
nmirchev8

Security Researcher

Elite smart contract security researcher, part of the two-person team Egis Security. Experience auditing EVM, SVM, Cairo and Cosmos SDK.

Findings: High: 2 solo / 42 total • Medium: 2 solo / 71 total

Total earnings: $142.01K (#66 all time) • Payouts: 40x

Placements: 1st place (gold): 8x • 2nd place (silver): 1x • 3rd place (bronze): 3x


Jul '25

Allbridge Core Yield
6,199.73 USDC • 2 total findings • Sherlock • EgisSecurity • 1st place (gold)
- [Medium] PortfolioToken::deposit is vulnerable to reverse LP sandwich attacks
- [Medium] First depositor can inflate the real amounts

Jun '25

DODO Cross-Chain DEX
13,140.59 USDC • 10 total findings • Sherlock • EgisSecurity • Rank #8
- [High] Users can steal funds meant for refunds through `_doMixSwap`
- [High] Users can steal funds meant for refunds using a `decoded.targetZRC20`
- [High] Anyone can steal a refund from Solana
- [Medium] Zeta Chain contracts don't check the source sender, which results in compromised instructions
- [Medium] `GatewayTransferNative::onCall` doesn't decrease `amount` when the platform fee is deducted
- [Medium] Revert transaction from BTC will refund funds to a random address
- [Medium] `AccountEncoder::decompressAccounts` does not decode `isWritable` correctly
- [Medium] GatewayTransferNative::withdraw - The function is public and can be called by anyone
- [Medium] `_existsPairPool` has a flawed design, which allows an attacker to control
- [Medium] `_swapAndSendERC20Tokens` has no slippage protection

Feb '25

Stealth
37,000 USDC • Sherlock • EgisSecurity • 1st place (gold)
Findings not publicly available for private contests.

Dec '24

Autonomint Colored Dollar V1
95.75 OP • 4 total findings • Sherlock • EgisSecurity • Rank #23
- [High] borrowing::liquidate - `lastEventTime` isn't updated after `calculateCumulativeRate` is called
- [High] `GlobalVariables` may be compromised if there are concurrent in-flight messages
- [Medium] borrowing::depositTokens - `calculateCumulativeRate` is called after the borrower has been added
- [Medium] borrowing::_withdraw - `lastEventTime` is updated before calling `calculateCumulativeRate`

Nov '24

MANTRA DEX
898.2 USDC • 6 total findings • Code4rena • Egis_Security • Rank #12
- [High] Attackers can force the rewards to be stuck in the contract with malicious `x/tokenfactory` denoms
- [High] Logical error in `validate_fees_are_paid` can cause a DoS or allow users to bypass fees if `denom_creation_fee` includes multiple coins including `pool_creation_fee` and the user attempts to pay all fees using only `pool_creation_fee`
- [Medium] When a user single-side deposits into a pool, slippage protection is invalid
- [Medium] `withdraw_liquidity` lacks slippage protection
- [Medium] Single-sided liquidity can't be used to lock LP tokens in the farm manager
- [Medium] Penalty fees can be shared among future or expired farms, risking exploits

MANTRA Chain
1,890.14 USDC • 3 total findings • Code4rena • Egis_Security • Rank #5
- [High] Unspent gas fees are always refunded to the `FeePayer()`, which leads to incorrect refunds if the `FeeGranter()` paid for the fees
- [High] Potentially sensitive issue - disclosed privately
- [Medium] `xfeemarket` module is not wired up, resulting in non-working CLI commands, message server and genesis export

Concrete
76.17 USDC • Code4rena • Egis_Security • Rank #68

Aug '24

ZeroLend One
12.11 USDC • 1 total finding • Sherlock • EgisSecurity • Rank #43
- [Medium] Positions using assets with a large heartbeat may accrue bad debt

