kenzo

Security Researcher

High: 67 total

Medium: 1 solo, 73 total

Total earnings: $133.24K

#70 All Time

Payouts: 37x

1st places (gold): 7x

2nd places (silver): 1x

3rd places (bronze): 2x

Apr '24

Audit Comp | Alchemix

468 USDC • 2 total findings • Immunefi • Kenzo

#36

medium

Finding not yet public.

low

Finding not yet public.

Feb '24

Audit Comp | Puffer Finance

956 USDC • 2 total findings • Immunefi • Kenzo

#16

medium

Finding not yet public.

low

Finding not yet public.

Mar '23

Y2K

1,979.97 USDC • 7 total findings • Sherlock • kenzo

#8

high

When rolling over, user will lose his winnings from previous epoch

high

Depositor can totally bypass deposit fee using deposit queue

high

Rollover mechanism doesn't update the queue index counter after removing item from queue

high

When updating an existing rollover queue entry, `ownerToRollOverQueueIndex` will point to wrong place

medium

A null epoch can be resolved using `triggerEndEpoch`, thereby losing user funds

medium

`mintRollovers` might automatically generate bad rollover entries in which `assets<=relayerFee`, resulting in rollover bricking

medium

Emissions would be lost in null epochs

Neo Tokyo contest

154.74 USDC • 1 total finding • Code4rena • kenzo

#18

high

Underflow of `lpPosition.points` during withdrawLP causes huge reward minting

Oct '22

Illuminate

4,554.52 USDC • 11 total findings • Sherlock • kenzo

#4

high

Infinite minting is possible for markets who don't support all protocols

high

Attacker can steal funds from redemptions by minting matured PTs

high

Minting iPTs through iPTs will inflate iPT's totalSupply and mess up accounting

high

Reentrancy in lending functions allows attacker to mint infinite amount of iPTs

high

User-supplied AMM pools and no input validation allows stealing of stEth protocol fees

high

`authRedeem` and `autoRedeem` do not check if the market is paused

high

`ERC5095.redeem/withdraw` do not work before token maturity

high

Reentrancy in redemption methods can lead to total bricking of Sense redemption

medium

Wrong slippage control in `ERC5095.mint` will make user get less tokens than deserved

medium

Protocol will lose fees when lending on Swivel and swapping in YieldPool

medium

Extra minting after `yield()` function causes iPT supply inflation and skewed accounting

Jul '22

Golom contest

2,521.29 USDC • Code4rena • kenzo

#8

Yield Witch v2 contest

40.44 USDC • Code4rena • kenzo

#35

Fractional v2 contest

6,232.65 USDC • 11 total findings • Code4rena • kenzo

gold

high

Proposal which started buyout which fails is able to settle migration as if its buyout succeeded.

high

Fund will be stuck if a buyout is started while there are pending migration proposals

high

Division rounding can make fraction-price lower than intended (down to zero)

high

Migration: no check that user-supplied `proposalId` and `vault` match

high

Migration::withdrawContribution falsely assumes that user should get exactly his original contribution back

high

Migration's `leave` function allows leaving a committed proposal

high

Cash-out from a successful buyout allows an attacker to drain Ether from the `Buyout` contract

high

Malicious User Could Burn The Assets After A Successful Migration

high

`migrateFractions` may be called more than once by the same user which may lead to loss of tokens for other users

medium

An attacker can DoS vault's buyout with as little as 1 wei per 4 days

medium

A VAULT OWNER CAN FRONTRUN A PLUGIN CALL AND CHANGE ITS IMPLEMENTATION

Jun '22

Nibbl contest

230.23 USDC • 1 total finding • Code4rena • kenzo

#16

medium

NibblVault: In the buy function, users can avoid paying fees

Illuminate contest

7,670.49 USDC • 19 total findings • Code4rena • kenzo

gold

high

Allowance check always true in ERC5095 redeem

high

Redeemer.redeem() for Element withdraws PT to wrong address.

high

Tempus lend method wrongly calculates amount of iPT tokens to mint

high

Redeem Sense can be bricked

high

ERC5095 redeem/withdraw does not update allowances

high

Lender: no check for paused market on mint

high

Incorrect implementation of APWine and Tempus `redeem`

high

Unable to redeem from Notional

high

Able to mint any amount of PT

high

Funds may be stuck when `redeeming` for Illuminate

high

Illuminate PT redeeming allows for burning from other accounts

high

[H-05] Not minting iPTs for lenders in several lend functions

high

Pendle Uses Wrong Return Value For `swapExactTokensForTokens()`

medium

Swivel lend method doesn't pull protocol fee from user

medium

Lend method signature for illuminate does not track the accumulated fee

medium

sellPrincipalToken, buyPrincipalToken, sellUnderlying, buyUnderlying uses pool funds but pays msg.sender

medium

[M-01] Easily bypassing admins 'pause' for swivel

medium

`Lender.mint()` May Take The Illuminate PT As Input Which Will Transfer And Mint More Illuminate PT Cause an Infinite Supply

medium

Centralisation Risk: Admin Can Change Important Variables To Steal Funds

Badger-Vested-Aura contest

286.3 USDC • 2 total findings • Code4rena • kenzo

#11

medium

`_harvest` has no slippage protection when swapping `auraBAL` for `AURA`

medium

Badger rewards from Hidden Hand can permanently prevent Strategy from receiving bribes

