p0wd3r

Security Researcher

High: 16 total

Medium: 29 total

Total earnings: $18.15K

#374 All Time

Payouts: 21x

Top 10: 8x

Top 25: 14x

Top 50: 19x

Jan '25

Aave v3.3

793.47 USDC • Sherlock • p0wd3r

#32

Pump Science

85.73 USDC • 1 total finding • Code4rena • p0wd3r

#9

medium

Last buy might charge the wrong fee

Nov '24

MANTRA DEX

305.03 USDC • 1 total finding • Code4rena • p0wd3r

#17

high

Attackers can force the rewards to be stuck in the contract with malicious `x/tokenfactory` denoms

MANTRA Chain

1,408.95 USDC • 1 total finding • Code4rena • p0wd3r

#6

high

Potentially sensitive issue - disclosed privately

Sep '24

MorphL2

2,670.20 USDC • 3 total findings • Sherlock • p0wd3r

#10

medium

revertBatch incorrectly reset inChallenge.

medium

After being removed, the staker cannot claim the deserved commission before.

medium

Cannot get all the stakers from the bitmap.

Aug '24

Winnables Raffles

170.91 USDC • 4 total findings • Sherlock • p0wd3r

#12

high

If a refund has occurred, the owner will not be able to withdraw the full proceeds from the raffle.

high

The attacker can prevent createRaffle and waste the LINK in the contract.

medium

Drawable raffle can be canceled.

medium

Admin can prevent winner from withdrawing prize

Jul '24

TraitForge

341.4 USDC • 7 total findings • Code4rena • p0wd3r

#13

high

Wrong minting logic based on total token count across generations

medium

Lack of Slippage Protection in Dynamic Pricing Mint Function

medium

There is no slippage check in the `nuke()` function.

medium

Forger Entities can forge more times than intended

medium

Pause and unpause functions are inaccessible

medium

Excess ETH from `forgingFee` can get stuck in `EntityForging` under certain situations

medium

Discrepancy between nfts minted, price of nft when a generation changes & position of `_incrementGeneration()` inside `_mintInternal()` & `_mintNewEntity()`

May '24

Sophon Farming Contracts

1,196.48 USDC • 1 total finding • Sherlock • p0wd3r

#4

high

The quantity is calculated incorrectly when depositing ETH to weETH.

Apr '24

Renzo

114.85 USDC • 4 total findings • Code4rena • p0wd3r

#34

high

Incorrect withdraw queue balance in TVL calculation

high

Withdrawals logic allows MEV exploits of TVL changes and zero-slippage zero-fee swaps

high

Incorrect calculation of queued withdrawals can deflate TVL and increase ezETH mint rate

medium

stETH/ETH Feed being used opens up to 2 way deposit<->withdrawal arbitrage

Nov '23

ZetaChain

6,080.22 USDC • 8 total findings • Code4rena • p0wd3r

#7

high

Tombstoned observer can maliciously add a duplicate observer address resulting in forfeiting voting rewards of targeted observers

medium

`ZetaSupplyChecker` calculation error

medium

When updating gas, if one chain fails, the others should continue to be updated instead of being skipped.

medium

The `unwhitelist` function of `ERC20Custody` cannot be invoked.

medium

Lagging median gas price when the set of observers changes

medium

The `Sender` of an outbound cctx originating from the zEVM is potentially set to an incorrect sender address resulting in lost assets during a refund

medium

Funds from reverted transaction may be lost/locked

medium

PayGasFeeInZetaAndUpdateCctx() is prone to slippage, causing sender overpays the revert gas and lose returned funds

Sep '23

Allo V2

42.21 USDC • 3 total findings • Sherlock • p0wd3r

#49

medium

The `distribute` function in `RFPSimpleStrategy` cannot be executed multiple times.

medium

`fundPool` does not work with fee-on-transfer token

medium

`DonationVotingMerkleDistributionVaultStrategy` does not work with fee-on-transfer tokens

Delegate

311.51 USDC • Code4rena • p0wd3r

#7

Jul '23

Tokemak

509.67 USDC • 5 total findings • Sherlock • p0wd3r

#29

high

ETH deposited by the user may be stolen.

high

queueRewards will be locked in the contract and will not be distributed.

high

Destination Vault rewards are not added to idleIncrease when info.totalAssetsPulled > info.totalAssetsToPull

high

Since no transfer is made to the swapper, the swap in the liquidation process will be invalidated.

medium

Multiple calls to queueNewRewards when there's no supply in the vault will result in some rewards being locked in the contract and unable to be distributed.

GFX Labs

1,434.84 USDC • 1 total finding • Sherlock • p0wd3r

#4

high

fastGasFeed's answer should check if it is greater than MAX_GAS_PRICE.

Jun '23

Symmetrical

76.36 USDC • 1 total finding • Sherlock • p0wd3r

#33

high

PartyA/B can avoid being liquidated through front-running allocate.

May '23

Iron Bank

0.03 USDC • 1 total finding • Sherlock • p0wd3r

#24

medium

There is a lack of verification for the update time of the oracle data.

Apr '23

JOJO Exchange

1,491.57 USDC • 2 total findings • Sherlock • p0wd3r

#11

medium

Subaccount is expected to be able to send ETH but doesn't have any payable functions to receive ETH

medium

Insurance account’s bad debt can be cleared

Frankencoin

22.6 USDC • Code4rena • p0wd3r

#66

Caviar Private Pools

31 USDC • Code4rena • p0wd3r

#61

Mar '23

Gitcoin

353.99 USDC • Sherlock • p0wd3r

#10

Y2K

710.62 USDC • 2 total findings • Sherlock • p0wd3r

#21

medium

There is a lack of verification for the update time of the oracle data.

medium

In certain situations, legitimate users may not be able to participate in Rollover.