
peanuts

Security Researcher

Philosopher turned Blockchain Auditor | Web3 Vulnerability Researcher | DM for enquiries | Portfolio: https://t.co/THDLvZzEvw…


High: 48 Total
Medium: 94 Total
Total Earnings: $29.47K (#273 All Time)
Payouts: 91x
1st Places: 2x
Top 10: 9x
Top 25: 41x


Feb '25

THORWallet
0.35 USDC • 2 total findings • Code4rena • peanuts • #8
high: MergeTgt has no handling if TGT_TO_EXCHANGE is exceeded during the exchange period
medium: Improper Transfer Restrictions on Non-Bridged Tokens Due to Boolean Bridged Token Tracking, Allowing a DoS Attack Vector

Jan '25

Liquid Ron
0.02 USDC • 2 total findings • Code4rena • peanuts • #11
high: The calculation of `totalAssets()` could be wrong if `operatorFeeAmount` > 0; this can cause potential loss for the new depositors
medium: Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

Dec '24

SecondSwap
4.66 USDC • 3 total findings • Code4rena • peanuts • #51
high: Users can claim more than their actual allotment
medium: Incorrect listing type validation bypasses enforcement of minimum purchase amount
medium: Creator of one vesting plan can affect vesting plans created by other users.

Chainlink Payment Abstraction
1,042.11 USDC • Code4rena • peanuts • #5

Aug '24

Chakra
38.28 USDT • 4 total findings • Code4rena • peanuts • #44
high: In Starknet, already processed messages can be re-submitted, and by anyone
medium: A cross-chain message can be initiated with invalid parameters
medium: Does not check if to_chain and to_handler are whitelisted in cross_chain_erc20_settlement
medium: Excessive Authority Granted to Managers in the `ckr_btc.cairo` Contract Presents Significant Management Risks

Superposition
291.97 USDC • 2 total findings • Code4rena • peanuts • #17
high: `get_fee_growth_inside` in `tick.rs` should allow for `underflow`/`overflow` but doesn't
medium: No related function to set fee_protocol

Jul '24

TraitForge
3.31 USDC • 6 total findings • Code4rena • peanuts • #74
high: Wrong minting logic based on total token count across generations
medium: There is no slippage check in the `nuke()` function.
medium: Forger Entities can forge more times than intended
medium: Pause and unpause functions are inaccessible
medium: NFTs mature too slowly under default settings.
medium: `Golden God` Tokens can be minted twice per generation

LoopFi
3.52 USDC • 3 total findings • Code4rena • peanuts • #52
medium: WhenNotPaused modifier in the CDPVault can be bypassed by users
medium: Malicious actor can abuse the minimum shares check in `StakingLPEth` and cause DoS or locked funds for the last user that withdraws
medium: `PendleLPOracle::_fetchAndValidate` uses Chainlink's deprecated `answeredInRound`

Munchables
147.76 USDC • 1 total finding • Code4rena • peanuts • #26
high: Single plot can be occupied by multiple renters

Karak Restaking
0 USDC • Code4rena • peanuts • #16

MakerDAO Endgame
730.82 USDC • Sherlock • peanuts • #65

May '24

Olas
164.65 USDC • 1 total finding • Code4rena • peanuts • #13
medium: The `refundAccount` is erroneously set to `msg.sender` instead of `tx.origin` when `refundAccount` is specified as `address(0)`

LoopFi
70.15 USDC • 3 total findings • Code4rena • peanuts • #9
medium: WhenNotPaused modifier in the CDPVault can be bypassed by users
medium: Malicious actor can abuse the minimum shares check in `StakingLPEth` and cause DoS or locked funds for the last user that withdraws
medium: `PendleLPOracle::_fetchAndValidate` uses Chainlink's deprecated `answeredInRound`

Apr '24

Renzo
699.87 USDC • 4 total findings • Code4rena • peanuts • #16
high: Incorrect withdraw queue balance in TVL calculation
high: Withdrawals of rebasing tokens can lead to insolvency and unfair distribution of protocol reserves
high: Withdrawals logic allows MEV exploits of TVL changes and zero-slippage zero-fee swaps
medium: stETH/ETH Feed being used opens up to 2 way deposit<->withdrawal arbitrage

