Security Researcher
Elite smart contract security researcher, part of the two-person team Egis Security.
Experience auditing EVM, SVM, Cairo and Cosmos SDK.
Total Earnings
#66 All Time
Jul '25
Jun '25
high
Users can steal funds meant for refunds through `_doMixSwap`
high
Users can steal funds meant for refunds using a `decoded.targetZRC20`
high
Anyone can steal a refund from Solana
medium
Zeta Chain contracts don't check source sender, which results in compromised instructions
medium
`GatewayTransferNative::onCall` doesn't decrease `amount` when platform fee is deducted
medium
Revert transaction from BTC will refund funds to a random address
medium
`AccountEncoder::decompressAccounts` does not decode `isWritable` correctly
medium
GatewayTransferNative::withdraw - The function is public and can be called by anyone
medium
`_existsPairPool` has flawed design, which allows for an attacker to control
medium
`_swapAndSendERC20Tokens` has no slippage protection
Feb '25
Findings not publicly available for private contests.
Dec '24
high
borrowing::liquidate - `lastEventTime` isn't updated after `calculateCumulativeRate` is called
high
`GlobalVariables` may be compromised, if there are concurrent in-flight messages
medium
borrowing::depositTokens - `calculateCumulativeRate` is called after borrower has been added
medium
borrowing::_withdraw - `lastEventTime` is updated before calling `calculateCumulativeRate`
Nov '24
high
Attackers can force the rewards to be stuck in the contract with malicious `x/tokenfactory` denoms
high
Logical error in `validate_fees_are_paid` can cause a DoS or allow users to bypass fees if `denom_creation_fee` includes multiple coins including `pool_creation_fee` and the user attempts to pay all fees using only `pool_creation_fee`
medium
When a user single-side deposit into a pool, slippage protection is invalid
medium
`withdraw_liquidity` lacks slippage protection
medium
Single sided liquidity can't be used to lock LP tokens in the farm manager
medium
Penalty fees can be shared among future farms or expired farms, risks of exploits
Aug '24
high
Exploiter can always bypass `LIQUIDATION_DISCOUNT` and always seize all collateral
medium
Exploiter can force user into unhealthy condition and liquidate him
medium
SuperPoolFactory
medium
Under certain circumstances bad debt will cause first depositor to lose funds
medium
Pool::liquidate()
medium
`SuperPool` has a `togglePause` function, but lacks `whenNotPaused` modifier
medium
Liquidators won't have incentive to repay positions under some conditions
medium
`SuperPool#convertToShares` violates ERC4626
medium
User can grief `SuperPool#reallocate` for USDT because it doesn't use `forceApprove`
Jul '24
Jun '24
May '24
medium
Insufficient input validation on `SablierV2NFTDescriptor::safeAssetSymbol` allows an attacker to obtain stored XSS
medium
The overflow in the `_calculateStreamedAmount` function can lead to unexpected results.
