
neko_nyaa

Security Researcher


High findings: 6 total
Medium findings: 12 total
Total earnings: $3.52K
Rank: #852 all time
Payouts: 14x
1st places (gold): 2x
Top 10 finishes: 5x
Top 25 finishes: 11x


Nov '24

vVv Launchpad - Investments & Token distribution
94.59 USDC • 1 total finding • Sherlock • neko_nyaa
Rank: 1st place (gold)
High: Token distributor sends project tokens to `msg.sender` instead of to VC's `kycAddress`, allows direct stealing with front-running

Aug '24

Perennial V2 Update #3
359.48 USDC • 1 total finding • Sherlock • neko_nyaa
Rank: #7
High: No access control on `updateExtension()`, anyone can become a protocol-wide operator and change any positions at will

Winnables Raffles
934.40 USDC • 8 total findings • Sherlock • neko_nyaa
Rank: 1st place (gold)
High: `WinnablesTicketManager.refundPlayers()` never updates `_lockedETH`, causing subsequent protocol revenues to be permanently locked
High: Raffles can be instantly cancelled by anyone as soon as they are created
High: No validation for `prizeManager`, anyone can lock prizes forever by calling `cancelRaffle()` or `propagateRaffleWinner()` with an arbitrary address
Medium: Admin can unrestrictedly affect the odds of a raffle by setting themselves up with role(1) in `WinnablesTicket`
Medium: `_setRole()` always grants the user the role, regardless of whether `status` is set to true or false
Medium: Admin can deny winnings by disabling the approved CCIP counterpart, causing results propagation to fail
Medium: Out-of-gas revert in `WinnablesTicket.ownerOf()` may prevent raffles from settling, locking prizes in the Manager
Medium: Raffles with exactly `minTicketsThreshold` tickets sold can still be cancelled

Jun '23

Llama
48.22 USDC • Code4rena • neko_nyaa
Rank: #23

Dec '22

Forgeries contest
403.97 USDC • Code4rena • neko_nyaa
Rank: #11

PoolTogether contest
338.92 USDC • Code4rena • neko_nyaa
Rank: #10

NounsDAO
114.65 USDC • 1 total finding • Sherlock • neko_nyaa
Rank: #6
Medium: `rescueERC20()` does not rescue stream tokens; however, it is easily possible to support such functionality.

Nov '22

Blur Exchange contest
447.04 USDC • 1 total finding • Code4rena • neko_nyaa
Rank: #20
Medium: Pool designed to be upgradeable but does not set owner, making it unupgradeable

SIZE contest
190.87 USDC • 2 total findings • Code4rena • neko_nyaa
Rank: #19
Medium: Incompatibility with fee-on-transfer/inflationary/deflationary/rebasing tokens, on both base tokens and quote tokens, with varying impacts
Medium: Solmate's ERC20 does not check for token contract's existence, which opens up the possibility of a honeypot attack

Oct '22

Paladin - Warden Pledges contest
31.16 USDC • Code4rena • neko_nyaa
Rank: #30

Blur Exchange contest
32.65 USDC • 1 total finding • Code4rena • neko_nyaa
Rank: #23
Medium: Pool designed to be upgradeable but does not set owner, making it unupgradeable

Sep '22

QuickSwap and StellaSwap contest
35.48 USDC • 1 total finding • Code4rena • neko_nyaa
Rank: #53
Medium: A "front-running attack" can be made against the `initialize` function

Frax Ether Liquid Staking contest
72.55 USDC • 1 total finding • Code4rena • neko_nyaa
Rank: #34
Medium: Centralization risk: admin has privileges: admin can set an address to mint any amount of frxETH, can set any address as validator, can change important state in frxETHMinter, and can withdraw funds from frxETHMinter

VTVL contest
416.87 USDC • 1 total finding • Code4rena • neko_nyaa
Rank: #15
High: Permanent freeze of vested tokens due to overflow in `_baseVestedAmount`