
leastwood

Security Researcher

Independent Security Researcher | Lead Security Researcher @SpearbitDAO | Fellow @paradigm | Warden & Judge @code4rena


High findings: 75 total
Medium findings: 87 total
Total earnings: $455.92K (#19 all time)
Payouts: 41x
1st places: 9x
2nd places: 8x
3rd places: 6x


Mar '23

Notional V3
126,266.83 USDC • Sherlock • placed #10

Sep '22

Harpie
3,316.84 USDC • 2 total findings • Sherlock • placed #14
medium: Compromised `transferEOAs` and `feeController` addresses can ransom attack all owner addresses
medium: Rebasing tokens will leak value when interacting with the `Vault` contract

May '22

Sturdy contest
1,376.01 USDC • 2 total findings • Code4rena • placed #10
medium: Yield can be unfairly divided because of MEV/just-in-time stablecoin deposits
medium: `processYield()` and `distributeYield()` may run out of gas and revert due to long list of extra rewards/yields

Enso Finance contest
23,426.89 USDT • Code4rena • 1st place

FactoryDAO contest
685.32 DAI • 6 total findings • Code4rena • placed #11
high: SpeedBumpPriceGate: Excess ether is not returned to the user
medium: Malicious token reward could disable withdrawals
medium: safeTransferFrom is recommended instead of transfer (1)
medium: `amount` should be updated to the contract balance increase (1)
medium: ERC20 tokens with decimals other than 18 lead to loss of funds
medium: Centralisation Risk: Owner may abuse the tax rate to claim 99.9% of pools

Forgotten Runes Warrior Guild contest
622.23 USDC • 2 total findings • Code4rena • placed #15
medium: Use of `.send()` May Revert if The Recipient's Fallback Function Consumes More Than 2300 Gas
medium: Critical variables shouldn't be changed after they are set

bunker.finance contest
17,568.24 USDC • 2 total findings • Code4rena • 1st place
medium: `COMP` Distributions Can Be Manipulated And Duplicated Across Any Number Of Accounts
medium: `call()` should be used instead of `transfer()` on an `address payable`

Apr '22

PoolTogether Aave v3 contest
3,642.27 USDC • 2 total findings • Code4rena • 2nd place
high: [WP-H1] A malicious early user/attacker can manipulate the vault's pricePerShare to take an unfair share of future users' deposits
medium: `RewardsController` Emission Manager Can Authorize Users to Claim on Behalf of the `AaveV3YieldSource` Contract and Siphon Yield
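The [WP-H1] pricePerShare finding above is the first-depositor share-inflation class. The following is an added illustration written for this page, not the PoolTogether, Aave, or any other audited project's code: a minimal share vault that derives its price from the live token balance, beside the same vault using a virtual-offset conversion. Contract names, the `OFFSET` value and the amounts in the comments are assumptions chosen to keep the arithmetic easy to follow.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the pricePerShare manipulation class; not an audited
// project's code. Names, OFFSET and the numbers in comments are assumptions.

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function transferFrom(address, address, uint256) external returns (bool);
}

// Share price is derived from the live token balance, so an attacker can "donate"
// tokens straight to the vault and inflate the price of the single share they hold.
contract VulnerableVault {
    IERC20 public immutable asset;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    constructor(IERC20 _asset) { asset = _asset; }

    function totalAssets() public view returns (uint256) {
        return asset.balanceOf(address(this));
    }

    function deposit(uint256 assets) external returns (uint256 shares) {
        // First depositor mints 1:1; everyone after is pro rata, rounded down.
        shares = totalSupply == 0 ? assets : assets * totalSupply / totalAssets();
        // Attack sequence (hypothetical numbers): attacker deposits 1 wei -> 1 share;
        // attacker transfers 1e22 tokens directly to the vault; victim deposits 1e22:
        // 1e22 * 1 / (1e22 + 1) == 0 shares, so the victim owns nothing and the
        // attacker's single share now redeems for roughly 2e22.
        require(asset.transferFrom(msg.sender, address(this), assets), "transferFrom failed");
        totalSupply += shares;
        balanceOf[msg.sender] += shares;
    }

    function redeem(uint256 shares) external returns (uint256 assets) {
        assets = shares * totalAssets() / totalSupply;
        totalSupply -= shares;
        balanceOf[msg.sender] -= shares;
        require(asset.transfer(msg.sender, assets), "transfer failed");
    }
}

// Same vault with a virtual-offset conversion (the approach OpenZeppelin's ERC-4626
// takes through _decimalsOffset): prices are computed as if 10**OFFSET shares and
// 1 asset already existed. To round a victim's deposit down to zero shares the
// attacker must now donate about 10**OFFSET times that deposit, and most of the
// donation ends up owned by the victim rather than the attacker.
contract HardenedVault {
    IERC20 public immutable asset;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    uint8 public constant OFFSET = 6; // assumption: six extra share decimals

    constructor(IERC20 _asset) { asset = _asset; }

    function totalAssets() public view returns (uint256) {
        return asset.balanceOf(address(this));
    }

    function convertToShares(uint256 assets) public view returns (uint256) {
        return assets * (totalSupply + 10 ** OFFSET) / (totalAssets() + 1);
    }

    function convertToAssets(uint256 shares) public view returns (uint256) {
        return shares * (totalAssets() + 1) / (totalSupply + 10 ** OFFSET);
    }

    function deposit(uint256 assets) external returns (uint256 shares) {
        shares = convertToShares(assets);
        require(shares > 0, "zero shares"); // never accept a deposit that mints nothing
        require(asset.transferFrom(msg.sender, address(this), assets), "transferFrom failed");
        totalSupply += shares;
        balanceOf[msg.sender] += shares;
    }

    function redeem(uint256 shares) external returns (uint256 assets) {
        assets = convertToAssets(shares);
        totalSupply -= shares;
        balanceOf[msg.sender] -= shares;
        require(asset.transfer(msg.sender, assets), "transfer failed");
    }
}
```

Replaying the same sequence against `HardenedVault` with the assumed numbers: the attacker's 1 wei mints 1e6 shares, the 1e22 donation follows, and the victim's 1e22 deposit mints about 2e6 shares, two thirds of the supply, so the victim can redeem close to the full 2e22 that is now in the vault. Tracking deposits in an internal accounting variable instead of `balanceOf(address(this))`, or minting a small amount of dead shares at deployment, are alternative mitigations with the same goal.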

Mar '22

Joyn contest
4,160.27 USDC • 7 total findings • Code4rena • 1st place
high: Duplicate NFTs Can Be Minted if `payableToken` Has a Callback Attached to it
high: Splitter: Anyone can call incrementWindow to steal the tokens in the contract
high: CoreCollection can be reinitialized
high: ERC20 transferFrom return values not checked
high: Centralisation Risk: Owner Of `RoyaltyVault` Can Take All Funds
medium: `RoyaltyVault.sol` is Not Equipped to Handle On-Chain Royalties From Secondary Sales
medium: Ineffective Handling of FoT or Rebasing Tokens

Paladin contest
4,151.74 USDC • 1 total finding • Code4rena • 3rd place
medium: Users Can Bypass Emergency Restrictions on updateUserRewardState()

prePO contest
2,416.96 USDC • 2 total findings • Code4rena • placed #4
high: Withdrawal delay can be circumvented
medium: Market expiry behaviour differs in implementation and documentation

Feb '22

Foundation contest
18,292.76 USDC • 8 total findings • Code4rena • 1st place
high: NFT owner can create multiple auctions
high: An offer made after auction end can be stolen by an auction winner
medium: Primary seller can avoid paying the primary fee
medium: Fees Are Incorrectly Charged on Unfinalized NFT Sales
medium: There is no Support For The Trading of Cryptopunks
medium: `buyFromPrivateSaleFor()` Will Fail if The Buyer Has Insufficient Balance Due to an Open Offer on The Same NFT
medium: `_getCreatorPaymentInfo()` is Not Equipped to Handle Reverts on an Unbounded `_recipients` Array
medium: `adminAccountMigration()` Does Not Update `buyPrice.seller`

JPYC contest
3,484.08 USDC • Code4rena • 2nd place

SKALE contest
9,342.09 USDC • 1 total finding • Code4rena • placed #4
high: Gas Pricing Can Be Used To Extort Funds From Users of SChain Owner

Hubble contest
1,761.88 USDC • 3 total findings • Code4rena • placed #12
high: Denial of service
medium: Liquidation is vulnerable to sandwich attacks
medium: Liquidations can be run on bogus Oracle prices

Redacted Cartel contest
1,920.08 USDC • 3 total findings • Code4rena • placed #6
medium: Users Can Frontrun Calls to `updateRewardsMetadata()` And Claim Tokens Twice
medium: Send ether with call instead of transfer
medium: SafeERC20.sol is imported but not used in the transferBribes() function
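"Send ether with call instead of transfer" here, "`call()` should be used instead of `transfer()`" in bunker.finance, and "Use of `.send()` May Revert if The Recipient's Fallback Function Consumes More Than 2300 Gas" in Forgotten Runes are all the same finding class. The following is an added illustration written for this page, not any of those projects' code; contract names are hypothetical. It shows why the 2300-gas stipend of `transfer`/`send` strands recipients that are contracts, and how to pay out with `call` without giving up the reentrancy protection the stipend used to provide.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the transfer()/send() vs call() finding class; not any
// audited project's code. Contract names are hypothetical.

contract PayoutWithTransfer {
    mapping(address => uint256) public owed;

    function credit(address who) external payable { owed[who] += msg.value; }

    // `transfer` forwards exactly 2300 gas. A smart-contract wallet, splitter or
    // multisig whose receive() writes storage runs out of gas, the call reverts,
    // and because the whole transaction reverts the recipient can never withdraw.
    function withdraw() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        payable(msg.sender).transfer(amount);
    }

    // `send` has the same 2300-gas stipend but returns false instead of reverting.
    // Dropping the bool zeroes the recipient's balance while the ETH stays here.
    function withdrawWithSend() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        payable(msg.sender).send(amount); // return value silently ignored
    }
}

contract PayoutWithCall {
    mapping(address => uint256) public owed;
    uint256 private locked = 1; // 1 = free, 2 = entered

    modifier nonReentrant() {
        require(locked == 1, "reentrant");
        locked = 2;
        _;
        locked = 1;
    }

    function credit(address who) external payable { owed[who] += msg.value; }

    // `call` forwards all remaining gas, so any recipient can accept the payment.
    // The callee can now run arbitrary code, so the state change happens before
    // the external call (checks-effects-interactions) and a mutex blocks re-entry.
    function withdraw() external nonReentrant {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "ETH send failed");
    }
}

// A recipient that breaks `transfer`/`send`: its receive() writes a storage slot,
// and a single SSTORE from zero to non-zero alone costs well over 2300 gas.
contract StorageWritingRecipient {
    uint256 public received;
    receive() external payable { received += msg.value; }
}
```

Crediting `StorageWritingRecipient` in both payout contracts and calling `withdraw` from it shows the difference: `PayoutWithTransfer.withdraw` reverts every time, `PayoutWithTransfer.withdrawWithSend` succeeds but leaves the ETH in the contract with the balance zeroed, and `PayoutWithCall.withdraw` delivers the funds. The recurring review check is therefore twofold: no `transfer`/`send` on an arbitrary `address payable`, and wherever `call` replaces them, the return value is checked and the function is guarded against reentrancy.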

Concur Finance contest
17,348.72 USDC • 18 total findings • Code4rena • 1st place
high: Shelter `claimed` mapping is set with `_to` address and not `msg.sender`
high: Masterchef: Improper handling of deposit fee
high: `ConvexStakingWrapper.exitShelter()` Will Lock LP Tokens, Preventing Users From Withdrawing
high: `ConvexStakingWrapper._calcRewardIntegral()` Can Be Manipulated To Steal Tokens From Other Pools
high: [WP-H8] `ConvexStakingWrapper.sol#_calcRewardIntegral` Wrong implementation can disrupt rewards calculation and distribution
high: [WP-H13] `MasterChef.sol` Users won't be able to receive the `concur` rewards
high: [WP-H14] `ConvexStakingWrapper`, `StakingRewards` Wrong implementation will send `concur` rewards to the wrong receiver
high: Wrong reward token calculation in MasterChef contract
high: Repeated Calls to Shelter.withdraw Can Drain All Funds in Shelter
high: USDMPegRecovery: Risk of funds being locked due to a discrepancy between the curveLP token value and the internal contract math
medium: `MasterChef.updatePool()` Fails To Update Reward Variables If `block.number >= endBlock`
medium: `ConvexStakingWrapper.enterShelter()` May Erroneously Overwrite `amountInShelter` Leading To Locked Tokens
medium: Users Will Lose Rewards If The Shelter Mechanism Is Enacted Before A Recent Checkpoint
medium: Users Will Lose Concur Rewards If The Shelter Mechanism Is Enacted On A Pool
medium: If The Staking Token Exists In Both `StakingRewards.sol` And `ConvexStakingWrapper.sol` Then It Will Be Possible To Continue Claiming Concur Rewards After The Shelter Has Been Activated
medium: Donated Tokens Cannot Be Recovered If A Shelter Is Deactivated
medium: [ConcurRewardPool] Possible reentrancy when claiming rewards
medium: `USDMPegRecovery.provide()` Will Fail If There Is An Excess Of `usdm` Tokens

Jan '22

Yield-Convex contest
12,844.92 USDC • 3 total findings • Code4rena • 1st place
high: Malicious Users Can Duplicate Protocol Earned Yield By Transferring `wCVX` Tokens To Another Account
high: Malicious Users Can Transfer Vault Collateral To Other Accounts To Extract Additional Yield From The Protocol
medium: Oracle data feed is insufficiently validated

Notional contest
30,568.83 USDC • 9 total findings • Code4rena • 1st place
high: DAO proposals can be executed by anyone due to vulnerable TimelockController
high: DOS by Frontrunning NoteERC20 `initialize()` Function
high: Potential DOS in Contracts Inheriting `UUPSUpgradeable.sol`
high: Treasury cannot claim COMP tokens & COMP tokens are stuck
high: A Malicious Treasury Manager Can Burn Treasury Tokens By Setting `makerFee` To The Amount The Maker Receives
medium: `_validateOrder` Does Not Allow Anyone To Be A Taker Of An Off-Chain Order
medium: `getVotingPower` Is Not Equipped To Handle On-Chain Voting
medium: Usage of deprecated ChainLink API in `EIP1271Wallet`
medium: `sNOTE` Holders Are Not Incentivized To Vote On Proposals To Call `extractTokensForCollateralShortfall`

InsureDAO contest
6,727.84 tokens • 3 total findings • Code4rena • 2nd place
high: Malicious Market Creators Can Steal Tokens From Unsuspecting Approved Reference Accounts
high: [WP-H33] `IndexTemplate.sol` Wrong implementation allows an LP of the index pool to resume a locked `PayingOut` pool and escape the responsibility for the compensation
medium: System Debt Is Not Handled When Insurance Pools Become Insolvent

Sandclock contest
2,578.49 USDC • 5 total findings • Code4rena • placed #8
high: deposit() function is open to reentrancy attacks
high: Vaults with non-UST underlying asset vulnerable to flash loan attack on curve pool
medium: A Single Malicious Trusted Account Can Takeover Parent Contract
medium: `investedAssets()` Does Not Take Into Consideration The Performance Fee Charged On Strategy Withdrawals
medium: unsponsor, claimYield and withdraw might fail unexpectedly

XDEFI contest
178.02 USDC • 1 total finding • Code4rena • placed #18
medium: `_safeMint` Will Fail Due To An Edge Case In Calculating `tokenId` Using The `_generateNewTokenId` Function

Dec '21

Vader Protocol contest
4,325.87 USDC • 14 total findings • Code4rena • 2nd place
high: Anyone Can Arbitrarily Mint Synthetic Assets In `VaderPoolV2.mintSynth()`
high: Anyone Can Arbitrarily Mint Fungible Tokens In `VaderPoolV2.mintFungible()`
high: Incorrect Price Consultation Results
high: Newly Registered Assets Skew Consultation Results
high: Incorrect Accrual Of `sumNative` and `sumUSD` In Producing Consultation Results
high: `previousPrices` Is Never Updated Upon Syncing Token Price
high: `totalLiquidityWeight` Is Updated When Adding New Token Pairs Which Skews Price Data For `getVaderPrice` and `getUSDVPrice`
high: `VaderPoolV2` minting synths & fungibles can be frontrun
high: `USDV.sol` Mint and Burn Amounts Are Incorrect
high: Oracle doesn't calculate USDV/VADER price correctly
medium: `BasePool.mint()` Is Callable By Anyone
medium: `BasePool.swap()` Is Callable By Anyone
medium: Lacking Validation Of Chainlink Oracle Queries
medium: Users Can Reset Bond Depositor's Vesting Period

NFTX contest
7,806.98 USDC • 5 total findings • Code4rena • 2nd place
high: A vault can be locked from MarketplaceZap and StakingZap
medium: transfer return value is ignored
medium: `buyAndSwap1155WETH` Does Not Work As Intended
medium: Dishonest Stakers Can Siphon Rewards From `xToken` Holders Through The `deposit` Function In `NFTXInventoryStaking`
medium: `xToken` Approvals Allow Spenders To Spend More Tokens

Sublime contest
6,572.11 USDC • 3 total findings • Code4rena • 3rd place
high: Aave's share tokens are rebasing, breaking current strategy code
high: `PriceOracle` Does Not Filter Price Feed Outliers
high: Unable To Call `emergencyWithdraw` ETH in `NoYield` Contract

PoolTogether TwabRewards contest
2,155.15 USDC • 5 total findings • Code4rena • 2nd place
high: Malicious tickets can lead to the loss of all tokens
high: Continue claiming rewards after numberOfEpochs are over
high: Backdated _startTimestamp can lead to loss of funds
medium: Missing Check When Transferring Tokens Out For A Given Promotion
medium: Dust Token Balances Cannot Be Claimed By An `admin` Account

Perennial contest
12,537.98 USDC • 1 total finding • Code4rena • 1st place
high: `withdrawTo` Does Not Sync Before Checking A Position's Margin Requirements

Nov '21

Malt Finance contest
7,426.18 USDC • 9 total findings • Code4rena • 3rd place
medium: Users Can Contribute To An Auction Without Directly Committing Collateral Tokens
medium: `StabilizerNode` Will Mint An Incentive For Triggering An Auction Even If An Auction Exists Already
medium: _notSameBlock() can be circumvented in bondToAccount()
medium: `_calculateMaltRequiredForExit` Uses Spot Price To Calculate Malt Quantity In `exitEarly`
medium: Frontrunning in UniswapHandler calls to UniswapV2Router
medium: `addLiquidity` Does Not Reset Approval If Not All Tokens Were Added To Liquidity Pool
medium: `_distributeRewards` Does Not Reset Approval If Not All Tokens Were Allocated
medium: Malt Protocol Uses Stale Results From `MaltDataLab` Which Can Be Abused By Users
medium: Theft of system profit

Vader Protocol contest
10,200.14 USDC • 14 total findings • Code4rena • 3rd place
high: Anyone Can Arbitrarily Mint Synthetic Assets In `VaderPoolV2.mintSynth()`
high: Anyone Can Arbitrarily Mint Fungible Tokens In `VaderPoolV2.mintFungible()`
high: Incorrect Price Consultation Results
high: Newly Registered Assets Skew Consultation Results
high: Incorrect Accrual Of `sumNative` and `sumUSD` In Producing Consultation Results
high: `previousPrices` Is Never Updated Upon Syncing Token Price
high: `totalLiquidityWeight` Is Updated When Adding New Token Pairs Which Skews Price Data For `getVaderPrice` and `getUSDVPrice`
high: `VaderPoolV2` minting synths & fungibles can be frontrun
high: `USDV.sol` Mint and Burn Amounts Are Incorrect
high: Oracle doesn't calculate USDV/VADER price correctly
medium: `BasePool.mint()` Is Callable By Anyone
medium: `BasePool.swap()` Is Callable By Anyone
medium: Lacking Validation Of Chainlink Oracle Queries
medium: Users Can Reset Bond Depositor's Vesting Period

FairSide contest
5,960.99 ETH • 3 total findings • Code4rena • 2nd place
high: Anyone Can Arbitrarily Call `FSDVesting.updateVestedTokens()`
high: FSDVesting: Claiming tributes should call FSD token's corresponding functions
medium: `TributeAccrual.availableTribute()` & `TributeAccrual.availableGovernanceTribute()` Distribute Tributes Unfairly

Boot Finance contest
1,086.67 USDC • 2 total findings • Code4rena • placed #10
high: Unable to claim vesting due to unbounded timelock loop
medium: Overwrite benRevocable

Oct '21

BadgerDAO ibBTC Wrapper contest
0 ETH • 1 total finding • Code4rena • placed #19
high: WrappedIbbtcEth contract will use a stale price for mint/burn if updatePricePerShare wasn't run properly

Mochi contest
13,459.47 ETH • 8 total findings • Code4rena • 3rd place
high: registerAsset() can overwrite _assetClass value
high: `treasuryShare` is Overwritten in `FeePoolV0._shareMochi()`
high: Tokens Can Be Stolen By Frontrunning `VestedRewardPool.vest()` and `VestedRewardPool.lock()`
medium: Improper Validation Of `create2` Return Value
medium: `MochiTreasuryV0.withdrawLock()` Is Callable When Locking Has Been Toggled
medium: `MochiTreasuryV0.sol` Is Unusable In Its Current State
medium: Unchecked ERC20 transfer calls
medium: Chainlink's `latestRoundData` might return stale or incorrect results

Tally contest
589.46 ETH • Code4rena • placed #6

PoolTogether v4 contest
42,100.93 USDC • 2 total findings • Code4rena • 1st place
high: Miners Can Re-Roll the VRF Output to Game the Protocol
medium: `PrizePool.awardExternalERC721()` Erroneously Emits Events

Sep '21

Swivel contest
2,892.7 ETH • 2 total findings • Code4rena • placed #7
high: Unsafe handling of underlying tokens
medium: Admin is a single point of failure without any mitigations

Wild Credit contest
1,070.53 USDC • 1 total finding • Code4rena • placed #6
medium: Use of deprecated Chainlink API

Kuiper contest
1,900.29 USDC • 2 total findings • Code4rena • placed #8
medium: `onlyOwner` Role Can Unintentionally Influence `settleAuction()`
medium: Use safeTransfer instead of transfer

Sushi Miso contest
4,420.82 USDC • Code4rena • placed #6

Aug '21

Notional contest
35,784.57 USDC • 9 total findings • Code4rena • 2nd place
high: DAO proposals can be executed by anyone due to vulnerable TimelockController
high: DOS by Frontrunning NoteERC20 `initialize()` Function
high: Potential DOS in Contracts Inheriting `UUPSUpgradeable.sol`
high: Treasury cannot claim COMP tokens & COMP tokens are stuck
high: A Malicious Treasury Manager Can Burn Treasury Tokens By Setting `makerFee` To The Amount The Maker Receives
medium: `_validateOrder` Does Not Allow Anyone To Be A Taker Of An Off-Chain Order
medium: `getVotingPower` Is Not Equipped To Handle On-Chain Voting
medium: Usage of deprecated ChainLink API in `EIP1271Wallet`
medium: `sNOTE` Holders Are Not Incentivized To Vote On Proposals To Call `extractTokensForCollateralShortfall`
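The Chainlink findings across this list ("Usage of deprecated ChainLink API" here and in Wild Credit, "Chainlink's `latestRoundData` might return stale or incorrect results" in Mochi, "Oracle data feed is insufficiently validated" in Yield-Convex, "Lacking Validation Of Chainlink Oracle Queries" in Vader) are one consumer pattern. The following is an added illustration written for this page, not the code of any of those projects. The `IChainlinkFeed` interface is a hypothetical merge of the legacy `latestAnswer()` accessor and the v3 `latestRoundData()` accessor so both consumers fit in one file; the staleness window is an assumption to be taken from the real feed's documented heartbeat.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the Chainlink-consumer finding class; not any audited
// project's code. The interface below is a hypothetical merge of the legacy and
// v3 feed accessors, and the staleness window is an assumption.

interface IChainlinkFeed {
    function decimals() external view returns (uint8);
    function latestAnswer() external view returns (int256); // legacy, deprecated accessor
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// "Usage of deprecated Chainlink API": latestAnswer() carries no timestamp and no
// round information, so a feed that stopped updating, or a round that returned 0,
// is consumed as if it were a fresh, valid price.
contract UncheckedConsumer {
    IChainlinkFeed public immutable feed;

    constructor(IChainlinkFeed _feed) { feed = _feed; }

    function price() external view returns (uint256) {
        return uint256(feed.latestAnswer());
    }
}

// The checked version reads the full round and rejects anything it cannot trust.
contract CheckedConsumer {
    IChainlinkFeed public immutable feed;
    // Maximum accepted age of a price. Assumption for illustration: set it to the
    // feed's documented heartbeat plus a safety margin, per feed, per network.
    uint256 public immutable maxStaleness;

    constructor(IChainlinkFeed _feed, uint256 _maxStaleness) {
        feed = _feed;
        maxStaleness = _maxStaleness;
    }

    function price() external view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        // A zero or negative answer is a broken or incomplete round, never a price.
        require(answer > 0, "oracle: non-positive answer");
        // updatedAt == 0 means the round has not been completed.
        require(updatedAt != 0, "oracle: round not complete");
        // Reject prices older than the accepted window.
        require(block.timestamp - updatedAt <= maxStaleness, "oracle: stale price");
        // Legacy check: the answer must belong to this round or a later one.
        require(answeredInRound >= roundId, "oracle: stale round");

        return uint256(answer);
    }
}
```

Two caveats a reviewer would attach. First, on current OCR-based feeds `answeredInRound` always equals `roundId`, so that check is kept for compatibility and the staleness window is the check that actually protects the consumer. Second, these checks only detect a feed that has stopped or returned garbage; they do not bound how far a single valid update may jump, which is the separate "does not filter price feed outliers" concern in the Sublime entry above and needs its own deviation or circuit-breaker logic.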

Reality Cards contest
2,950.83 tokens • 1 total finding • Code4rena • 3rd place
medium: Uninitialized Variable `marketWhitelist` in `RCTreasury.sol`