NOYA
25.06 USDC + NOYA stars • 4 total findings • Code4rena • peanuts • #74
high: `AccountingManager::resetMiddle` will not behave as expected
high: `executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`
medium: `depositQueue.queue` in `AccountingManager` can be flooded causing a DoS
medium: Using the same heartbeat for multiple price feeds

DYAD
446.95 USDC • 4 total findings • Code4rena • peanuts • #26
high: Inability to perform partial liquidations allows huge positions to accrue bad debt in the system
medium: Value of kerosene can be manipulated to force liquidate users
medium: No incentive to liquidate when CR <= 1 as asset received < dyad burned
medium: Liquidation bonus logic is wrong

Mar '24

vVv Vesting & Staking
59.25 USDC • Sherlock • peanuts • #19

Feb '24

Spectra
19.59 USDC • Code4rena • peanuts • #22

UniStaker Infrastructure
716.32 USDC • Code4rena • peanuts • #4

Rio Network
830.35 USDC • 2 total findings • Sherlock • peanuts • #18
high: RioLRTWithdrawalQueue.settleEpochFromEigenLayer does not increase the current epoch, resulting in a loop while rebalancing.
medium: Leak of value when waiting for assets to be withdrawn after requesting withdrawal

Althea Liquid Infrastructure
167.78 USDC • 2 total findings • Code4rena • peanuts • #15
high: Holders array can be manipulated by transferring or burning with amount 0, stealing rewards or bricking certain functions
medium: `LiquidInfrastructureERC20.sol` disapproved holders keep part of the supply, diluting approved holders' revenue.

AI Arena
23.51 USDC • 5 total findings • Code4rena • peanuts • #106
high: Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win
high: A locked fighter can be transferred; leads to game server unable to commit transactions, and unstoppable fighters
medium: NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on the chain due to underflow, and can recover past losses that can't be recovered (steal protocol's token)
medium: Can mint NFT with the desired attributes by reverting transaction
medium: DoS in `MergingPool::claimRewards` function and potential DoS in `RankedBattle::claimNRN` function if called after a significant amount of rounds passed.

Jan '24

Decent
834.34 USDC • 5 total findings • Code4rena • peanuts • #11
high: Due to missing checks on minimum gas passed through LayerZero, executions can fail on the destination chain
high: Anyone can update the address of the Router in the DcntEth contract to any address they would like to set.
medium: Potential loss of capital due to fixed fee calculations
medium: Missing access control on UTB:receiveFromBridge allows UTB swaps to be executed without spending bridge fees while bypassing fee/swap instruction signature verification
medium: Users can use the protocol freely without paying any fees by calling the `DecentEthRouter::bridgeWithPayload()` function directly.

Salty.IO
1,158.39 USDC • 4 total findings • Code4rena • peanuts • #11
high: First depositor can break staking-rewards accounting
medium: changeWallets() can be confirmed immediately after proposalWallets() by manipulating activeTimelock beforehand
medium: Chainlink price feed uses BTC, not WBTC. In case of depegging, oracles will become easier to manipulate.
medium: Reusing a SALT that has already been used for voting can allow a malicious proposal to pass and compromise the protocol.

Curves
32.99 USDC • 4 total findings • Code4rena • peanuts • #72
high: Attack to make `CurveSubject` a `HoneyPot`
high: Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`
high: Unauthorized Access to setCurves Function
medium: Curves::_buyCurvesToken(), Excess of Eth received is not refunded back to the user.

reNFT
47.82 USDC • Code4rena • peanuts • #45

Dec '23

Olas
385.84 USDC • 1 total finding • Code4rena • peanuts • #12
medium: The `refundAccount` is erroneously set to `msg.sender` instead of `tx.origin` when `refundAccount` is specified as `address(0)`

Revolution Protocol
227.71 USDC • 3 total findings • Code4rena • peanuts • #29
medium: The quorumVotes can be bypassed
medium: CultureIndex.sol#dropTopVotedPiece() - Malicious user can manipulate topVotedPiece to DoS the whole CultureIndex and AuctionHouse
medium: It may be possible to DoS AuctionHouse by specifying malicious creators

