montecristo

Junior Blockchain Security Researcher

Started my career as a blockchain security researcher in Dec. 2024. Took the 1st rank in multiple competitive audits.

High: 1 Solo, 21 Total

Medium: 2 Solo, 18 Total

Total Earnings: $23.54K

#322 All Time

Payouts: 10x

1st Places: 2x (gold)

Top 10: 4x (regular)

Top 25: 6x (regular)

Mar '25

Forte: Float128 Solidity Library

11,397.24 USDC • 3 total findings • Code4rena • montecristo

gold

high

Early 72-digit adjustment in sqrt will lead to incorrect result exponent calculation

high

Natural Logarithm Function Silently Accepts Invalid Non-Positive Inputs

medium

Inconsistent mantissa size auto-scaling between packedFloat encoding and calculations will lead to unacceptable rounding errors

badger-ebtc-bsm

29.7 USDC • 2 total findings • Cantina • montecristo

#23

high

Finding not yet public.

high

Finding not yet public.

Feb '25

Yieldoor

357.18 USDC • 4 total findings • Sherlock • montecristo

#5

high

Users can create 40x leverage position

high

Liquidation fee will not be claimed due to incorrect decimal handling

high

Cannot set liquidation fee recipient

medium

Rebalancing and compounding will fail on pools with negative tick

THORWallet

0 USDC • 1 total finding • Code4rena • montecristo

#10

medium

Improper Transfer Restrictions on Non-Bridged Tokens Due to Boolean Bridged Token Tracking, Allowing a DoS Attack Vector

Jan '25

Part 2

10,845.19 USDC • 23 total findings • CodeHawks • glightspeed2

gold

high

The Deleverage Will apply twice on market USDtoken minting

high

Incorrect Credit Capacity Validation in `VaultRouterBranch.redeem` Enables Locked Collateral Drainage

high

Underflow when updating credit delegation will result protocol DoS

high

Vaults weth reward is not distributed correctly

high

Incorrect Debt Check in `CreditDelegationBranch::settleVaultsDebt` Function

high

Market-vault disconnection will bring permanent inconsistent state

high

Markets and vaults will not update their state until market fee is received, any deposits before market fee will not be reflected

high

Total market debt > 0 when credit deposits > netusdissuance which breaks key protocol logic

high

Incorrect calculation in CreditDelegationBranch::withdrawUsdTokenFromMarket allows attacker mint any amount of usdz

medium

No way to set UsdTokenSwapConfig pd curve parameters

medium

Due to not updating the Debt , the protocol will apply untended premium or discount

medium

Incorrect weight assignment in Vault::updateVaultAndCreditDelegationWeight leads to overleveraging vault positions and insolvency

medium

rebalanceVaultsAssets incorrectly accounts vaults' depositedUsdc

medium

Unable to swap USD token to collateral for vaults in credit

medium

The logic in `getPremiumDiscountFactor` is inverted: a discount is applied when Vault is in credit and a premium is applied if Vault is in debt

medium

Vault accumulated values do not reflect market change correctly

medium

Vault's total credit capacity keeps changing when being recalculated even though there is no market activity

medium

rebalanceVaultAssets will revert with erc20 insufficient balance error

medium

Usd token can be overwithdrawn from market

low

FullFill Swap will Fail due to minAmountOut wrong calculation

low

Lack of an update of the pool state will cause Initiate Swap to return an incorrect Amountout

low

Total debt used in fulfiling swap actions is wrong because we did not update the vault.

low

Protocol not fully compliant with ERC-7201

Aave v3.3

69.26 USDC • Sherlock • montecristo

#87

Dec '24

QuantAMM

747.49 OP • 4 total findings • CodeHawks • glightspeed2

#17

high

Denial of service when calculating the new weights if the rule requires previous moving averages

high

GradientBasedRules will not work for >=4 assets with vector lambdas

medium

Incorrect Handling Of Nft Self-Transfer In afterupdate Hook Allows The Owner To Grief A Buyer By Rendering The Nft Unable To Redeem Its Associated Liquidity, Resulting In A Loss Of Funds

medium

Incorrect implementation of QuantammMathGuard.sol#_clampWeights.

SecondSwap

60.42 USDC • 3 total findings • Code4rena • montecristo

#38

medium

Listing potential can not be purchased with discounted price

medium

Rounding error in stepDuration calculations.

medium

Underflow in `claimable` DOSing `claim` Function

Autonomint Colored Dollar V1

31.83 OP • 2 total findings • Sherlock • montecristo

#36

high

Malicious user will steal USDT from treasury

high

Approved ABONDToken spender will steal yields from treasury

Lambo.win

0 USDC • 1 total finding • Code4rena • montecristo

#36

high

Minting zero tokens when underlyingToken is not Ether in cashIn()