
obront

Security Researcher

bug huntooor

High: 10 Solo, 69 Total

Medium: 21 Solo, 109 Total

$885.00K Total Earnings (#7 All Time)

36x Payouts

11x 1st Places (gold)

6x 2nd Places (silver)

1x 3rd Places (bronze)

Dec '24

story-protocol

134,034.26 USDC • 15 total findings • Cantina • zobront

gold

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Sep '24

Thanos L2 Native Token Bridge

23,500 USDC • 1 total finding • Sherlock • obront

gold

high

L1 contract can evade aliasing, spoofing unowned L2 address

Mar '24

Optimism Fault Proofs

14,869.48 USDC • 2 total findings • Sherlock • obront

#4

medium

Incorrect game type can be proven and finalized due to unsafe cast

medium

Fault game factory can be manipulated to DOS game type using malicious `l2BlockNumber`

Feb '24

curvance

37,711.42 USDC • 26 total findings • Cantina • zobront

silver

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Jan '24

Blast

201,484.57 USDC • 14 total findings • Cantina • zobront

gold

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Sep '23

Vyper - Compiler

48,738.37 USDC • 14 total findings • CodeHawks • obront

silver

high

integer overflow in slice()

medium

Contract interfaces allow nonpayable implementations of payable functions

medium

Slice bounds check can be overflowed to access unrelated data

medium

External calls can overflow return data to return input buffer

low

Builtins that access literal lists cannot be compiled

low

Tuple constants are deleted during folding, breaking compilation

low

Gas cost estimates incorrect due to rounding in `calc_mem_gas()`

low

Incorrect gas estimate for BALANCE opcode

low

SHA256 built-in will return input value on chains without SHA256 precompile

low

Fang optimization options broken

low

`_bytes_to_num()` skips `ensure_in_memory()` check, which can lead to compilation failure

low

Built-in `shift()` function will fail if passed a negative integer at compile time

low

Compiled opcodes will return wrong values for PUSH instructions due to incorrect padding

low

Wrong denominations included in reserved keywords

Apr '23

Splits

16,587.77 USDC • 5 total findings • Sherlock • obront

gold

medium

Oracle tick rounding the wrong direction can lead to Swapper overpaying for swap

medium

Tokens without UniV3 pairs with `tokenToBeneficiary` can be stolen by an attacker

medium

WalletImpl cannot receive NFTs as intended

medium

Swapper mechanism cannot incentivize ETH-WETH swaps without risking owner funds

medium

SwapperCallbackValidation doesn't do anything, opens up users to having contracts drained

Mar '23

Optimism Update

75,228.64 USDC • 2 total findings • Sherlock • obront

silver

high

All migrated withdrawals that require more than 135,175 gas may be bricked

medium

CrossDomainMessenger does not successfully guarantee replayability, can lose user funds

Feb '23

Hats

17,127.58 USDC • 15 total findings • Sherlock • obront

gold

high

Unlinked tophat retains linkedTreeRequests, can be rugged

high

Safe can be bricked because threshold is updated with validSignerCount instead of newThreshold

high

Signers can bypass checks to add new modules to a safe by abusing reentrancy

high

If another module adds a module, the safe will be bricked

high

Other module can add owners to safe that push us above maxSigners, bricking safe

high

Signers can brick safe by adding unlimited additional signers while avoiding checks

high

Signers can bypass checks and change threshold within a transaction

medium

Owners of linked tophats cannot have eligibility revoked

medium

Changing hat toggle address can lead to unexpected changes in status

medium

targetThreshold can be set below minThreshold, violating important invariant

medium

Swap Signer fails if final owner is invalid due to off by one error in loop

medium

If a hat is owned by address(0), phony signatures will be accepted by the safe

medium

If signer gate is deployed to safe with more than 5 existing modules, safe will be bricked

medium

Safe threshold can be set above target threshold, causing transactions to revert

medium

Can get around hats per level constraints using phantom levels

Blueberry

29,535.81 USDC • 13 total findings • Sherlock • obront

gold

high

Users can be liquidated prematurely because calculation understates value of underlying position

high

Liquidator can take all collateral and underlying tokens for a fraction of the correct price

