
patitonar

Web3 Security Researcher

prev 5+ years Senior Solidity Developer


High: 36 total

Medium: 26 total

Total earnings: $3.73K (#894 all time)

Payouts: 16x

3rd places: 1x (bronze)

Top 10: 6x

Top 25: 10x


May '25

LEND


438.65 USDC • 14 total findings • Sherlock • patitonar

#10

high

Users will drain LEND tokens by claiming rewards multiple times

high

Protocol will lose accumulated liquidation rewards due to missing withdrawal mechanism

high

Users will receive incorrect token amounts due to stale exchange rates

high

User will clear same-chain debt by repaying only cross-chain debt

high

User will clear same-chain debt on destination chain by repaying only cross-chain debt

high

User will increase same-chain debt on destination chain by repaying cross-chain debt

high

Incorrect liquidation validation leads to loss of funds for borrowers or protocol insolvency

high

User will over-borrow across multiple chains by exploiting stale collateral checks

high

First-time borrowers will drain protocol liquidity by bypassing collateral requirements

high

Invariant check will cause complete denial of service for borrowers when users perform bidirectional cross-chain operations

high

Users will receive double LEND rewards when having cross-chain positions

medium

Borrower will lose seized collateral when liquidator repays debt during cross-chain liquidation with an invalid amount

medium

User will be unable to borrow up to their full collateral capacity due to double application of interest calculation

medium

Liquidator will be unable to liquidate up to the proper close factor due to incorrect principal amount usage in liquidation calculations

Apr '25

infinifi-protocol


534.69 USDC • 1 total finding • Cantina • patitonar

#19

medium

Finding not yet public.

Mar '25

Forte: Float128 Solidity Library


345.88 USDC • 1 total finding • Code4rena • patitonar

#19

high

Unwrapping while equating inside the `eq` function fails to account for the set `L_MATISSA_FLAG`

PinLink: RWA-Tokenized DePIN Marketplace


9.86 USDC • Sherlock • patitonar

#51

Crestal Network


101.35 USDC • 4 total findings • Sherlock • patitonar

bronze

high

Missing authorization check in `Payment::payWithERC20()` allows unauthorized token transfers

medium

Missing worker deployment timeout mechanism leads to permanently stuck deployments

medium

Missing signature invalidation in `BlueprintCore::updateWorkerDeploymentConfigWithSig()` allows token balance draining and configuration update replay

medium

Incomplete whitelist implementation in `BlueprintCore` allows bypass of agent creation restrictions

badger-ebtc-bsm


14.85 USDC • 1 total finding • Cantina • patitonar

#31

high

Finding not yet public.

Feb '25

Yieldoor


11.40 USDC • 1 total finding • Sherlock • patitonar

#27

medium

Inconsistent negative modulo handling causes incorrect tick calculations for secondary positions

THORWallet


0 USDC • 1 total finding • Code4rena • patitonar

#10

medium

Improper Transfer Restrictions on Non-Bridged Tokens Due to Boolean Bridged Token Tracking, Allowing a DoS Attack Vector

Core Contracts


390.27 USDC • 33 total findings • CodeHawks • patitonar

#57

high

ZENO Token Redemption Returns Negligible USDC Amount Compared to Purchase Price

high

Incorrect decimal handling in `Auction::buy()` leads to massive overpayment for ZENO tokens

high

`BaseGauge` users can claim rewards without staking

high

Multiple issues from unnecessary balance increase calculation in DebtToken.mint

high

Reward manipulation vulnerability in StabilityPool

high

RToken's transfer function lead to loss of funds due to incorrect math

high

NFTs Get Permanently Locked in Stability Pool After Liquidation

high

Any attempt to liquidate a user will fail, because StabilityPool does not hold crvUSD during operational lifecycle

high

Double Usage Index Scaling in StabilityPool Liquidation Inflates Required CRVUSD Balance

high

Ownership Parameter Mismatch in LendingPool’s Vault Withdrawal Logic

high

Multiple calls to `BaseGauge::notifyRewardAmount()` override existing reward rate, causing loss of rewards for stakers

high

Hardcoded Exchange Rate Leading to Incorrect Deposits and Redemptions

high

Users can lose additional collateral by depositing NFTs after grace period expiration

high

Gauge reward system can be gamed with repeatedly stake/withdraw

medium

Missing Vote Frequency Control in GaugeController

medium

Incorrect DebtToken totalSupply Scaling Breaks Interest Rate Calculations

medium

LendingPool deposits do not work with CurveVault due to lack of funds

medium

Users Can Lose Funds and Collateral by Repaying Loans After Liquidation Grace Period Expiry

medium

Liquidation Cannot Be Closed Even With Healthy Position Due To Strict Debt Check

medium

Using balanceOf Instead of Voting Power

medium

There is no logic checking for RAACNFT price staleness before minting it

medium

`RToken::calculateDustAmount` are incorrectly calculated, leading to not be able to transfer the accrued dust amount

medium

Treasury Contract Deposit Function Can Be Frontrun To Deny Protocol Operations

medium

`GaugeController::distributeRewards` can be called multiple times by anyone, leading to excessive reward distribution

medium

Fee-on-transfer token handling issue in `Treasury::deposit` leads to permanent fund loss

medium

Wrong access control in `RAACToken::setFeeCollector`, `RAACToken::setSwapTaxRate`, `RAACToken::setBurnTaxRate`

medium

`RAACReleaseOrchestrator::emergencyRevoke()` fails to update `categoryUsed`, leading to token lockup and incorrect accounting

medium

Coordinated group of attacker can artificially lower quorum threshold during active proposals forcing malicious proposals to pass without true majority support.

low

Emergency Timelock Bypass: No Enforced 1-Day Delay for Emergency Actions

low

Incorrect Initialization of minBoost in BaseGauge Constructor Breaks Core Contract Functionality

low

Borrow, withdraw, deposit revert due to curve vault not having available liquidity or being paused.

low

`LendingPool` yield generated in curve vault is lost and cannot be withdrawn by users

low

`Auction::checkAuctionEnded()` function fails to handle early auction completion when all ZENO tokens are sold, potentially blocking critical post-auction processes

Jan '25

Next Generation


337.9 USDC • 2 total findings • Code4rena • patitonar

#5

high

Cross-Chain Signature Replay Attack Due to User-Supplied `domainSeparator` and Missing Deadline Check

medium

Lack of deadline check in forwarded request

daao-contracts


113.55 USDC • 7 total findings • Cantina • patitonar

#34

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

May '23

Ajna Protocol


327.76 USDC • 2 total findings • Code4rena • patitonar

#26

high

Claiming accumulated rewards while the contract is underfunded can lead to a loss of rewards

medium

Potential unfair distribution of Rewards due to MEV in updateBucketExchangeRatesAndClaim

Sep '21

bveCVX by BadgerDAO contest


264.71 tokens) • Code4rena • patitonar

#7

Aug '21

Gravity Bridge contest


95.63 USDC • Code4rena • patitonar

#11

Float Capital contest


24.58 USDC • Code4rena • patitonar

#14

Jul '21

Sherlock contest


720.12 USDC • Code4rena • patitonar

#10