Infinity NFT Marketplace contest

2,839.95 USDC • 4 total findings • Code4rena • kenzo

#4

high

Sellers may lose NFTs when orders is matched with `matchOrders()`

high

Reentrancy from matchOneToManyOrders

high

Accumulated ETH fees of InfinityExchange cannot be retrieved

medium

InfinityExchange computes gas refunds in a way where the first order's buyer pays less than the later ones

Notional x Index Coop

1,894.4 USDC • 1 total finding • Code4rena • kenzo

#10

high

Rounding Issues In Certain Functions

May '22

Velodrome Finance contest

2,912.92 USDC • 1 total finding • Code4rena • kenzo

#9

high

Users can get unlimited votes

Rubicon contest

1,329.4 USDC • 10 total findings • Code4rena • kenzo

#12

high

RubiconRouter _swap does not pass whole amount to RubiconMarket

high

RubiconRouter: Offers created through offerWithETH() can be cancelled by anyone

medium

USDT is not supported because of approval mechanism

medium

Strategists can't be removed

medium

previewWithdraw calculates shares wrongly

medium

Strategists can take more rewards than they should using the function strategistBootyClaim().

medium

No cap on fees can result in a DOS in BathToken.withdraw()

medium

Possible token reentrancy in release() of BathBuddy.sol

medium

Use `safeTransfer()`/`safeTransferFrom()` instead of `transfer()`/`transferFrom()`

medium

Use `call()` instead of `transfer()` when transferring ETH in RubiconRouter

Aura Finance contest

5,338.79 USDC • 1 total finding • Code4rena • kenzo

#10

medium

AuraLocker kick reward only takes last locked amount into consideration, instead of whole balance

FactoryDAO contest

2,984.74 DAI • 5 total findings • Code4rena • kenzo

bronze

high

MerkleVesting withdrawal does not verify that tokens were transferred successfully

high

SpeedBumpPriceGate: Excess ether did not return to the user

medium

Malicious token reward could disable withdrawals

medium

amount requires to be updated to contract balance increase (1)

medium

ERC20 tokens with different decimals than 18 leads to loss of funds

Forgotten Runes Warrior Guild contest

48.66 USDC • Code4rena • kenzo

#46

Apr '22

AbraNFT contest

1,277.75 MIM • 2 total findings • Code4rena • kenzo

#10

high

Critical Oracle Manipulation Risk by Lender

medium

Reentrancy at _requestLoan allows requesting a loan without supplying collateral

Feb '22

Redacted Cartel contest

276.58 USDC • 1 total finding • Code4rena • kenzo

#22

medium

[WP-H0] `DEFAULT_ADMIN_ROLE` of `BribeVault` can steal tokens from users' wallets

Nested Finance contest

1,908.87 USDC • 1 total finding • Code4rena • kenzo

#5

medium

Wrong logic around `areOperatorsImported`

Jan '22

Yield-Convex contest

5,796.2 USDC • 2 total findings • Code4rena • kenzo

silver

high

Malicious Users Can Duplicate Protocol Earned Yield By Transferring `wCVX` Tokens To Another Account

medium

Oracle data feed is insufficiently validated.

Sherlock contest

1,095.71 USDC • Code4rena • kenzo

#14

Sandclock contest

2,604.78 USDC • 4 total findings • Code4rena • kenzo

#7

high

deposit() function is open to reentrancy attacks

high

Vaults with non-UST underlying asset vulnerable to flash loan attack on curve pool

medium

No setter for exchangeRateFeeder, whose address might change in future

medium

Changing a strategy can be bricked

XDEFI contest

939.38 USDC • 2 total findings • Code4rena • kenzo

#4

high

The reentrancy vulnerability in _safeMint can allow an attacker to steal all rewards

medium

`_safeMint` Will Fail Due To An Edge Case In Calculating `tokenId` Using The `_generateNewTokenId` Function

