Security Researcher
Over 40 solo smart contract security reviews done, over 60 Critical & High severity issues found. Trusted by multiple 8 & 9 figure TVL protocols.
#370 All Time
Dec '22
Findings not publicly available for private contests.
Nov '22
Oct '22
high
Griefing attack vector in `Lender.sol` `mint()` can result in big value loss for users
medium
Some tokens (USDT) expect to always have zero allowances before approving a non-uint256.max amount
medium
Missing token approvals can result in DoS in `Marketplace.sol`
medium
ERC5095::mint checks slippage with underlying amount when it should check with principal (shares) amount
Sep '22
medium
Centralization risk: admin have privileges: admin can set address to mint any amount of frxETH, can set any address as validator, and change important state in frxETHMinter and withdraw fund from frcETHMinter
medium
removeValidator() and removeMinter() may fail due to exceeding gas limit
medium
frxETHMinter: Non-conforming ERC20 tokens not recoverable
Aug '22
high
Some functionalities in `LEther.sol` & `LToken.sol` are not calling `beforeDeposit` and `beforeWithdraw` hooks
high
Price decimals assumptions in `ChainlinkOracle.sol` & `ArbiChainlinkOracle.sol` can lead to incorrect calculation of price
medium
Incomplete price validation for Chainlink’s `latestRoundData` in `ChainlinkOracle.sol` & `ArbiChainlinkOracle.sol` can lead to overleveraged borrowing
Jul '22
Jun '22
high
Redeemer.redeem() for Element withdraws PT to wrong address.
high
Funds may be stuck when `redeeming` for Illuminate
high
Illuminate PT redeeming allows for burning from other accounts
medium
Lend method signature for illuminate does not track the accumulated fee
medium
sellPrincipalToken, buyPrincipalToken, sellUnderlying, buyUnderlying uses pool funds but pays msg.sender
medium
Centralisation Risk: Admin Can Change Important Variables To Steal Funds