Nov '23

Shell Protocol
6,769.17 USDC • Code4rena • peanuts • gold

Canto Application Specific Dollars and Bonding Curves for 1155s
5.45 USDC • 1 total finding • Code4rena • peanuts • #29
medium: No slippage protection for Market functions

Kelp DAO | rsETH
4.66 USDC • 1 total finding • Code4rena • peanuts • #53
high: The price of rsETH could be manipulated by the first staker

Oct '23

NextGen
63.9 USDC • 2 total findings • Code4rena • peanuts • #63
medium: Bidder Funds Can Become Unrecoverable Due to 1 second Overlap in `participateToAuction()` and `claimAuction()`
medium: Auction payout goes to AuctionDemo contract owner, not the token owner

Ethena Labs
2,133.16 USDC • 3 total findings • Code4rena • peanuts • gold
medium: Users are still forced to follow previously set cooldownDuration even when cooldown is off (set to zero) before unstaking
medium: Soft Restricted Staker Role can withdraw stUSDe for USDe
medium: Malicious users can front-run to cause a denial of service (DoS) for StakedUSDe due to MinShares checks

Badger eBTC Audit + Certora Formal Verification Competition
117.51 USDC • Code4rena • peanuts • #15

Real Wagmi #2
88.51 USDC • 1 total finding • Sherlock • peanuts • #17
high: Obtaining sqrtPriceX96 from slot0 may be dangerous if liquidity is low

zkSync Era
1,050.37 USDC • Code4rena • peanuts • #26

Sep '23

Venus Prime
4.37 USDC • Code4rena • peanuts • #39

Ondo Finance
25.93 USDC • Code4rena • peanuts • #28

Aug '23

Chainlink Staking v0.2
169.32 USDC • Code4rena • peanuts • #48

Dopex
24.83 USDC • 1 total finding • Code4rena • peanuts • #102
medium: Inaccurate swap amount calculation in ReLP leads to stuck tokens and lost liquidity

Jul '23

PoolTogether
114.54 USDC • 1 total finding • Code4rena • peanuts • #54
high: `Vault.mintYieldFee` function can be called by anyone to mint `Vault Shares` to any recipient address

Basin
484.35 USDC • 1 total finding • Code4rena • peanuts • #11
medium: boreWell can be frontrun/DoS-d

Jun '23

Lybra Finance
71.41 USDC • 2 total findings • Code4rena • peanuts • #65
medium: Incorrect function call in LybraRETHVault's getAssetPrice
medium: Understatement of `poolTotalPeUSDCirculation` amounts due to incorrect accounting after function `_repay` is called

Llama
48.22 USDC • Code4rena • peanuts • #23

Stader Labs
908.3 USDC • 2 total findings • Code4rena • peanuts • #19
medium: Chainlink's `latestRoundData` may return stale or incorrect result
medium: No bidder has incentive to bid in the Auction except doing last-minute MEV due to fixed endBlock

May '23

Maia DAO Ecosystem
220.07 USDC • 2 total findings • Code4rena • peanuts • #51
medium: [M-01] Some functions in Talos contracts do not allow user to supply slippage and deadline, which may cause swap revert
medium: Lack of slippage protection can lead to significant loss of user funds

Chainlink Cross-Chain Services: CCIP and ARM Network
45.86 USDC • Code4rena • peanuts • #44

USSD - Autonomous Secure Dollar
82.10 USDC • 6 total findings • Sherlock • peanuts • #23
high: getOwnValuation() calculation may overflow
high: Using slot(0) to derive price is susceptible to price manipulations
high: No slippage check when swapping through Uniswap
high: StableOracleWBTC.sol does not use the WBTC/USD pricefeed
high: getPriceUSD() in StableOracleDAI.sol does not calculate DAI price in terms of USD properly
medium: Chainlink's latestRoundData Might Return Stale Results

Venus Protocol Isolated Pools
1,239.75 USDC • 3 total findings • Code4rena • peanuts • #12
medium: ShortFall contract might transfer incorrect amount of tokens to the highest bidder.
medium: Bad Debt in PoolLens.sol#getPoolBadDebt() is not calculated correctly in USD
medium: It's possible to borrow, redeem, transfer tokens and exit markets with outdated collateral prices and borrow interest

