neeloy

Security Researcher

High: 30 total

Medium: 40 total

Total Earnings: $11.90K

#608 All Time

Payouts: 39x

1st Places: 2x (gold)

Top 10: 11x

Top 25: 26x

Apr '26

Clear Macro by Superfluid

15.79 USDC • Sherlock • neeloy

#57

Mar '26

Chainlink Payment Abstraction V2

0 USDC • 1 total finding • Code4rena • Agontuk

#11

medium

Finding not yet public.

Feb '26

Injective Peggy Bridge

44.12 USDC • 3 total findings • Code4rena • Agontuk

#16

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Jan '26

Olas

1.21 USDC • 1 total finding • Code4rena • Agontuk

#54

high

Insolvency via Cross-Service Reentrancy in StakingBase._withdraw

Fluid DEX v2

194.51 USDC • 2 total findings • Sherlock • neeloy

#10

high

Attacker will drain pooled liquidity from honest suppliers

medium

Liquidity-layer fallback will lock payouts for MoneyMarket users

OpenCover Insured Vaults

22.47 USDC • Sherlock • neeloy

#54

Hotstuff

29.70 USDC • Sherlock • neeloy

#39

Findings not publicly available for private contests.

Flying Tulip

117.32 USDC • Sherlock • neeloy

#84

Dec '25

Panoptic: Next Core

527.31 USDC • 5 total findings • Code4rena • Agontuk

#15

high

BuilderWallet `init()` is unprotected/re-initializable, enabling takeover and theft of builder fees

medium

`RiskEngine::_getRequiredCollateralAtTickSinglePosition()` Fails to Accumulate Credits Across Multiple Legs, Leading to Potential Erroneous Liquidations

medium

Incorrect `UPPER_118BITS_MASK` Mask in `OraclePackLibrary` Causes Unexpected Clearing of `EMAs` and `lockMode` in `OraclePack`

medium

Division-by-zero in long-leg collateral requirement can block solvency checks and `dispatchFrom` (liquidation/force-exercise) for tickSpacing==1 pools

medium

Liquidations Can Be Permanently Blocked via `getLiquidationBonus()` Unsigned Underflow (Insolvent-but-Unliquidatable Accounts)

Rujira

703.12 USDC • 8 total findings • Code4rena • Agontuk

#9

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Monolith Stablecoin Factory

208.42 USDC • 4 total findings • Sherlock • neeloy

#11

medium

A sole borrower will erase debt and leave stablecoin supply unbacked

medium

Borrowers will underpay decay interest, reducing protocol/Vault yield

medium

Redeemer will drain collateral from solvent borrowers

medium

Borrowers will halt interest accrual and starve stakers/protocol

Nov '25

Swafe

15.58 USDC • 2 total findings • Code4rena • Agontuk

#23

medium

Replayable recovery requests allow attacker to permanently block account recovery

medium

Marking a backup makes recovery impossible (recover list never queried)

Sequence: Transaction Rails

189.47 USDC • Code4rena • Agontuk

gold

Megapot

0.13 USDC • 2 total findings • Code4rena • Agontuk

#25

medium

Incorrect ticket price reference in JackpotBridgeManager causes user overpayment after price updates

medium

Global Variable Manipulation During Active Draw Alters End Result

Oct '25

Covenant

757.89 USDC • Code4rena • Agontuk

gold

Index Fun Order Book

70.67 USDC • 1 total finding • Sherlock • neeloy

#10

medium

Current epoch resolved while trading continues enables trade-after-known-result

Sequence

2,109.39 USDC • 2 total findings • Code4rena • Agontuk

#4

medium

`BaseAuth.recoverSapientSignature` returns a constant instead of signer image hash, breaking sapient signer flows

medium

Static signatures bound to caller revert under ERC-4337, causing DoS

Sep '25

Ammplify

377.46 USDC • 7 total findings • Sherlock • neeloy

#16

high

Arbitrary token drain from Diamond via unverified Uniswap V3 mint callback

high

Settlement includes neighboring range, causing unintended mint/burn/collect outside requested ticks

high

Maker fees under-credited at non-visited nodes

medium

JIT penalty wrongly applied on close leading to user fund loss

medium

NFT minting via NFTManager DoS after 16 positions

medium

Ownership transfer cannot be completed, causing permanent admin rotation DoS

medium

Compounding maker cannot fully withdraw; funds become locked for sole holder

Aug '25

kuru-contracts

313.61 USDC • 1 total finding • Cantina • Agontuk1

#54

high

Finding not yet public.