Sentiment V2
1,153.21 USDC • 9 total findings • Sherlock • EgisSecurity • Rank #10
- [High] Exploiter can always bypass `LIQUIDATION_DISCOUNT` and always seize all collateral
- [Medium] Exploiter can force a user into an unhealthy condition and liquidate them
- [Medium] SuperPoolFactory
- [Medium] Under certain circumstances bad debt will cause the first depositor to lose funds
- [Medium] Pool::liquidate()
- [Medium] `SuperPool` has a `togglePause` function but lacks the `whenNotPaused` modifier
- [Medium] Liquidators won't have an incentive to repay positions under some conditions
- [Medium] `SuperPool#convertToShares` violates ERC4626
- [Medium] User can grief `SuperPool#reallocate` for USDT because it doesn't use `forceApprove`

Jul '24

Basin
19,171.68 USDC • 3 total findings • Code4rena • Egis_Security • 1st place (gold)
- [High] `WellUpgradeable` can be upgraded by anyone
- [Medium] Stable2LUT1::getRatiosFromPriceLiquidity - In extreme cases, `updateReserve` will start breaking
- [Medium] For extreme ratios, getRatiosFromPriceSwap will return data from which it is impossible to converge to a reserve

CCIP v1.5
12,254.76 USDC • CodeHawks • EgisSecurity • 2nd place (silver)

Jun '24

Palmera
1,600 USDC • 2 total findings • Hats • EgisSecurity • 3rd place (bronze)
- [High] Malicious users can front-run host users' safe management actions and add those safes as root for the wrong org
- [Medium] Safe owner(s) can prevent being removed from an organization by indefinitely increasing their child array

Inverter Network
16,200 UMA • Hats • nmirchev8 • 1st place (gold)

May '24

Sophon Farming Contracts
2,985.94 USDC • 3 total findings • Sherlock • EgisSecurity • 1st place (gold)
- [High] In many cases `stEth::transferFrom` will transfer 1-2 wei less, which results in reverts in subsequent functions because of insufficient balance
- [High] Loss of funds when the deposit flow uses `_ethTOeEth`, because the deposit amount is not handled correctly
- [Medium] SophonFarming.sol

Gamma - Locked Staking Contract
133.81 USDC • 1 total finding • Sherlock • EgisSecurity • 3rd place (bronze)
- [Medium] Malicious actor can use block stuffing to force a staker into another cycle

Sablier
11,001.90 USDC • 4 total findings • CodeHawks • EgisSecurity • 1st place (gold)
- [Medium] Insufficient input validation on `SablierV2NFTDescriptor::safeAssetSymbol` allows an attacker to obtain stored XSS
- [Medium] The overflow in the `_calculateStreamedAmount` function can lead to unexpected results
- [Medium] `SablierV2Lockup.sol` - The caller of withdraw and renounce can skip callbacks by sending less gas
- [Medium] Use of the CREATE method is susceptible to reorg attacks

Convergence - Convex integration
4,500 USDC • 2 total findings • Hats • nmirchev8 • 1st place (gold)
- [Medium] User loses StakeDao rewards if they miss calling `claimCvgCvxRewards` for a cycle
- [Low] `CvxConvergenceLocker::sentTokens` doesn't protect from newly added reward tokens

Apr '24

Teller Finance
3,871.54 USDC • 16 total findings • Sherlock • EgisSecurity • 1st place (gold)
- [High] `LenderCommitmentGroup_Smart.sol::burnSharesToWithdrawEarnings` steals previous depositors' funds
- [High] TellerV2.sol
- [High] LenderCommitmentGroup_Smart.sol#liquidateDefaultedLoanWithIncentive()
- [High] LenderCommitmentGroup_Smart.sol
- [High] LenderCommitmentGroup_Smart.sol
- [High] LenderCommitmentGroup_Smart.sol#getCollateralRequiredForPrincipalAmount()
- [High] If the `repayLoanCallback` address doesn't implement `repayLoanCallback`, the try/catch won't go into the catch block and will revert the tx
- [High] Unchecked `transferFrom` value may lead to a borrower falsely repaying a loan
- [High] `LenderCommitmentGroup::_calculateCollateralTokensAmountEq` may be manipulated
- [High] LenderCommitmentGroup_Smart.sol#liquidateDefaultedLoanWithIncentive()
- [Medium] User can easily DoS `FlashRolloverLoan_G5` for USDT loans
- [Medium] __Ownable_init is missing in LenderCommitmentGroup_Smart and TellerV2
- [Medium] TellerV2.sol#lenderAcceptBid()
- [Medium] `FlashRolloverLoan_G5::_acceptCommitment` with `smartCommitmentAddress` uses the wrong signature
- [Medium] LenderCommitmentGroup_Smart.sol#_generateTokenNameAndSymbol()
- [Medium] LenderCommitmentGroup_Smart.sol#__valueOfUnderlying()

