ni8mare

Security Researcher

Doing my bit towards smart contract security.

High findings: 34 total
Medium findings: 64 total
Total earnings: $29.66K (#284 all time)
Payouts: 40x
2nd places (silver): 1x
3rd places (bronze): 2x
Top 10 (regular): 9x

Apr '25

Burve

45.22 USDC • 1 total finding • Sherlock • ni8mare

#28

high

In `commit` function withdrawals are higher than intended and thus will incur higher fees from underlying vault

Mar '25

Symmio, Staking and Vesting

68.35 USDC • 2 total findings • Sherlock • SlayerSecurity

#10

high

The reward per token stored can be prevented from being updated

medium

Malicious user can extend the reward duration by calling `notifyRewardAmount`

Feb '25

velvet-v4

4,647.69 USDC • 5 total findings • Cantina • Slayer-Security-Velvet

#5

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Rova

0.04 USDC • 1 total finding • Sherlock • SlayerSecurity

3rd place (bronze)

medium

Incorrect accounting of `LaunchToken` with `CurrencyToken` in `updateParticipation`

Core Contracts

313.86 USDC • 18 total findings • CodeHawks • SlayerSecurity

#73

high

Reward manipulation vulnerability in StabilityPool

high

Users can borrow more assets than they have deposited as collateral

high

NFTs Get Permanently Locked in Stability Pool After Liquidation

high

Any attempt to liquidate a user will fail, because StabilityPool does not hold crvUSD during operational lifecycle

high

Boost Miscalculation Leads to Excess Distribution

high

Ownership Parameter Mismatch in LendingPool’s Vault Withdrawal Logic

medium

Gauge reward period can be extended indefinitely

medium

Incorrect utilization rate forces protocol to issue maximum rewards indefinitely

medium

LendingPool deposits do not work with CurveVault due to lack of funds

medium

Using balanceOf Instead of Voting Power

medium

Concurrent Oracle Fulfillments Overwrite House IDs, which leads to Incorrect Pricing

medium

LendingPool.getUserDebt returns outdated value and can lead to liquidation failure

medium

No check for sequencer uptime can lead to Zeno auctions being executed at lower prices or may result in incomplete auctions

medium

Treasury Contract Deposit Function Can Be Frontrun To Deny Protocol Operations

medium

Liquidations are enabled when repayments are disabled, causing borrowers to lose funds without a chance to repay

medium

Owner Can Change Vote Results After Voting Ends by Updating Quorum Numbers for New proposals

low

Incorrect Initialization of minBoost in BaseGauge Constructor Breaks Core Contract Functionality

low

Borrow, withdraw, deposit revert due to curve vault not having available liquidity or being paused.

Jan '25

infrared-contracts

12,157.11 USDC • 3 total findings • Cantina • Slayer-Security

#6

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Oct '24

Gamma Brevis Rewarder

131.06 OP • 1 total finding • Sherlock • ni8mare

3rd place (bronze)

high

Users cannot claim rewards for the whole distribution period.

stakeup-bloomv2

50.56 USDC • 2 total findings • Cantina • ni8mare

#70

medium

Finding not yet public.

medium

Finding not yet public.

Sep '24

symbioticfi-core

3,343.91 USDC • 2 total findings • Cantina • WinSec-7672

#7

medium

Finding not yet public.

medium

Finding not yet public.

Aug '24

zetachain-protocol

2,135.59 USDC • 4 total findings • Cantina • WinSec

#17

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Winnables Raffles

1.80 USDC • 1 total finding • Sherlock • ni8mare

#37

high

`_lockedETH` is never decremented on the cancellation of a raffle.