Dec '21

Yeti Finance contest

14,768.76 USDC • Code4rena • kenzo

gold

Amun contest

3,426.19 USDC • 3 total findings • Code4rena • kenzo

#6

medium

SingleNativeTokenExitV2 assumes first exchange holds the outputToken

medium

`totalSupply` may exceed `LibBasketStorage.basketStorage().maxCap`

medium

block.timestamp or deadline

PoolTogether TwabRewards contest

1,071.87 USDC • 5 total findings • Code4rena • kenzo

#5

high

Malicious tickets can lead to the loss of all tokens

high

Continue claiming rewards after numberOfEpochs are over

high

cancelPromotion is too rigorous

high

Rewards can be claimed multiple times

medium

`cancelPromotion()` Unable to cancel unstarted promotions

Perennial contest

12,537.98 USDC • 1 total finding • Code4rena • kenzo

gold

high

Wrong shortfall calculation

Kuiper contest

5,841.96 ETH • 9 total findings • Code4rena • kenzo

gold

high

Reentrancy in settleAuction(): malicious publisher can bypass index timelock mechanism, inject malicious index, and rug the basket

high

Bonding mechanism allows malicious user to DOS auctions

high

Wrong fee calculation after totalSupply was 0

medium

Auction settler can steal user funds if bond timestamp is high enough

medium

User can mint minuscule amount of shares, later withdraw minuscule more than deposited

medium

Basket becomes unusable if everybody burns their shares

medium

Auction bonder can steal user funds if bond block is high enough

medium

`Basket.sol#mint()` Malfunction due to extra `nonReentrant` modifier

medium

Lost fees due to precision loss in fees calculation

Nov '21

Streaming Protocol contest

4,548.09 USDC • 3 total findings • Code4rena • kenzo

#8

high

recoverTokens doesn't work when isSale is true

high

Reward token not correctly recovered

high

Wrong calculation of excess depositToken allows stream creator to retrieve `depositTokenFlashloanFeeAmount`, which may cause fund loss to users

Unlock Protocol contest

4,980.49 USDC • 7 total findings • Code4rena • kenzo

#4

medium

Frontrunning `PublicLock.initialize()` can prevent upgrades due to insufficient access control

medium

Support of different ERC20 tokens

medium

MixinPurchase:shareKey allows to generate keys without purchasing

medium

Key buyers will not be able to get refund if lock manager withdraws profits

medium

Refund mechanism doesn't take into account that key price can change

medium

Missing maxNumberOfKeys checks in shareKey and grantKey

medium

Key transfer will destroy key if from==to

Oct '21

Slingshot Finance contest

10,594.91 ETH • 2 total findings • Code4rena • kenzo

gold

medium

`initialBalance` for native token is wrong

medium

Trades where toToken is feeOnTransferToken might send user less tokens than finalAmountMin

BadgerDAO ibBTC Wrapper contest

1,989.68 ETH • 2 total findings • Code4rena • kenzo

#5

high

WrappedIbbtcEth contract will use stalled price for mint/burn if updatePricePerShare wasn't run properly

medium

No sanity check on pricePerShare might lead to lost value

Union Finance contest

3,863.37 ETH • 2 total findings • Code4rena • kenzo

#5

medium

debtWriteOff updates totalFrozen immaturely, thereby losing staker rewards

medium

Comptroller rewards can be artificially inflated and drained by manipulating [totalStaked - totalFrozen] (or: wrong rewards calculation)

Kuiper contest

8,502.4 USDC • 9 total findings • Code4rena • kenzo

gold

high

Reentrancy in settleAuction(): malicious publisher can bypass index timelock mechanism, inject malicious index, and rug the basket

high

Bonding mechanism allows malicious user to DOS auctions

high

Wrong fee calculation after totalSupply was 0

medium

Auction settler can steal user funds if bond timestamp is high enough

medium

User can mint minuscule amount of shares, later withdraw minuscule more than deposited

medium

Basket becomes unusable if everybody burns their shares

medium

Auction bonder can steal user funds if bond block is high enough

medium

`Basket.sol#mint()` Malfunction due to extra `nonReentrant` modifier

medium

Lost fees due to precision loss in fees calculation

Sep '21

Kuiper contest

4,768.64 USDC • 9 total findings • Code4rena • kenzo

bronze

high

Reentrancy in settleAuction(): malicious publisher can bypass index timelock mechanism, inject malicious index, and rug the basket

high

Bonding mechanism allows malicious user to DOS auctions

high

Wrong fee calculation after totalSupply was 0

medium

Auction settler can steal user funds if bond timestamp is high enough

medium

User can mint minuscule amount of shares, later withdraw minuscule more than deposited

medium

Basket becomes unusable if everybody burns their shares

medium

Auction bonder can steal user funds if bond block is high enough

medium

`Basket.sol#mint()` Malfunction due to extra `nonReentrant` modifier

medium

Lost fees due to precision loss in fees calculation