DYAD
485.93 USDC • 10 total findings • Code4rena • Egis_Security • Rank #20
- [High] Inability to perform partial liquidations allows huge positions to accrue bad debt in the system
- [High] Design flaw and mismanagement in vault licensing leads to double counting in collateral ratios and positions collateralized entirely with kerosine
- [High] Users can get their Kerosene stuck until TVL becomes greater than Dyad's supply
- [High] User can get their Kerosene stuck because of an invalid check on withdraw
- [High] Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults
- [Medium] `VaultManagerV2.sol::burnDyad` function is missing an `isDNftOwner` modifier, allowing a user to burn another user's minted DYAD
- [Medium] Attacker can front-run to prevent vaults from being removed from the dNFT owner's position
- [Medium] No incentive to liquidate small positions could result in the protocol going underwater
- [Medium] Value of kerosene can be manipulated to force-liquidate users
- [Medium] Incorrect deployment / missing contract will break functionality

Mar '24

Revert Lend
20.67 USDC • 2 total findings • Code4rena • nmirchev8 • Rank #66
- [High] Owner of a position can prevent liquidation due to the 'onERC721Received' callback
- [Medium] Repayments and liquidations can be forced to revert by an attacker that repays a minuscule amount of shares

Feb '24

Spectra
26.86 USDC • 1 total finding • Code4rena • nmirchev8 • Rank #21
- [Medium] PrincipalToken is not ERC-5095 compliant

Jan '24

MorpheusAI
1,903.49 USDC • 1 total finding • CodeHawks • nmirchev8 • Rank #6
- [High] All claimed rewards will be lost for users using an account abstraction wallet

Decent
660.44 USDC • 4 total findings • Code4rena • nmirchev8 • Rank #14
- [High] When `DecentBridgeExecutor.execute` fails, funds will be sent to a random address
- [High] Anyone can update the address of the Router in the DcntEth contract to any address they would like to set
- [Medium] DecentEthRouter.sol#_bridgeWithPayload() - Any refunded ETH (native token) will be refunded to the DecentBridgeAdapter, making it stuck
- [Medium] Users can use the protocol freely without paying any fees by calling the `DecentEthRouter::bridgeWithPayload()` function directly

Opus
2,116.86 USDC • Code4rena • nmirchev8 • Rank #9

Curves
192.09 USDC • 6 total findings • Code4rena • nmirchev8 • Rank #23
- [High] Attack to make `CurveSubject` a `HoneyPot`
- [High] Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`
- [High] Unauthorized access to the setCurves function
- [Medium] A subject creator within a single block can claim holder fees without holding due to an unprotected reentrancy path
- [Medium] onBalanceChange causes previously unclaimed rewards to be cleared
- [Medium] If a user sets their curve token symbol as the default one plus the next token counter instance, it will render the whole default naming functionality obsolete

Dec '23

The Standard
19.50 USDC • 3 total findings • CodeHawks • nmirchev8 • Rank #57
- [High] Looping over unbounded `pendingStakes` array can lead to permanent DoS and frozen funds
- [Medium] Wrong implementation of `LiquidationPool::empty` excludes holders with pending stakes when decreasing a position, resulting in exclusion from asset distribution
- [Low] Removal of an approved token from the token manager can lead to unintended liquidation of vaults

Footium Update
4.59 USDC • Sherlock • nmirchev8 • Rank #32

Revolution Protocol
453.2 USDC • 4 total findings • Code4rena • nmirchev8 • Rank #17
- [Medium] Once EntropyRateBps is set too high, it can lead to denial-of-service (DoS) due to an invalid ETH amount
- [Medium] Since art piece size is not limited, an attacker may block AuctionHouse from creating and settling auctions
- [Medium] MaxHeap.sol: Already extracted tokenId may be extracted again
- [Medium] It may be possible to DoS AuctionHouse by specifying malicious creators