Tadle

186.55 USDC • 2 total findings • CodeHawks • ni8mare

#34

high

TokenManager - Unlimited withdraw

medium

`mulDiv()` can round down to 0 in realistic cases, allowing for tax avoidance

May '24

Predy

479.32 USDC • 5 total findings • Code4rena • WinSec

#17

medium

Incorrect price for negative ticks due to lack of rounding down

medium

`updateIRMParams` does not call `applyInterestForToken` before updating `irmParams` which leads to incorrect calculation of interest rate for subsequent trades.

medium

Liquidity manipulation is possible when trading

medium

Vaults can become immune from liquidation by setting `vault.recipient` to a blacklisted quote token address

medium

Chainlink's `latestRoundData` might return stale or incorrect results

Apr '24

NOYA

695.95 USDC + NOYA stars • 13 total findings • Code4rena • WinSec

#21

high

`PendleConnector` incorrectly sends the redeemed `PT` tokens to the market instead of the

high

`executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`

high

Numerous errors when calculating the TVL for the MorphoBlue connector

high

In Dolomite, when opening a borrow position, the holding position in the Registry will never be updated due to the removePosition flag being set to true

medium

LP tokens from Boosted Positions are not included in the TVL calculation of a position held by the MaverickConnector

medium

Withdrawals in AccountManager are prone to DoS attacks.

medium

The total deposit amount limit in `AccountingManager.sol` can be bypassed

medium

Missing calls to `_updateTokenInRegistry` leads to incorrect state of tokens in registry

medium

Incorrect modifier condition

medium

`AccountingManager` contract's `previewDeposit`, `previewMint`, `previewWithdraw`, and `previewRedeem` functions are not compliant with EIP-4626 standard

medium

Extra rewards are not updated in curve connector when harvestConvexRewards is called

medium

Camelot and Aerodrome Connector TVL susceptible to manipulation attack

medium

Using the same heartbeat for multiple price feeds

Mar '24

Ondo Finance

72.43 USDC • 1 total finding • Code4rena • ni8mare

#15

medium

The `BURNER` cannot burn tokens from accounts not KYC verified due to the check in `_beforeTokenTransfer`.

vVv Vesting & Staking

13.13 USDC • Sherlock • ni8mare

#33

Feb '24

Perpetual

766.76 USDC • 1 total finding • Sherlock • ni8mare

#10

medium

`deposit` function in `SpotHedgeBaseMaker` and `OracleMaker` is prone to slippage

AI Arena

2.1 USDC • 3 total findings • Code4rena • ni8mare

#156

high

Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win

high

Non-transferable `GameItems` can be transferred with `GameItems::safeBatchTransferFrom(...)`

medium

Can mint NFT with the desired attributes by reverting transaction

Jan '24

Flat Money

80.91 USDC • 1 total finding • Sherlock • ni8mare

#17

high

In `settleFundingFees`, `_globalPositions.marginDepositedTotal` can be assigned a wrong value because of improper comparisons.

Avail

24.97 USDC • Sherlock • ni8mare

#23

Dec '23

The Standard

1.47 USDC • 3 total findings • CodeHawks • ni8mare

#84

medium

Missing deadline check allows pending transactions to be maliciously executed

medium

Fees are hardcoded to 3000 in ExactInputSingleParams

low

`costInEuros` calculation will incur precision loss due to division before multiplication

Footium Update

11.91 USDC • Sherlock • ni8mare

#28

Oct '23

Open Dollar

80.26 USDC • 2 total findings • Code4rena • ni8mare

#39

medium

Test addresses and incorrect interface in code prevent integration with UniswapV3 and Camelot

medium

Decimal Limitation in CamelotRelayer and UniV3Relayer Contract Deployment

Canto Liquidity Mining Protocol

2,934.85 USDC • 1 total finding • Code4rena • ni8mare

2nd place (silver)

medium

If `dt` is not updated accurately then `timeWeightedWeeklyPositionInRangeConcLiquidity_` might be updated incorrectly.

