
nobody2018

Security Researcher

security researcher | discord ID: nobody2018#4605


High

53

Total

Medium

3

Solo

53

Total

$66.86K Total Earnings (#124 All Time)

45x Payouts

2x 2nd Places

2x 3rd Places

28x Top 10


Mar '24

vVv Vesting & Staking

380.82 USDC • Sherlock • nobody2018

#10

Jan '24

Olympus On-Chain Governance

139.35 USDC • 1 total finding • Sherlock • nobody2018

#7

medium

Nobody can cast for any proposal

Covalent

160.91 USDC • 1 total finding • Sherlock • nobody2018

#11

medium

setValidatorAddress may never be successfully executed in some cases

Flat Money

3,800.01 USDC • 8 total findings • Sherlock • nobody2018

bronze

high

LiquidationModule.liquidate updates global position data with stale price

high

The updatePythPrice modifier should add an empty array check

high

The owner of any position can close the position with the minimum tradeFee regardless of the additionalSize of the position

high

LimitOrder.cancelLimitOrder can be used to unlock position with LeverageClose order

high

LeverageModule.executeOpen doesn't apply Check-Effect-Interaction pattern

medium

Malicious users can obtain large amounts of FMP at a small cost

medium

In LeverageModule.executeOpen/executeAdjust, vault.checkSkewMax should be called after updating the global position data

medium

If the oracle from Pyth is down, OracleModule._getPrice will always revert

Decent

118.46 USDC • 1 total finding • Code4rena • nobody2018

#35

high

Anyone can update the address of the Router in the DcntEth contract to any address they would like to set.

LooksRare YOLO

17.38 USDC • 1 total finding • Sherlock • nobody2018

#7

high

round.deposits may have duplicate currentEntryIndex

Truflation

255.72 USDC • 1 total finding • Sherlock • nobody2018

#6

medium

VestingInfo.period causes the logic of the two functions to be inconsistent

SYMM IO

322.37 USDC • Sherlock • nobody2018

#6

Dec '23

Olympus RBS 2.0

4,031.66 USDC • 1 total finding • Sherlock • nobody2018

#4

high

When asset.useMovingAverage is true, _getCurrentPrice may get stale price in some cases

Oct '23

Badger eBTC Audit + Certora Formal Verification Competition

2,964.08 USDC • 1 total finding • Code4rena • nobody2018

#9

medium

When calling LeverageMacroBase.doOperation to open a CDP, the POST CALL CHECK may use the wrong cdpId

The Wildcat Protocol

29.96 USDC • 2 total findings • Code4rena • nobody2018

#52

high

Lenders can escape the blacklisting of their accounts because they can move their MarketTokens to different accounts and gain the WithdrawOnly Role on any account they want

high

Borrower can drain all funds of a sanctioned lender

Sep '23

Venus Prime

4.37 USDC • Code4rena • nobody2018

#39

Maia DAO - Ulysses

7,014.85 USDC • 5 total findings • Code4rena • nobody2018

bronze

high

All tokens can be stolen from `VirtualAccount` due to missing access modifier

medium

Incorrect flag results in _hasFallbackToggled always being set to false in createMultipleSettlement.

medium

If RootBridgeAgent.lzReceiveNonBlocking reverts internally, the native token sent by relayer to RootBridgeAgent is left in RootBridgeAgent

medium

BaseBranchRouter._transferAndApproveToken may revert in some cases

medium

When using BaseBranchRouter as a router on the 'Arbitrum' branch, we are unable to invoke the 'callOutAndBridge' function.

Allo V2

770.03 USDC • 7 total findings • Sherlock • nobody2018

#5

high

In DonationVotingMerkleDistributionBaseStrategy._registerRecipient, the status returned by _getUintRecipientStatus(recipientId) is always the status of the first recipient

high

allocator.voiceCredits is never accumulated throughout the QVSimpleStrategy._allocate flow

medium

Funds may be stuck in QVSimpleStrategy in some cases

medium

Allocator can significantly increase the number of votes of a certain recipient by calling Allo.allocate/batchAllocate multiple times

medium

The protocol cannot use transfer-on-fee token as pool.token

medium

RFPSimpleStrategy._distribute will revert in most cases

medium

If RFPSimpleStrategy wants to use the registry anchor, _registerRecipient will always revert

Centrifuge

870.1 USDC • 1 total finding • Code4rena • nobody2018

#15

medium

onlyCentrifugeChainOrigin() can't require msg.sender equal axelarGateway

Aug '23

Symmetrical Update

838.80 USDC • 1 total finding • Sherlock • nobody2018

#4

medium

PartyBFacetImpl.chargeFundingRate should check whether quoteIds is empty array to prevent partyANonces from being increased, causing some operations of partyA to fail

