https://sherlock-files.ams3.digitaloceanspaces.com/profile_images/3ee50d15-43f0-4b21-8749-cb1bcbda2ae3.jpg

oxelmiguel

Security Researcher

Smart contract security researcher and blockchain engineer

Contact Me

High

Total

Medium

Total

$11.45K

Total Earnings

#499 All Time

11x

Payouts

1x

2nd Places

1x

3rd Places

3x

Top 10

All

Sherlock

Code4rena

CodeHawks

Feb '25

SEDA Protocol

21.95 USDC • 1 total finding • Sherlock • oxelmiguel

#22

high

Attacker Will Inflate Voting Power to Manipulate Consensus

Rova

0.04 USDC • 1 total finding • Sherlock • oxelmiguel

medium

Improper Validation Checks Will Affect User Participation Limits

Jan '25

Liquid Ron

0 USDC • 1 total finding • Code4rena • oxelmiguel12

#12

medium

Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

Part 2

1,299.62 usdc • 7 total findings • CodeHawks • oxelmiguel

#14

high

Incorrect Credit Capacity Validation in `VaultRouterBranch.redeem` Enables Locked Collateral Drainage

high

Vaults weth reward is not distributed correctly

high

Unclaimed Rewards Loss Due to Missing Validation in `VaultRouterBranch.stake()`

high

Incorrect Debt Check in `CreditDelegationBranch::settleVaultsDebt` Function

high

Incorrect calculation in CreditDelegationBranch::withdrawUsdTokenFromMarket allows attacker mint any amount of usdz

medium

Attacker can manipulate the amount of output tokens of users in ZlpVault

medium

Issue with Decimal Offset Calculation Leading to Weak Donation Protection

Plaza Finance

0.18 USDC • 1 total finding • Sherlock • oxelmiguel

#100

high

Incorrect Period Reference in `transferReserveToAuction` Leading to Denial of Service for Auction Contracts

Sep '24

Staking

1,375.83 USDC • CodeHawks • oxelmiguel

#15

Boost Core Incentive Protocol

8,001.42 USDC • 5 total findings • Sherlock • oxelmiguel

high

Boost Creators Unable to Retrieve Funds or Draw Raffle Winners Due to Missing Entry Points

high

Malicious Actor Can Block Incentive Claims for Legitimate Users

medium

Inability to Handle Fee-on-Transfer Tokens in Budget Allocation

medium

Unlimited Referral Fee Allows Boost Creator to Bypass Protocol Fee

medium

Vulnerable Randomness in drawRaffle() Allows Manipulation of Raffle Results by Malicious Actors

Aug '24

Cork Protocol

511.85 USDC • 3 total findings • Sherlock • oxelmiguel

high

Incorrect RA Transfer on Reserve's DS Sale

high

The lvRedeemRaWithCtDs Function Fails to Reduce Locked RA When Burning CT and DS

high

Inconsistent application of exchange rate

ZeroLend One

10.48 USDC • 1 total finding • Sherlock • oxelmiguel

#44

high

Incorrect Supply and Debt Balance Calculation in PositionBalanceConfiguration

Winnables Raffles

1.80 USDC • 1 total finding • Sherlock • oxelmiguel

#37

high

Failure to Update _lockedETH Will Cause Withdrawal Failures for Contract Admin

Tadle

229.45 USDC • 7 total findings • CodeHawks • oxelmiguel

#25

high

TokenManager - Unlimited withdraw

high

Native token withdrawal fails until manually approved

high

Formulaic Error Rounds Down Causing Total Loss Of Funds For Bid Takers During Abort

high

Malicious user can drain protocol by bypassing `ASK` offer abortion validation in `Turbo` mode

high

Token withdrawal fails until someone manually approves spending

high

Fund Withdrawal Flaw in preMarket Allows Users to Avoid Settlement Obligations

low

`listOffer` Unsafely References Fungible Identifiers