
juaan

Security Researcher


High: 1 solo, 15 total
Medium: 3 solo, 15 total
Total Earnings: $93.20K (#98 All Time)
Payouts: 11x
1st Places (gold): 1x
2nd Places (silver): 3x
3rd Places (bronze): 1x


Jun '25
Boop - DAMM V2 Migration
Collaborative Audit • Sherlock • juan

Feb '25
Arrakis Safe Helpers
Collaborative Audit • Sherlock • juaan

Jan '25
Aave v3.3
15,922.19 USDC • Sherlock • juaan
Rank: bronze (3rd place)

Aave v3.3
1,524.42 USDC • Sherlock • juan
Rank: #24

Dec '24
Numa
16,497.25 USDC • 5 total findings • Sherlock • juaan
Rank: silver (2nd place)

high • CNumaToken.leverageStrategy() can be re-entered, causing all the vault funds to be moved to a cToken, crashing NUMA price.
high • The cToken exchange rate can be inflated to steal from the first depositor
medium • OracleUtils.ethLeftSide() is not correct for some tokens, leading to incorrect nuAsset pricing
medium • CF minimum can be bypassed when minting nuAssets
medium • No RWAs have a chainlink feed in ETH, so RWAs cannot be minted as nuAssets

Nov '24
IVX
Collaborative Audit • Sherlock • juan

Jul '24
MakerDAO Endgame
15,064.13 USDC • Sherlock • juaan
Rank: #7

MakerDAO Endgame
3,098.23 USDC • Sherlock • juan
Rank: #32

May '24
Arrakis Valantis SOT Audit
33,195.26 USDC • 6 total findings • Sherlock • juaan
Rank: gold (1st place)

high • When calling `setModule`, a malicious executor can use a malicious payload to steal 100% of the pool's liquidity
high • Incorrect handling of first deposit for new modules leads to all liquidity sent to vault manager
high • The expected price bounds are not passed in to alm.depositLiquidity(), allowing a sandwich attack
high • Due to incorrect rounding, a malicious user can cause the router to ALWAYS revert on adding liquidity
high • Through rebalance(), an executor can drain 100% of vault reserves by minting cheap shares
high • A malicious executor can delete the fees belonging to the owner of `ArrakisStandardManager`

Apr '24
TITLES Publishing Protocol
215.05 USDC • 6 total findings • Sherlock • juan
Rank: #18

high • Malicious users can exploit a flaw in `mintBatch()` to mint large amounts of tokens, with very little cost
medium • Roles within any `Edition` contract can never be granted/revoked
medium • Signature malleability - anyone can acknowledge or unacknowledge an edge from someone else's node
medium • A malicious user can DoS the `acknowledgeEdge` and `unacknowledgeEdge` functions by front-running
medium • The excess funds sent to Edition will be lost, since `_refundExcess` has a logical flaw
medium • `Edition.mintBatch()` will always revert due to using `msg.value` in a loop

Mar '24
Goat Trading
150.17 USDC • 1 total finding • Sherlock • juan
Rank: #7

medium • GoatV1Pair does not work when fee-on-transfer tokens are used, leading to DoS of contract

Revert Lend
3,697.85 USDC • 5 total findings • Code4rena • 0xjuan
Rank: silver (2nd place)

high • V3Utils.execute() does not have caller validation, leading to stolen NFT positions from users
high • Owner of a position can prevent liquidation due to the 'onERC721Received' callback
medium • AutoRange execution can be front-run to avoid protocol fee, causing loss for protocol
medium • Repayments and liquidations can be forced to revert by an attacker that repays a minuscule amount of shares
medium • Incorrect liquidation fee calculation during underwater liquidation, disincentivizing liquidators from participating

Feb '24
Smilee Finance
2,188.04 USDC • 3 total findings • Sherlock • juan
Rank: silver (2nd place)

medium • Complete DoS of every DVP's minting and burning, due to insufficient access controls within FeeManager::trackVaultFee.
medium • The refunding feature in the PositionManager contract will always revert due to insufficient approval
medium • Whenever swapPrice > oraclePrice, minting via PositionManager will revert, due to not enough funds being obtained from user.

Jan '24
Flat Money
1,650.81 USDC • 4 total findings • Sherlock • juan
Rank: #7

high • A malicious user can bypass limit order trading fees via cross-function re-entrancy
high • During liquidation, global position data is updated with the wrong price
high • A user can bypass the locking of tokens in announced orders, by unlocking it in the LimitOrder contract
high • Incorrect underflow-prevention logic when updating `marginDepositedTotal` which can lead to underflow and brick the system

Nov '23
IVX
Collaborative Audit • Sherlock • juan