May '25

primev-validator-registry

0.18 USDC • 1 total finding • Cantina • Agontuk1

#6

high

Finding not yet public.

stability-contracts

77.49 USDC • 1 total finding • Cantina • Agontuk1

#26

high

Finding not yet public.

circuit-puzzles

1,139.23 USDC • 2 total findings • Cantina • Agontuk1

#8

high

Finding not yet public.

medium

Finding not yet public.

Apr '25

mezo-monorepo

977.49 USDC • 1 total finding • Cantina • Agontuk1

#17

high

Finding not yet public.

Feb '25

defi-app-contracts

11.53 USDC • 1 total finding • Cantina • Agontuk1

#26

high

Finding not yet public.

Jan '25

Liquid Ron

0 USDC • 1 total finding • Code4rena • Agontuk

#11

medium

Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

daao-contracts

296.83 USDC • 5 total findings • Cantina • Agontuk1

#13

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

dahlia-protocol

1,137.14 USDC • 1 total finding • Cantina • Agontuk1

#14

medium

Finding not yet public.

Pump Science

417.31 USDC • Code4rena • Agontuk

#6

Dec '24

SecondSwap

6.98 USDC • 3 total findings • Code4rena • Agontuk

#45

high

`SecondSwap_Marketplace` vesting listing order affects how much the vesting buyers can claim at a given step

medium

Incorrect referral fee calculations

medium

maxSellPercent can be bypassed by selling previously bought vestings at a later time

Lambo.win

196.51 USDC • 3 total findings • Code4rena • Agontuk

#16

high

Calculation for `directionMask` is incorrect

high

Minting zero tokens when underlyingToken is not Ether in cashIn()

medium

LP for v3 pool of underlying tokens with decimals != 18 would have incorrect NFT metadata

Nov '24

Concrete

141.88 USDC • Code4rena • Agontuk

#55

Aug '24

Chakra

2.03 USDT • 2 total findings • Code4rena • Agontuk

#54

high

Anyone can manipulate user nonce (nonce_manager) in settlement contract

high

In Starknet already processed messages can be re-submitted and by anyone

Superposition

1.26 USDC • 1 total finding • Code4rena • Agontuk

#32

medium

_onTransferReceived() does not work as intended

Phi

9.15 USDC • 1 total finding • Code4rena • Agontuk

#47

high

Reentrancy Vulnerability Allows Bypass of Cooldown, Leading to Unfair Reward Extraction Through Flash Loan

Axelar Network

0 USDC • Code4rena • Agontuk

#9

Jul '24

Basin

8.44 USDC • 1 total finding • Code4rena • Agontuk

#11

high

Incorrectly assigned `decimal1` parameter upon decoding

Reserve Core

0 USDC • Code4rena • Agontuk

#7

TraitForge

284.23 USDC • 3 total findings • Code4rena • Agontuk

#16

high

The maximum number of generations is infinite

medium

Forger Entities can forge more times than intended

medium

Discrepancy between nfts minted, price of nft when a generation changes & position of `_incrementGeneration()` inside `_mintInternal()` & `_mintNewEntity()`

LoopFi

1,493.94 USDC • 4 total findings • Code4rena • Agontuk

#13

high

`AuraVault::claim` reward calculation does not deduct fees from reward amount, causing DoS or extra rewards lost

medium

`PoolV3#repayCreditAccount()` use incorrect share converting function to calculate profit and loss

medium

Lack of Slippage Control in `AuraVault::deposit` and `AuraVault::mint` Functions Can Lead to Unexpected Financial Losses for Users

medium

Unclaimed Rewards Handling Issue in `AuraVault` Contract Functions (`AuraVault::deposit`, `AuraVault::mint`, `AuraVault::withdraw`, `AuraVault::redeem`)