Chainlink Staking v0.2

2,992.97 USDC • Code4rena • nobody2018

#18

Dopex

17.47 USDC • 3 total findings • Code4rena • nobody2018

#110

high

The settle feature will be broken if an attacker arbitrarily transfers collateral tokens to the PerpetualAtlanticVaultLP

high

The peg stability module can be compromised by forcing lowerDepeg to revert.

high

Users can get immediate profit when deposit and redeem in `PerpetualAtlanticVaultLP`

Blueberry Update #3

604.81 USDC • 3 total findings • Sherlock • nobody2018

#5

medium

ConvexSpell/CurveSpell.openPositionFarm will revert in some cases

medium

IBalancerVault.exitPool lacks slippage protection in AuraSpell.closePositionFarm

medium

AuraSpell.openPositionFarm will revert in some cases

Arbitrum Security Council Election System

36.16 USDC • Code4rena • nobody2018

#20

Tangible Caviar

496.56 USDC • Code4rena • nobody2018

#25

Jul '23

Tokemak

2,618.70 USDC • 7 total findings • Sherlock • nobody2018

#9

high

All rewardTokens may be stuck in BalancerAuraDestinationVault/CurveConvexDestinationVault

high

LiquidationRow._performLiquidation should delegatecall IAsyncSwapper.swap

high

LMPVaultRouterBase.mint/deposit will make the user's weth be stolen in some cases

high

IncentivePricingStats.updatePricingInfo updates fast/slow filters with the wrong average price

high

LMPVault._withdraw may cause some idleIncrease to be ignored, causing _baseAsset to get stuck in LMPVault

medium

ConvexRewardsAdapter._claimRewards will revert in some cases

medium

When DestinationVault is at loss, LMPVault._withdraw may revert in some cases due to underflow

Axelar Network

11,945.25 USDC • 4 total findings • Code4rena • nobody2018

silver

high

ERC777 and similar token implementations allow stealing of funds when transferring tokens

high

`expressReceiveToken` can be abused using reentry

medium

Proposal requiring native coin transfers cannot be executed

medium

`TokenManager`'s flow limit logic is broken for `ERC777` tokens

Chainlink Cross-Chain Contract Administration: Multi-signature Contract, Timelock and Call Proxies

677.54 USDC • Code4rena • nobody2018

#5

Jun '23

Symmetrical

2,446.05 USDC • 7 total findings • Sherlock • nobody2018

#7

high

In specific case, PartyB that should not be liquidated is liquidated due to wrong allocation in AccountFacet.depositAndAllocateForPartyB

high

Malicious PartyA/PartyB can prevent themselves from being liquidated

medium

LiquidationFacetImpl.liquidatePartyB should call returnTradingFee to return the trading fee to PartyA when processing the quote whose status is LOCKED/CANCEL_PENDING

medium

When symbol manager modifies the tradingFee of a certain symbol via ControlFacet.setSymbolTradingFee, the value returned by LibQuote.returnTradingFee is not the original fee

medium

PartyBFacetImpl.lockQuote doesn't actually increment partyBNonces[partyB][partyA] by 1

medium

Quotes that have already been liquidated can be liquidated again in some cases

medium

PartyA can front-run PartyBFacetImpl.emergencyClosePosition to prevent PartyB from closing position

May '23

Chainlink Cross-Chain Services: CCIP and ARM Network

5,005.18 USDC • Code4rena • nobody2018

#9

Eco Protocol

565.83 USDC • 1 total finding • Sherlock • nobody2018

#4

high

l1Eco.notifyGenerationIncrease and L1ECOBridge.rebase should be called in the same tx

USSD - Autonomous Secure Dollar

270.72 USDC • 8 total findings • Sherlock • nobody2018

#6

high

StableOracleDAI/StableOracleWBGL.getPriceUSD will never succeed due to wrong DAIEthOracle/staticOracleUniV3

high

StableOracleDAI.getPriceUSD incorrectly uses the price returned by priceFeedDAIETH.latestRoundData()

high

USSDRebalancer.SellUSSDBuyCollateral will revert in certain case

high

USSD.UniV3SwapInput executes uniRouter.exactInput without slippage protection

high

Attacker can manipulate the return value of USSDRebalancer.getOwnValuation for profit

high

USSD.mintRebalancer/burnRebalancer lacks onlyBalancer modifier

high

Malicious user transfers USSD or DAI to uniPool to affect the return value of USSDRebalancer.getSupplyProportion

medium

StableOracleDAI/StableOracleWETH/StableOracleWBTC.getPriceUSD may use a stale price