Aug '23

Cooler Update

26.24 USDC • 2 total findings • Sherlock • ni8mare

#16

high

Malicious lender can prevent borrowers from repaying their loans.

medium

`rollLoan` function can be called by anyone.

veRWA

9.82 USDC • Code4rena • ni8mare

#52

Tangible Caviar

26.58 USDC • Code4rena • ni8mare

#69

Jul '23

Beedle - Oracle free perpetual lending

61.67 USDC • 11 total findings • CodeHawks • ni8mare

#62

high

Sandwich attack to steal all ERC-20 tokens in the Fees contract

high

Token spending by Uniswap router doesn't get approved

high

Hardcoded Router Address May Cause Token Lockup in Non-Standard Networks

medium

The `borrow` and `refinance` functions can be front-run by the pool lender to set high interest rates

medium

No expiration deadline leads to losing a lot of funds

medium

Fixed fee level is used when swapping tokens on Uniswap

medium

Pragma non-specification can lead to non-functional / corrupted contract when deployed on Arbitrum

medium

Some ERC20 tokens would revert on zero value fee transfers.

low

Rounding error risk in borrow() function in Lender.sol

gas

Cannot use `_burn` Function in Beedle.sol Contract

gas

Unchecked arithmetic where overflow/underflow is impossible

Foundry DeFi Stablecoin CodeHawks Audit Contest

2.02 USDC • 6 total findings • CodeHawks • ni8mare

#112

medium

staleCheckLatestRoundData() does not check the status of the Arbitrum sequencer in Chainlink feeds.

medium

DSC protocol can consume stale price data or cannot operate on some EVM chains

medium

Chainlink oracle will return the wrong price if the aggregator hits `minAnswer`

medium

All of the USD pair price feeds don't have 8 decimals

low

Pragma isn't specified correctly, which can lead to a non-functional/damaged contract when deployed on Arbitrum

gas

`++i`/`i++` should be `unchecked{++i}`/`unchecked{i++}` when it is not possible for them to overflow, as is the case when used in `for`- and `while`-loops

CodeHawks Escrow Contract - Competition Details

2.47 USDC • 1 total finding • CodeHawks • ni8mare

#94

gas

Contract Can Be Deployed Without Funds.

Tokensoft

239.82 USDC • 2 total findings • Sherlock • ni8mare

#10

high

IVT tokens can be minted many times by calling `initializeDistributionRecord` several times.

medium

`_setTotal` function in `CrosschainDistributor` will revert

Beam

10.45 USDC • Sherlock • ni8mare

#43

PoolTogether

446.12 USDC • 2 total findings • Code4rena • ni8mare

#34

high

`Vault.mintYieldFee` function can be called by anyone to mint `Vault Shares` to any recipient address

medium

`deposit` function does not check for the `maxMint` amount.

Jun '23

Hubble Exchange

212.42 USDC • 1 total finding • Sherlock • ni8mare

#25

medium

More checks needed for Chainlink price feed return values

RealWagmi

126.60 USDC • 1 total finding • Sherlock • ni8mare

#17

high

`getQuoteAtTick` uses `slot0` to calculate prices, which can be manipulated.

May '23

Iron Bank

0.03 USDC • 2 total findings • Sherlock • ni8mare

#23

medium

Oracle return values are not being checked.

medium

No checks for whether Arbitrum sequencer is down

USSD - Autonomous Secure Dollar

4.78 USDC • 5 total findings • Sherlock • ni8mare

#71

high

`mintRebalancer` and `burnRebalancer` can be called by anyone.

high

No slippage parameter in `UniV3SwapInput` function

high

Wrong addresses are used in Oracle contracts.

high

Using `slot0` to calculate prices can be manipulated.

medium

Chainlink Oracle return values are not being checked.

Juicebox Buyback Delegate

16.19 USDC • Code4rena • ni8mare

#18

Footium

89.85 USDC • 1 total finding • Sherlock • ni8mare

#25

medium

Club owner can mint more players than `_maxGenerationId`

Mar '23

Y2K

138.34 USDC • 1 total finding • Sherlock • ni8mare

#49

medium

Wrong treasury address set in changeTreasury function in VaultFactoryV2 contract