high

Users can get around MaxLTV because of lack of strategyId validation

high

LP tokens are not sent back to withdrawing user

high

IchiLPOracle does not use correct LP Pricing, vulnerable to flash loan attack

high

Users who deposit extra funds into their Ichi farming positions will lose all their ICHI rewards

medium

Check for stale data before trusting Chainlink's response

medium

Withdrawals from IchiVaultSpell have no slippage protection so can be frontrun, stealing all user funds

medium

HardVault never deposits assets to Compound

medium

LP tokens cannot be valued because ICHI cannot be priced by oracle, causing all new open positions to revert

medium

Complete debt size is not paid off for fee on transfer tokens, but users aren't warned

medium

totalLend isn't updated on liquidation, leading to permanently inflated value

medium

If a token's oracle goes down or price falls to zero, liquidations will be frozen

Jan '23

Optimism

218,139.70 USDC • 5 total findings • Sherlock • obront

gold

high

Malicious user can finalize other’s withdrawal with less than specified gas limit, leading to loss of funds

high

Withdrawals with high gas limits can be bricked by a malicious user, permanently locking funds

medium

Migration can be bricked by sending a message directly to the LegacyMessagePasser

medium

Censorship resistance is undermined and bridging of assets can be DOSed at low cost

medium

Batcher frames are incorrectly decoded leading to consensus split

Sentiment Update #3

8,285.71 USDC • 3 total findings • Sherlock • obront

gold

medium

GMX RewardRouterV2 allows redeeming to a different address, leading to incorrect tokensIn

medium

GMX RewardRouter's compound() function does not return WETH

medium

Using one controller for two addresses could risk signature collisions

Astaria contest

8,257.11 USDC • 15 total findings • Code4rena • obront

gold

high

Attacker can take loan for Victim

high

Anyone can wipe complete state of any collateral at any point

high

Borrower can use liquidationInitialAsk to block future borrowers

high

Buying out corrupts the slope of a vault, reducing rewards of LPs

high

Vault may be drained after a liquidated NFT was claimed by the liquidator

high

ERC4626Cloned deposit and mint logic differ on first deposit

high

Deadlock in vaults with underlying token with less than 18 decimals

medium

Users can liquidate themselves before others, allowing them to take 13% above their borrowers

medium

Users are forced to approve Router for full collection to use commitToLiens() function

medium

Position not deleted after debt paid.

medium

WithdrawProxy allows redeem() to be called before withdraw reserves are transferred in

medium

Overflow potential in processEpoch()

medium

minDepositAmount is unnecessarily high, can price out many users

medium

Processing an epoch must be done in a timely manner, but can be halted by non liquidated expired liens

medium

Lack of support for fee-on-transfer token

Dec '22

Forgeries contest

64.93 USDC • 1 total finding • Code4rena • obront

#20

high

Admin does not have to wait to call `lastResortTimelockOwnerClaimNFT()`

Caviar contest

330.05 USDC • 2 total findings • Code4rena • obront

#20

high

Liquidity providers may lose funds when adding liquidity

medium

Price will not always be 18 decimals, as expected and outlined in the comments

Rain

709.40 USDC • Sherlock • obront

#5

Findings not publicly available for private contests.

prePO contest

96.82 USDC • 1 total finding • Code4rena • obront

#27

medium

Manager can get around min reserves check, draining all funds from Collateral.sol

Escher contest

380.74 USDC • 5 total findings • Code4rena • obront

#16

high

`LPDA` price can underflow the price due to bad settings and potentially brick the contract

medium

ETH will get stuck if all NFTs do not get sold.

medium

Unsafe downcasting operation truncates user's input

medium

Escher721 contract does not have setTokenRoyalty function

medium

Use of `payable.transfer()` Might Render ETH Impossible to Withdraw

NounsDAO

114.65 USDC • 1 total finding • Sherlock • obront

#6

medium

Payer cannot withdraw accidental extra funds sent to the contract without canceling