medium
`SablierV2Lockup.sol` - The caller of withdraw and renounce can skip callbacks, by sending less gas
medium
Use of CREATE method is suspicious of reorg attack
Apr '24
high
`LenderCommitmentGroup_Smart.sol::burnSharesToWithdrawEarnings` steal previous depositors funds
high
TellerV2.sol
high
LenderCommitmentGroup_Smart.sol#liquidateDefaultedLoanWithIncentive()
high
LenderCommitmentGroup_Smart.sol
high
LenderCommitmentGroup_Smart.sol
high
LenderCommitmentGroup_Smart.sol#getCollateralRequiredForPrincipalAmount()
high
If `repayLoanCallback` address doesn't implement `repayLoanCallback` try/catch won't go into the catch and will revert the tx
high
Unchecked `transferFrom` value may lead to borrower falsy repaying loan
high
`LendderCommitmentGroup::_calculateCollateralTokensAmountEq` may be manipulated
high
LenderCommitmentGroup_Smart.sol#liquidateDefaultedLoanWithIncentive()
medium
User can easily DoS `FlashRolloverLoan_G5` for USDT loans
medium
__Ownable_init is missing in LenderCommitmentGroup_Smart and TellerV2
medium
TellerV2.sol#lenderAcceptBid()
medium
`FlashRolloverLoan_G5::_acceptCommitment` with `smartCommitmentAddress` uses wrong signature
medium
LenderCommitmentGroup_Smart.sol#_generateTokenNameAndSymbol()
medium
LenderCommitmentGroup_Smart.sol#__valueOfUnderlying()
high
Inability to perform partial liquidations allows huge positions to accrue bad debt in the system
high
Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine
high
Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply
high
User can get their Kerosene stuck because of an invalid check on withdraw
high
Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults
medium
`VaultManagerV2.sol::burnDyad` function is missing an `isDNftOwner` modifier, allowing a user to burn another user's minted DYAD
medium
Attacker can frontrun to prevent vaults from being removed from the dNFT owner's position
medium
No incentive to liquidate small positions could result in protocol going underwater
medium
Value of kerosene can be manipulated to force liquidate users
medium
Incorrect deployment / missing contract will break functionality
Mar '24
Feb '24
Jan '24
high
When `DecentBridgeExecutor.execute` fails, funds will be sent to a random address
high
Anyone can update the address of the Router in the DcntEth contract to any address they would like to set.
medium
DecentEthRouter.sol#_bridgeWithPayload() - Any refunded ETH (native token) will be refunded to the DecentBridgeAdapter, making them stuck
medium
Users can use the protocol freely without paying any fees by calling the `DecentEthRouter::bridgeWithPayload()` function directly.
high
Attack to make `CurveSubject` to be a `HoneyPot`
high
Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`
high
Unauthorized Access to setCurves Function
medium
A subject creator within a single block can claim holder fees without holding due to unprotected reentrancy path
medium
onBalanceChange causes previously unclaimed rewards to be cleared
medium
If a user sets their curve token symbol as the default one plus the next token counter instance it will render the whole default naming functionality obsolete
Dec '23
high
Looping over unbounded `pendingStakes` array can lead to permanent DoS and frozen funds
medium
Wrong Implementation of `LiquidationPool::empty` excludes holder with pending stakes when decreasing a position, resulting in exclusion from asset distribution
low
Removal of approved token from token manager can lead to unintended liquidation of vaults
medium
Once EntropyRateBps is set too high, can lead to denial-of-service (DoS) due to an invalid ETH amount
medium
Since art pieces' size is not limited, attacker may block AuctionHouse from creating and settling auctions
medium
MaxHeap.sol: Already extracted tokenId may be extracted again.
medium
It may be possible to DoS AuctionHouse by specifying malicious creators
Nov '23
Collaborative Audit • Sherlock • EgisSecurity
1.37 USDC • 1 total finding • Code4rena • nmirchev8
#31
Oct '23
medium
`emergencyPause` does not check the state before running && can cause loss of funds for users
medium
Invariant violation (funds could remain in the vault and a depositor could benefit from it)
medium
Emergency Closed Vault Can Be Paused Then Resume
low
Consider erasing cache after completing deposit/withdraw/rebalance/compound operations
Sep '23
Aug '23
high
The same signature can be used in different `distribution` implementation causing that the caller who owns the signature, can distribute on unauthorized implementations
medium
The `digest` calculation in `deployProxyAndDistributeBySignature` does not follow EIP-712 specification
low
Potential DOS due to Gas Exhaustion Due to Large Array Iteration in `_distribute` Function
low
Insufficient validation leads to locking up prize tokens forever
Jul '23
4.72 USDC • 6 total findings • CodeHawks • nmirchev8
#94
medium
Chainlink oracle will return the wrong price if the aggregator hits `minAnswer`
medium
All of the USD pair price feeds don't have 8 decimals
low
Improving the burnDsc() to allow users to mitigate their liquidation's impact
low
Zero address check for tokens
gas
`++i`/`i++` should be `unchecked{++i}`/`unchecked{i++}` when it is not possible for them to overflow, as is the case when used in `for`- and `while`-loops
gas
No amountCollateral > balance check