ke1caM

Security Researcher

High: 48 total
Medium: 31 total
Total Earnings: $8.30K
All Time: #615
Payouts: 34x
2nd Places (silver): 1x
3rd Places (bronze): 1x
Top 10 (regular): 6x

Mar '25

PinLink: RWA-Tokenized DePIN Marketplace

220.78 USDC • Sherlock • ke1caM

#7

Jan '25

Ignite

243.00 USDC • CodeHawks • ke1cam

#14

Dec '24

Alchemix Transmuter

501.89 OP • 1 total finding • CodeHawks • ke1cam

#13

medium

Incorrect Total Assets Calculation in _harvestAndReport Leading to Share Value Manipulation and Irredeemable Assets

Nov '24

Ethos Network Financial Contracts

2.85 USDC • 2 total findings • Sherlock • ke1caM

#31

high

Incorrect value used in `buyVotes` function prevents market graduation which leads to loss of funds.

medium

No slippage protection in `sellVotes` function can lead to loss of funds for the seller.

Nouns DAO - Auction Streams

854.99 USDC • Sherlock • ke1caM

#6

Superfluid Locker System

121.22 USDC • 1 total finding • Sherlock • ke1caM

#4

high

Locker owner can't withdraw more than 20% of his token, even when he uses vesting with maximum time.

Oct '24

Usual V1

3,354.08 USDC • 1 total finding • Sherlock • ke1caM

silver

high

`_updateRewards` isn't called in `UsualSP::removeOriginalAllocation()` which leads to loss of funds for the user

Sep '24

Boost Core Incentive Protocol

1,645.02 USDC • 3 total findings • Sherlock • ke1caM

#6

high

Funds can be permanently stuck due to lack of implementation in BoostOwner contract

medium

Protocol can lose 100% of its claim fee percentage

medium

User signature can be used to claim an incentive without their permission, leading to loss of funds for the user

Aug '24

Fjord Token Staking

0.19 USDC • 1 total finding • CodeHawks • ke1cam

#20

medium

`FjordAuction` incorrect `block.timestamp` check allows users to bid after calling `auctionEnd` to claim more tokens than they should

Winnables Raffles

0.76 USDC • 1 total finding • Sherlock • ke1caM

#38

medium

Roles can't be removed from addresses

Tadle

45.39 USDC • 3 total findings • CodeHawks • ke1cam

#68

high

Incorrect set up and logic of `referralInfoMap` in `SystemConfig::updateReferrerInfo` function

high

Native token withdrawal fails until manually approved

high

[H-4] The function `PreMarkets::listOffer` charges an incorrect collateral amount, allowing users to manipulate collateral rates and drain the protocol's funds

Jul '24

TraitForge

10.47 USDC • 9 total findings • Code4rena • ke1caM

#67

high

The maximum number of generations is infinite

high

Number of entities in generation can surpass the 10k number

high

Wrong minting logic based on total token count across generations

medium

There is no slippage check in the `nuke()` function.

medium

Forger Entities can forge more times than intended

medium

Pause and unpause functions are inaccessible

medium

NFTs mature too slowly under default settings.

medium

`Golden God` Tokens can be minted twice per generation

medium

TraitForgeNft: Generations without a golden god are possible

Munchables

375.01 USDC • 4 total findings • Code4rena • ke1caM

#14

high

Invalid validation allows users to unlock early

high

Single plot can be occupied by multiple renters

high

Failure to Update Dirty Flag in transferToUnoccupiedPlot Prevents Reward Accumulation On Valid Plot

medium

Users can farm on zero-tax land if the landlord locked tokens before the LandManager deployment

Zaros Part 1

18.07 USDC • 3 total findings • CodeHawks • ke1cam

#79

high

Market Disruption and Financial Loss Post-Liquidation

low

Functions calling `verifyReport` to verify off-chain prices from Chainlink will fail

low

payable Modifier in TradingAccountBranch::createTradingAccountAndMulticall

Biconomy: Nexus

134.97 USDC • 1 total finding • CodeHawks • ke1cam

#16

high

User may lose funds when creating Nexus account or executing user operations

TempleGold

28.85 USDC • 2 total findings • CodeHawks • ke1cam

#33

high

Incompatibility with Multisig Wallets in `TempleGold::send` Function

low

TempleGold tokens cannot be recovered when a `DaiGoldAuction` ends with 0 bids

Jun '24

Vultisig

10.42 USDC • 1 total finding • Code4rena • ke1caM

#30

medium

Transfer of ILOPool NFT token to different account allows for users to bypass the pool's `maxCapPerUser` invariant

May '24

Munchables

0.01 USDC • 4 total findings • Code4rena • ke1caM

#16

high

Invalid validation allows users to unlock early

high

Single plot can be occupied by multiple renters

high

Failure to Update Dirty Flag in transferToUnoccupiedPlot Prevents Reward Accumulation On Valid Plot

medium

Users can farm on zero-tax land if the landlord locked tokens before the LandManager deployment