DODO Margin Trading

75.64 USDC • 1 total finding • Sherlock • nobody2018

#8

high

Attacker can steal all erc20 in MarginTrading

Blueberry Update #2

5,240.80 USDC • 2 total findings • Sherlock • nobody2018

silver

high

Anyone can take away the reward tokens left by users when updating position via ConvexSpell#openPositionFarm

medium

BalancerPairOracle#getPrice will revert due to division by zero in some cases

Ajna Protocol

2,817.83 USDC • 3 total findings • Code4rena • nobody2018

#4

high

Delegation rewards are not counted toward granting fund

high

PositionManager's moveLiquidity can set wrong deposit time and permanently freeze LP funds moved

medium

StandardFunding.fundingVote should not allow users who didn't vote in screening stage to vote

Apr '23

Blueberry Update

277.29 USDC • 4 total findings • Sherlock • nobody2018

#10

high

spell#closePositionFarm executes swapExactTokensForTokens without slippage protection

medium

Liquidation will fail in certain scenario

medium

CurveSpell#openPositionFarm will always revert

medium

AuraSpell#openPositionFarm will not succeed for new users

JOJO Exchange

185.38 USDC • 1 total finding • Sherlock • nobody2018

#37

medium

Subaccount#execute lacks payable

Splits

403.54 USDC • 1 total finding • Sherlock • nobody2018

#7

medium

If the contract that calls SwapperImpl.flash uses verifyCallback in the SwapperCallbackValidation library to verify msg.sender, it will cause a heavy funds loss

ENS Contest

2,361.87 USDC • 2 total findings • Code4rena • nobody2018

#8

medium

Unintentionally register a non-relevant DSN name owner

medium

Incorrect implementation of RecordParser.readKeyValue()

Teller

299.20 USDC • 3 total findings • Sherlock • nobody2018

#21

high

CollateralManager.commitCollateral can not only block the lender from accepting any loan bids, but also make all collateral of all loans stuck in the contract forever

medium

updateCommitmentBorrowers does not delete all existing users

medium

If the collateral is a fee-on-transfer token, repayment will be blocked

Frankencoin

264.53 USDC • 4 total findings • Code4rena • nobody2018

#29

high

CHALLENGER_REWARD can be used to drain reserves and free mint

high

Challenges can be frontrun with de-leveraging to cause losses for challengers

medium

POSITION LIMIT COULD BE FULLY REDUCED TO ZERO BY CLONES

medium

function `restructureCapTable()` in Equity.sol not functioning as expected

Caviar Private Pools

26.76 USDC • 1 total finding • Code4rena • nobody2018

#62

high

PrivatePool owner can steal all ERC20 and NFT from user via arbitrary execution

Rubicon v2

564.4 USDC • 5 total findings • Code4rena • nobody2018

#25

high

RubiconMarket batchOffer and batchRequote make offers as self; complete loss of funds for some types of tokens, for example WETH

high

Reward accounting is incorrect in BathBuddy contract

high

An attacker can steal all tokens of users that use `FeeWrapper`

medium

Fee inclusivity calculations are inaccurate in RubiconMarket

medium

Both buyAllAmountWithLeverage and sellAllAmountWithLeverage always revert

Mar '23

Gitcoin

491.53 USDC • Sherlock • nobody2018

#6

Y2K

2,294.73 USDC • 6 total findings • Sherlock • nobody2018

#6

high

relayer can never successfully execute mintDepositInQueue and mintRollovers due to ERC1155's _doSafeTransferAcceptanceCheck

high

Due to rolloverQueue.pop(), mintRollovers may skip some users' QueueItem

high

If users won the epoch they are rolling over, mintRollovers will cause these users to lose funds

medium

triggerDepeg and triggerEndEpoch will revert when the treasury of ControllerPeggedAssetV2 is different from the treasury of the new VaultV2

medium

Malicious user can make rolloverQueue never get processed

medium

ChangeTreasury does not correctly set the new treasury address and does not remove the old treasury address from whitelist

Neo Tokyo contest

154.74 USDC • 1 total finding • Code4rena • nobody2018

#18

high

Underflow of `lpPosition.points` during withdrawLP causes huge reward minting

Taurus

30.89 USDC • 1 total finding • Sherlock • nobody2018

#12

medium

The currentMinted of vault will not decrease when the user repays TAU

Feb '23

Derby

1,535.43 USDC • 5 total findings • Sherlock • nobody2018

#8

high

Attacker uses flashloan for arbitrage resulting in user interest loss

high

Attacker can prevent the system from entering step 5 during the rebalancing period

medium

User fund loss when rebalancingPeriod is not initialized

medium

Game users may lose this round of rewards if they call rebalanceBasket before the end of step 8

medium

At step 5 attacker can prevent xChainController from sending funds to vaults

OlympusDAO

444.62 USDC • 2 total findings • Sherlock • nobody2018

#17

high

User can still get the same rewards after withdraw

high

User's rewards will be locked for a period of time