Nov '22

Bull v Bear

39.76 USDC • 1 total finding • Sherlock • obront

#15

medium

Bulls that are unable to receive NFTs will not be able to claim them later

Bond Protocol

10,695.08 USDC • 2 total findings • Sherlock • obront

silver

high

Fixed Term Teller tokens can be created with an expiry in the past

medium

Fixed Term Bond tokens can be minted with non-rounded expiry

Float Capital

6,561.67 USDC • 1 total finding • Sherlock • obront

silver

medium

Funding Rate calculation is not correct

Sentiment Update

10,785.71 USDC • 5 total findings • Sherlock • obront

gold

high

Non terminal tokens received via Balancer batchSwap are not accounted for

medium

Curve LP staking allows adding false tokensIn to account by setting _claim_rewards to false

medium

Curve LP Controller withdraw and claim function uses wrong signature

medium

No check for active Arbitrum Sequencer in WSTETH Oracle

medium

User can trade away an asset using Balancer batchSwap without removing it from account

Oct '22

Astaria

10,311.40 USDC • 20 total findings • Sherlock • obront

silver

high

isValidRefinance will approve invalid refinances and reject valid refinances due to buggy math

high

isValidRefinance checks both conditions instead of one, leading to rejection of valid refinances

high

Liens do not reset payee after buyout

high

Payments made for all liens on a collateral token will only pay the first lien

high

_deleteLienPosition() function is public

high

liquidationAccountant can be claimed at any time

high

liquidationAccountant can be claimed multiple times, losing a portion of all vault holders' funds

high

Claiming liquidationAccountant will reduce vault y-intercept by more than the correct amount

high

Strategists are paid 10x the vault fee because of a math error

high

Auctions can end in epoch after intended, underpaying withdrawers

high

Any public vault without a delegate can be drained

high

nlrType type is not signed by strategist, which could allow fraudulent behavior as new types are added

high

maxPotentialDebt can be exceeded due to faulty calculation

medium

createAuction sets firstBidTime as time of creation rather than first bid

medium

Bids cannot be created within timeBuffer of completion of a max duration auction

medium

Vault Fee uses incorrect offset leading to wildly incorrect value, allowing strategists to steal all funds

medium

_getInterest() function uses block.timestamp instead of the inputted timestamp

medium

_payment() function transfers full paymentAmount, overpaying first liens

medium

timeToEpochEnd calculates backwards, breaking protocol math

medium

_validateCommitment fails for approved operators

NFTPort

3,196.90 USDC • 3 total findings • Sherlock • obront

gold

medium

Operators can get signed data once and bypass SDK fees for calls

medium

Missing check for equal length arrays in transferByOwnerBatch and mintByOwnerBatch

medium

Deployer can set royalties to greater than 100%

Union Finance

1,247.19 USDC • 2 total findings • Sherlock • obront

#8

medium

getUserInfo() returns incorrect values for locked and stakedAmount

medium

cancelVouch breaks voucher and vouchee index tracking, creating opportunity for user theft

Blur Exchange contest

114.82 USDC • 1 total finding • Code4rena • obront

#20

high

StandardPolicyERC1155.sol returns amount == 1 instead of amount == order.amount

Sep '22

Frax Ether Liquid Staking contest

28.01 USDC • Code4rena • obront

#69

VTVL contest

270.52 USDC • 3 total findings • Code4rena • obront

#23

high

Loss of vested amounts

medium

Not able to create claim

medium

Supply cap of VariableSupplyERC20Token is not properly enforced

Art Gobblers contest

525.56 USDC • 1 total finding • Code4rena • obront

#17

medium

The reveal process could brick if `randProvider` stops working

Aug '22

Sentiment

5,238.50 USDC • 6 total findings • Sherlock • obront

bronze

high

First depositor into each LToken can break share calculation and steal funds

medium

Uniswap contract added to controller doesn't match with function signatures

medium

Chainlink oracle price data could be stale

medium

LTokens will not work with fee-on-transfer tokens

medium

Missing revert keyword

medium

Users can avert liquidation by getting blacklisted in USDC or USDT

Rigor Protocol contest

194.9 USDC • 1 total finding • Code4rena • obront

#33

medium

A project with no total budget should not be submittable; at least one task with cost > 0 is required

Jul '22

Golom contest

291.35 USDC • Code4rena • obront

#40

Jun '22

Infinity NFT Marketplace contest

11.08 USDC • 1 total finding • Code4rena • obront

#80

high

Accumulated ETH fees of InfinityExchange cannot be retrieved

Apr '22

Backed Protocol contest

32.93 USDC • Code4rena • obront

#37

Mar '22

LI.FI contest

253.1 USDC • 1 total finding • Code4rena • obront

#35

medium

Anyone can get swaps for free given certain conditions in `swap`.