Apr '24

DYAD

352.03 USDC • 9 total findings • Code4rena • ke1caM

#31

high

Attacker can make 0 value deposit() calls to deny user from redeeming or withdrawing collateral

high

Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine

high

Kerosene collateral is not being moved on liquidation, exposing liquidators to loss

high

Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply

high

Missing "enough exogenous collateral" check in `VaultManagerV2::liquidate` makes the liquidation revert even if (DYAD Minted > Non Kerosene Value)

high

User can get their Kerosene stuck because of an invalid check on withdraw

high

Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults

medium

Incorrect deployment / missing contract will break functionality

medium

No incentive to liquidate when CR <= 1 as asset received < dyad burned

Mar '24

RadicalxChange

1.18 USDC • 1 total finding • Sherlock • ke1caM

bronze

high

User can cancel his bid and buy NFT only for feeAmount

Feb '24

AI Arena

71.06 USDC • 8 total findings • Code4rena • ke1caM

#69

high

Since you can reroll with a different fighterType than the NFT you own, you can reroll bypassing maxRerollsAllowed and reroll attributes based on a different fighterType

high

Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes

high

Player can mint more fighter NFTs during claim of rewards by leveraging reentrancy on the `claimRewards()` function

high

Fighters cannot be minted after the initial generation due to uninitialized `numElements` mapping

medium

NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on-chain due to underflow, and the user can recover past losses that should be unrecoverable (stealing the protocol's token)

medium

Can mint NFT with the desired attributes by reverting transaction

medium

DoS in `MergingPool::claimRewards` function and potential DoS in `RankedBattle::claimNRN` function if called after a significant amount of rounds passed.

medium

Fighter created by mintFromMergingPool can have arbitrary weight and element

Jan '24

Flat Money

80.91 USDC • 1 total finding • Sherlock • ke1caM

#17

high

User can unlock NFTs and withdraw collateral from a leveraged position that they do not own.

Decent

0.12 USDC • 1 total finding • Code4rena • ke1caM

#55

high

Anyone can update the address of the Router in the DcntEth contract to any address they would like to set.

Curves

3.76 USDC • 7 total findings • Code4rena • ke1caM

#112

high

Whitelisted accounts can be forcefully DoSed from buying curveTokens during the presale

high

Attack to turn a `CurveSubject` into a `HoneyPot`

high

Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`

high

Unauthorized Access to setCurves Function

medium

onBalanceChange causes previously unclaimed rewards to be cleared

medium

`Curves::_buyCurvesToken()`: excess ETH received is not refunded to the user.

medium

If a user sets their curve token symbol as the default one plus the next token counter instance it will render the whole default naming functionality obsolete

Dec '23

The Standard

1.56 USDC • 5 total findings • CodeHawks • ke1cam

#82

high

Rewards can be drained because of lack of access control

high

Looping over unbounded `pendingStakes` array can lead to permanent DoS and frozen funds

medium

Missing deadline check allows pending transactions to be maliciously executed

medium

Fees are hardcoded to 3000 in ExactInputSingleParams

low

`costInEuros` calculation will incur precision loss due to division before multiplication

Revolution Protocol

49.70 USDC • 2 total findings • Code4rena • ke1caM

#53

medium

CultureIndex.sol#dropTopVotedPiece() - Malicious user can manipulate topVotedPiece to DoS the whole CultureIndex and AuctionHouse

medium

It may be possible to DoS AuctionHouse by specifying malicious creators

Nov '23

Kelp DAO | rsETH

7.42 USDC • 1 total finding • Code4rena • ke1caM

#51

high

The price of rsETH could be manipulated by the first staker

Oct '23

NextGen

3.39 USDC • 4 total findings • Code4rena • ke1caM

#100

high

Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime

high

Attacker can reenter to mint all the collection supply

high

Adversary can block `claimAuction()` due to push-strategy to transfer assets to multiple bidders

medium

Auction winner can prevent payments via `safeTransferFrom` callback

The Wildcat Protocol

10.23 USDC • 1 total finding • Code4rena • ke1caM

#66

high

Borrower has no way to update `maxTotalSupply` of `market` or close market.

Sep '23

DittoETH

76.00 USDC • 2 total findings • CodeHawks • ke1cam

#37

low

ETH cannot always be unstaked using Rocket Pool

low

Infinite loop breaks protocol functionality.

Aug '23

Dopex

0.01 USDC • 1 total finding • Code4rena • ke1caM

#129

high

The settle feature will be broken if an attacker arbitrarily transfers collateral tokens to the PerpetualAtlanticVaultLP

Sparkn

9.84 USDC • 4 total findings • CodeHawks • ke1cam

#56

medium

Malicious/compromised organiser can claw back all funds, stealing work from supporters

low

If a winner is blacklisted on any of the tokens they can't receive their funds

low

Centralization Risk for trusted organizers

low

Insufficient validation leads to locking up prize tokens forever

Jul '23

Beedle - Oracle free perpetual lending

36.86 USDC • 5 total findings • CodeHawks • ke1cam

#85

high

Fee on transfer tokens will cause users to lose funds

high

Forcing a borrower to pay a huge debt via `giveLoan()`

high

Hardcoded Router Address May Cause Token Lockup in Non-Standard Networks

low

Zero address leads to transaction reverts

gas

`Staked` struct is created but never used

Jun '23

Lybra Finance

29.06 USDC • 1 total finding • Code4rena • ke1caM

#76

medium

`stakerewardV2pool.withdraw()` should check the user's boost lock status.