
oot2k

Security Researcher

Judging and Auditing on sherlock


High: 8 total

Medium: 5 solo, 23 total

Total Earnings: $65.04K

#131 All Time

Payouts: 18x

1st Places (gold): 5x

2nd Places (silver): 1x

3rd Places (bronze): 1x


May '25

MetaLend - May 19th 2025


Collaborative Audit • Sherlock • oot2k

Apr '25

Lazy Bear


Collaborative Audit • Sherlock • oot2k

40acres Finance - Optimized Rewards


Collaborative Audit • Sherlock • oot2k

1inch - Fee Flow Audit


Collaborative Audit • Sherlock • oot2k

Mar '25

40acres Finance veLending


Collaborative Audit • Sherlock • oot2k

DODO Aerodrome


Collaborative Audit • Sherlock • oot2k

Symmio, Staking and Vesting


8.89 USDC • 1 total finding • Sherlock • oot2k

#17

medium

User is blocked from providing liquidity in case he has more than half of his tokens unlocked

Feb '25

MetaLend Ronin Lending Protocol


Collaborative Audit • Sherlock • oot2k

Nov '24

vVv Launchpad - Investments & Token distribution


94.59 USDC • 1 total finding • Sherlock • oot2k

gold

high

Attacker can front run VVVVCTokenDistributor's Claim function

Oct '24

Covalent - EWM Light Client


6,682.79 USDC • Sherlock • PUSH0

gold

Findings not publicly available for private contests.

predict.fun lending market


9,828.83 USDC • 2 total findings • Sherlock • PUSH0

gold

medium

Collateral can already be seized even when negRiskMarket is not fully resolved

medium

Lender can deny a repayment by getting themselves on the USDC blacklist

Aug '24

Perennial V2 Update #3


359.48 USDC • 1 total finding • Sherlock • oot2k

#7

high

Missing onlyOwner modifier on updateExtension

Jul '24

MagicSea - the native DEX on the IotaEVM


16,200.97 USDC • 8 total findings • Sherlock • PUSH0

#6

high

Wrong call order for `setTopPoolIdsWithWeights`, resulting in wrong distribution of rewards

high

Bribe rewards are lost if a pool receives no votes during an epoch

high

Unlocked positions can still vote

medium

Bribes can be denied by filling up a farm with fake bribes until `MAX_BRIBES_PER_POOL` limit

medium

Incorrect access control for `_requireOnlyOperatorOrOwnerOf()`. Anyone can call `MlumStaking.addToPosition()` for other users, with various impacts.

medium

Users can artificially create a voting ballot with 2 weeks `lockDuration`, effectively bypassing the 3-month limit

medium

Down Rebasing Tokens will cause bankrun in MlumStaking and MasterChefV2

medium

New staking positions still get the full reward amount as with old stakings, diluting rewards for old stakers

May '24

Terrace


9,404.87 USDC • Sherlock • PUSH0

gold

Findings not publicly available for private contests.

Apr '24

Arcadia - Aerodrome integrations


1,446.42 USDC • 1 total finding • Sherlock • PUSH0

silver

medium

Max exposure cap can be bypassed on assets using WrappedAerodromeAM.sol

Feb '24

Perpetual


11,350.47 USDC • 4 total findings • Sherlock • PUSH0

bronze

high

LP can instantly arbitrage and drain any Maker by updating the Pyth price

medium

OracleMaker's price with spread does not take into account the new position

medium

USDT/USDC depeg event will pit both makers at a highly risky position due to arbitrage

medium

No slippage check for deposit/withdraw in either Makers

Jan '24

Arcadia


4,084.31 USDC • 2 total findings • Sherlock • PUSH0

#4

medium

`CREATE2` address collision against an Account will allow complete draining of lending pools

medium

L2 sequencer down will push an auction's price down, causing unfair liquidation prices, and potentially guaranteeing bad debt

Covalent


4,593.97 USDC • 5 total findings • Sherlock • PUSH0

gold

medium

New staking between reward epochs will dilute rewards for existing stakers. Anyone can then front-run `OperationalStaking.rewardValidators()` to steal rewards

medium

Frontrunning validator freeze to withdraw tokens

medium

No cooldown in `recoverUnstaking()`, opens up several possible attacks by abusing this functionality.

medium

`validatorMaxStake` can be bypassed by using `setValidatorAddress()`

medium

No option to change validator address without also transferring unstakings, leads to lost rewards when a validator has taken more than 300 unstakings (even if through normal usage)

SYMM IO


42.60 USDC • Sherlock • oot2k

#19

Jul '23

Beam


62.43 USDC • Sherlock • oot2k

#25

May '23

DODO Margin Trading


105.99 USDC • 1 total finding • Sherlock • oot2k

#5

high

Everyone can open or close positions from user

Footium


0.01 USDC • 1 total finding • Sherlock • oot2k

#32

medium

FootiumPrizeDistributor should use SafeERC20 functions

Mar '23

Gitcoin


70.52 USDC • Sherlock • oot2k

#42

Feb '23

Derby


685.56 USDC • 3 total findings • Sherlock • oot2k

#12

medium

Manipulate Allocations from game using flashloans

medium

rebalanceBasket can be called before settleRewardsInt to maximize rewards

medium

Incorrect Validation in addToTotalRewards() leads to rewards wrongly getting calculated

OpenQ


14.97 USDC • 1 total finding • Sherlock • oot2k

#46

high

Permanent freezing of Atomic bounty with broken ERC20/ERC721