to determine totalSupply for some Balancer pools

Nov '23

Kelp DAO | rsETH

7.42 USDC • 1 total finding • Code4rena • joaovwfreire

#51

high

The price of rsETH could be manipulated by the first staker

Oct '23

Party Protocol

15.78 USDC • Code4rena • joaovwfreire

#32

The Wildcat Protocol

154.33 USDC • 2 total findings • Code4rena • joaovwfreire

#40

medium

Function WildcatMarketController.setAnnualInterestBips allows for values outside the factory range

medium

`setAnnualInterestBips()` can be abused to keep a market's reserve ratio at 90%

Sep '23

Venus Prime

4.37 USDC • Code4rena • joaovwfreire

#39

Maia DAO - Ulysses

0.11 USDC • 1 total finding • Code4rena • joaovwfreire

#62

high

All tokens can be stolen from `VirtualAccount` due to missing access modifier

Allo V2

1.30 USDC • 2 total findings • Sherlock • jovi

#69

high

Repeated Vote Allocation Due to Missing Update of Allocator's Total Voice Credits in _qv_allocate Function.

medium

Flawed Allocation Logic Potentially Doubles Voice Credits to Recipients in QVBaseStrategy

Aug '23

Cooler Update

0.70 USDC • 1 total finding • Sherlock • jovi

#20

medium

Lack of access control on the rollLoan function exposes borrowers to bad loan conditions

Dopex

15.93 USDC • 1 total finding • Code4rena • joaovwfreire

#116

medium

Change of `fundingDuration` causes "time travel" of `PerpetualAtlanticVault.nextFundingPaymentTimestamp()`

Jul '23

PoolTogether

15.92 USDC • 1 total finding • Code4rena • joaovwfreire

#66

high

Increasing reserves breaks PrizePool accounting