neumo

Security Researcher

I hunt for bugs. Get a quote * https://t.co/eiX4SonIFu * https://t.co/t9oFpJ7H2P

High: 17 total
Medium: 22 total
Total earnings: $41.71K (#214 all time)
Payouts: 36x
1st places (gold): 2x
2nd places (silver): 1x
Top 10 (regular): 9x

May '24

Euler-v2

13,669 USDC • Cantina • neumo

#13

Feb '24

Rio Network

1,240.50 USDC • 1 total finding • Sherlock • neumo

#22

medium

Wrong accounting of ethBalanceInUnverifiedValidators when validating withdraw credentials

Jan '24

Blast

8,765.91 USDC • 1 total finding • Cantina • neumo

#35

high

Finding not yet public.

Nov '23

morpho-blue

1,893.18 USDC • 1 total finding • Cantina • neumo

#12

high

Finding not yet public.

ether.fi

1,600 USDC • Hats • neumo

gold

Sep '23

Venus Prime

235.12 USDC • 2 total findings • Code4rena • neumo

#15

high

A malicious user can avoid unfavorable score updates after alpha/multiplier changes, resulting in accrual of outsized rewards for the attacker at the expense of other users

medium

DoS and gas griefing of calls to Prime.updateScores()

Maia DAO - Ulysses

20.01 USDC • 1 total finding • Code4rena • neumo

#56

medium

Message channels can be blocked resulting in DoS

Convergence Finance

121.5 DAI • Hats • neumo

#7

Aug '23

Chainlink Staking v0.2

165.8 USDC • Code4rena • neumo

#49

Jul '23

PoolTogether

22.96 USDC • 1 total finding • Code4rena • neumo

#63

medium

`VaultFactory` allows deployment of vaults with non-authentic `TwabController` and `PrizePool`

Jun '23

GLIF

814.75 USDC • Sherlock • neumo

#9

Findings not publicly available for private contests.

May '23

USSD - Autonomous Secure Dollar

329.84 USDC • 3 total findings • Sherlock • neumo

#5

high

Lack of access control in mintRebalancer allows uncontrolled minting of USSD

high

StableOracleWBTC - price feed used is for ETH - USD

medium

If collateral factor is high enough, flutter ends up being out of bounds

Apr '23

Notional Update #3

5,716.91 USDC • Sherlock • neumo

gold

Findings not publicly available for private contests.

Caviar Private Pools

72.64 USDC • 1 total finding • Code4rena • neumo

#50

medium

Incorrect protocol fee is taken when changing NFTs

Mar '23

Asymmetry contest

79.44 USDC • 2 total findings • Code4rena • neumo

#63

medium

Division before multiplication truncates minOut and incurs heavy precision loss, resulting in insufficient slippage protection

medium

Residual ETH unreachable and unutilized in SafEth.sol

Feb '23

Syndr

2,510.73 USDC • Sherlock • neumo

silver

Findings not publicly available for private contests.

Volta

428.87 USDC • Sherlock • neumo

#8

Findings not publicly available for private contests.

Jan '23

Cooler

48.03 USDC • 2 total findings • Sherlock • neumo

#27

high

Borrower can roll the loan an arbitrary number of times, changing the terms of the loan by too much

high

Lender can steal collateral from borrower

Dec '22

GoGoPool contest

21.71 USDC • 1 total finding • Code4rena • neumo

#75

medium

Coding logic of the contract upgrading renders upgrading contracts impractical

Forgeries contest

19.22 USDC • 1 total finding • Code4rena • neumo

#25

high

Admin does not have to wait to call `lastResortTimelockOwnerClaimNFT()`

prePO contest

28.12 USDC • Code4rena • neumo

#31

Escher contest

29.2 USDC • 2 total findings • Code4rena • neumo

#63

high

`LPDA` price can underflow the price due to bad settings and potentially brick the contract

medium

Sale contracts can be bricked if any other minter mints a token with an id that overlaps the sale

Nov '22

Isomorph

255.81 USDC • 2 total findings • Sherlock • neumo

#17

high

Lack of access control in withdrawFromGauge allows any user to steal collateral

medium

Time delay for RoleControl in isoUSDToken contract has a wrong value

Bull v Bear

400.01 USDC • 2 total findings • Sherlock • neumo

#8

high

Reentrancy in withdrawToken could lead to funds drained

high

Malicious bull can match order multiple times

FrankenDAO

551.15 USDC • 3 total findings • Sherlock • neumo

#9

high

User can get much more voting power than he/she should

medium

When a proposal is passed proposalsCreated is incremented instead of proposalsPassed

medium

Veto function should decrease proposalsPassed (and possibly proposalsCreated)

SIZE contest

213.4 USDC • 1 total finding • Code4rena • neumo

#16

medium

Denial of service when `baseAmount` is equal to zero

Oct '22

Inverse Finance contest

506.82 USDC • 2 total findings • Code4rena • neumo

#17

medium

Avoidable misconfiguration could lead to INVEscrow contract not minting xINV tokens

medium

Oracle assumes token and feed decimals will be limited to 18 decimals

Illuminate

967.01 USDC • 3 total findings • Sherlock • neumo

#11

high

Converter is not approved to spend Redeemer's tokens for the case of Sense

medium

setPrincipal fails to approve Notional contract to spend lender's underlying tokens

medium

Users can lose their Illuminate tokens if amount to redeem is greater than holdings[u][m]

Trader Joe v2 contest

1.3 USDC • 1 total finding • Code4rena • neumo

#26

high

Transferring funds to yourself increases your balance

Sep '22

VTVL contest

408.52 USDC • 2 total findings • Code4rena • neumo

#16

high

Permanent freeze of vested tokens due to overflow in _baseVestedAmount

medium

Supply cap of VariableSupplyERC20Token is not properly enforced

Nouns Builder contest

66.38 USDC • 1 total finding • Code4rena • neumo

#93

medium

Founders can receive fewer tokens than expected

Aug '22

FIAT DAO veFDT contest

29.89 USDC • Code4rena • neumo

#66

Rigor Protocol contest

137.42 USDC • 1 total finding • Code4rena • neumo

#39

high

Project funds can be drained by reusing signatures, in some cases

Jul '22

Golom contest

26.77 USDC • Code4rena • neumo

#87

Fractional v2 contest

194.14 USDC • 1 total finding • Code4rena • neumo

#49

medium

A vault owner can also be the controller and arbitrarily set the secondary market royalties

Jun '22

Yieldy contest

119.25 USDC • 1 total finding • Code4rena • neumo

#40

medium

Functions in the `BatchRequests` contract revert for removed contract addresses