Nov '23

Wasabi-Solana
Collaborative Audit • Sherlock • EgisSecurity

Canto Application Specific Dollars and Bonding Curves for 1155s
1.37 USDC • 1 total finding • Code4rena • nmirchev8 • Rank #31
- [Medium] No slippage protection for Market functions

Kelp DAO | rsETH
76.02 USDC • 1 total finding • Code4rena • nmirchev8 • Rank #42
- [Medium] Update in strategy will cause wrong issuance of shares

Oct '23

NextGen
1.38 USDC • 1 total finding • Code4rena • nmirchev8 • Rank #106
- [High] Adversary can block `claimAuction()` due to the push strategy used to transfer assets to multiple bidders

Steadefi
463.98 USDC • 4 total findings • CodeHawks • nmirchev8 • Rank #14
- [Medium] `emergencyPause` does not check the state before running and can cause loss of funds for users
- [Medium] Invariant violation (funds could remain in the vault and a depositor could benefit from it)
- [Medium] Emergency-closed vault can be paused then resumed
- [Low] Consider erasing the cache after completing deposit/withdraw/rebalance/compound operations

Open Dollar
2,356.66 USDC • 3 total findings • Code4rena • nmirchev8 • Rank #5
- [Medium] Collateral could be transferred to an address which is not a `SAFEHandler` managed by the `SAFEManager`
- [Medium] Updating the `SafeManager` address in the `Vault721` will disable NFV minting
- [Medium] `ODSafeManager#allowSAFE()` cannot be executed either by the proxy contract or any other address

ENS
5.43 USDC • Code4rena • nmirchev8 • Rank #20

Sep '23

Maia DAO - Ulysses
25.68 USDC • Code4rena • nmirchev8 • Rank #55

Centrifuge
132.86 USDC • 1 total finding • Code4rena • nmirchev8 • Rank #28
- [Medium] Cached `DOMAIN_SEPARATOR` is incorrect for tranche tokens, potentially breaking permit integrations

Aug '23

Cooler Update
26.24 USDC • 2 total findings • Sherlock • nmirchev8 • Rank #16
- [High] Malicious lender could DoS repay functionality and always default loans
- [Medium] Borrower has no choice whether to roll a loan; the lender could propose an extremely large interest rate, which will benefit the lender

Sparkn
845.64 USDC • 4 total findings • CodeHawks • nmirchev8 • 3rd place (bronze)
- [High] The same signature can be used in different `distribution` implementations, so the caller who owns the signature can distribute on unauthorized implementations
- [Medium] The `digest` calculation in `deployProxyAndDistributeBySignature` does not follow the EIP-712 specification
- [Low] Potential DoS due to gas exhaustion from large array iteration in the `_distribute` function
- [Low] Insufficient validation leads to locking up prize tokens forever

Jul '23

Beedle - Oracle free perpetual lending
5.05 USDC • 4 total findings • CodeHawks • nmirchev8 • Rank #169
- [High] Tokens with less than 18 decimals allow for draining of funds
- [High] Using forged/fake lending pools to steal any loan open for auction
- [Low] Missing event emissions
- [Gas] Unchecked arithmetic where overflow/underflow is impossible

Foundry DeFi Stablecoin CodeHawks Audit Contest
4.72 USDC • 6 total findings • CodeHawks • nmirchev8 • Rank #94
- [Medium] Chainlink oracle will return the wrong price if the aggregator hits `minAnswer`
- [Medium] The USD pair price feeds don't all have 8 decimals
- [Low] Improve burnDsc() to allow users to mitigate the impact of their liquidation
- [Low] Zero address check for tokens
- [Gas] `++i`/`i++` should be `unchecked{++i}`/`unchecked{i++}` when it is not possible for them to overflow, as is the case when used in `for`- and `while`-loops
- [Gas] No amountCollateral > balance check