pashap9990

Security Researcher

Web3 Security Enthusiast 🥷

High: 20 total

Medium: 2 solo, 30 total

Total earnings: $11.19K (#509 all time)

Payouts: 16x

1st places: 1x (gold)

2nd places: 1x (silver)

Top 10: 7x (regular)

Apr '25

ZKP2P V2

2,535.49 OP • Sherlock • pashap9990

silver

Findings not publicly available for private contests.

Jan '25

Peapods

2,045.15 USDC • 4 total findings • Sherlock • pashap9990

#8

medium

Malicious actors can front-run setYieldConvEnabled

medium

The protocol gets fee more than expected

medium

Users pay fee just when remaining pTkn is greater than zero

medium

`AutoCompoundingPodLp::_totalAssets` is stale in some cases and users get more share than real amount

Plaza Finance

21.30 USDC • 4 total findings • Sherlock • pashap9990

#66

high

`Auction::endAuction` will be reverted because of `Pool::transferReserveToAuction`

medium

`Auction::bid` can be reverted because of blocked addresses

medium

Malicious actors can prevent auction to be succeed

medium

There isn't data feed in term of USD for all assets mentioned in Readme

Dec '24

Autonomint Colored Dollar V1

412.01 OP • 13 total findings • Sherlock • pashap9990

#10

high

users can pass arbitrary strike price as parameter to Borrowing::depositTokens

high

Users can use signatures multiple time that has been generated by the admin in borrowing contract

high

malicious actors can drain treasury

high

There isn't any force for users to call `Borrowing::renewOptions`

medium

BorrowLib::borrowerDebt will be computed based on stale cumulative rate

medium

hasDeposited remain true when depositedAmountInETH is zero

medium

Borrowing::liquidate will be reverted

medium

synthetixPerpsV2.transferMargin will be reverted because of insufficient token amount

medium

sUSDs will be stuck in Synthetix

medium

multiSign::executeSetterFunction can be call by anyone

medium

users can pass arbitrary volatility as parameter to Borrowing::depositTokens and change option fee in favor of themself

medium

legitimate users cannot withdraw their assets from CDS contract

medium

dust amounts will be removed in OFT tokens

Nov '24

Ethos Network Financial Contracts

130.79 USDC • 4 total findings • Sherlock • pashap9990

#22

high

users pay fee more than actual value in ReputationMarket::buyVotes

high

withdrawGraduatedMarketFunds will be reverted because of insufficient balance

medium

lack of slippage control in sellVotes

medium

users pay fee more than expected in EthosVouch::vouchByAddress

vVv Launchpad - Investments & Token distribution

94.59 USDC • 1 total finding • Sherlock • pashap9990

gold

high

malicious user can steal other users' assets

Debita Finance V3

120.51 USDC • 3 total findings • Sherlock • pashap9990

#25

high

NFTs will be locked in buyOrder contract

medium

users cannot claim their incentives because of precision loss

medium

malicious users can steal other users' incentives

Oct '24

Orderly Solana Vault Contract

824.07 USDC • 1 total finding • Sherlock • pashap9990

#5

high

malicious user can drain solana vault

Aug '24

Velar Artha PerpDEX

1,746.28 USDC • 2 total findings • Sherlock • pashap9990

#5

medium

Funding fee will be zero because of precision loss

medium

LPs cannot specify min amount received in burn function, causing loss of fund for them

Midas - Instant Minter/Redeemer

1,861.95 USDC • 2 total findings • Sherlock • pashap9990

#5

medium

buidl tokens will be locked in RedemptionVaultWIthBUIDL

medium

Admin cannot update some global vars based on specification

Winnables Raffles

31.84 USDC • 2 total findings • Sherlock • pashap9990

#23

high

Admin cannot withdraw leftover assets in winnerableTicketManager contract

medium

Admins can change raffle's winner in favor of themself

Jul '24

MagicSea - the native DEX on the IotaEVM

456.02 USDC • 4 total findings • Sherlock • pashap9990

#11

high

Bribe givers cannot sweep their residual assets

high

Voters cannot claim their rewards

high

If a user sets BribeRewarder for a specific pool all votes for that pool will be reverted

medium

_accRewardsPerShare is computed wrongly if unlockOperator calls emergencyWithdraw

Velocimeter

507.79 USDC • 2 total findings • Sherlock • pashap9990

#18

high

voters cannot disable max lock

high

exerciseVe and exerciseLp are vulnerable to MEV

May '24

Elfi

398.14 USDC • 7 total findings • Sherlock • pashap9990

#12

high

Users can manipulate their balance without any cost

high

Stakers cannot redeem their funds

high

stakers loss their reward if they redeem their xToken

medium

User can deposit more than collateral user capacity

medium

lossFee always will be zero in process execution fee

medium

Users loss their payed executionFee if the protocol calls autoReducePositions function

medium

autoReducePositions function can has significant losses for the protocol

Kwenta x Perennial Integration Update

0.34 USDC • Sherlock • pashap9990

#12

Apr '24

Zivoe

2.24 USDC • 1 total finding • Sherlock • pashap9990

#55

high

Malicious user can postpone ZVE stakers reward