Ajna Protocol
36.24 USDC • Code4rena • peanuts • #49

Footium
0.01 USDC • 1 total finding • Sherlock • peanuts • #32
medium: Use safeTransfer instead of transfer for ERC20 tokens

Apr '23

Blueberry Update
13.42 USDC • 1 total finding • Sherlock • peanuts • #15
medium: Round completeness not checked in ChainlinkAdapterOracle#latestRoundData

Frankencoin
104.33 USDC • 2 total findings • Code4rena • peanuts • #45
medium: Need alternative ways for fund transfer in `end()` to prevent DoS
medium: Challengers and bidders can collude together to restrict the minting of position owner

Caviar Private Pools
184.53 USDC • 1 total finding • Code4rena • peanuts • #31
medium: Transaction reverts if the baseToken does not support 0 value transfer when charging changeFee

Rubicon v2
52.11 USDC • 1 total finding • Code4rena • peanuts • #78
medium: Calling `Position._marketBuy` and `Position._marketSell` functions that calculate `_fee` by dividing by `10000` can cause incorrect calculations

Mar '23

Gitcoin
90.56 USDC • Sherlock • peanuts • #35

Asymmetry contest
503.56 USDC • 5 total findings • Code4rena • peanuts • #16
high: Staking, unstaking and rebalanceToWeight can be sandwiched (mainly rETH deposit)
high: `WstEth` derivative assumes a ~1:1 peg of stETH to ETH
medium: Non-ideal rETH/WETH pool used pays unnecessary fees
medium: DoS due to external call failure
medium: Lack of deadline for uniswap AMM

Polynomial Protocol contest
39.43 USDC • Code4rena • peanuts • #31

Y2K
16.77 USDC • 1 total finding • Sherlock • peanuts • #58
medium: Chainlink oracle's price check may be insufficiently validated

Neo Tokyo contest
29.67 USDC • Code4rena • peanuts • #21

Wenwin contest
318.44 USDC • 1 total finding • Code4rena • peanuts • #16
medium: The buyer of the ticket could be front-run by the ticket owner who claims the rewards before the ticket's NFT is traded

Taurus
183.09 USDC • 1 total finding • Sherlock • peanuts • #10
high: Protocol assumes that all future collateral will have 18 decimal places

Feb '23

Surge
160.57 USDC • 2 total findings • Sherlock • peanuts • #12
high: First depositor can break minting of shares
high: If the collateral token and loan token do not have the same decimal places, collateral ratio will be broken

Ethos Reserve contest
61.26 USDC • Code4rena • peanuts • #33

Carapace
33.35 USDC • 2 total findings • Sherlock • peanuts • #32
high: ProtectionPool#withdraw does not check the cycle state
high: Possible DoS of functions by exceeding maximum gas limit when protectionInfo array is too large

Blueberry
321.23 USDC • 2 total findings • Sherlock • peanuts • #27
medium: latestRoundData() has no check for round completeness
medium: IchiLpOracle will malfunction if token0 or token1 decimal is not 18

Jan '23

Popcorn contest
239.37 USDC • 3 total findings • Code4rena • peanuts • #51
high: First vault depositor can steal others' assets
high: Staking rewards can be drained
high: Incorrect Reward Duration After Change in Reward Speed in MultiRewardStaking

RabbitHole Quest Protocol contest
169.56 USDC • 4 total findings • Code4rena • peanuts • #25
high: Protocol fees can be withdrawn multiple times in `Erc20Quest`
medium: Funds can be stuck due to wrong order of operations
medium: Users may not claim Erc1155 rewards when the Quest has ended
medium: User may lose rewards if the receipt is minted after quest end time

Cooler
0.00 USDC • 1 total finding • Sherlock • peanuts • #31
high: Use safeTransfer and safeTransferFrom instead of transfer and transferFrom for ERC20 contracts

Ondo Finance contest
2,553.37 USDC • 1 total finding • Code4rena • peanuts • #7
high: Loss of user funds when completing CASH redemptions

Reserve contest
121.59 USDC • Code4rena • peanuts • #26

Biconomy - Smart Contract Wallet contest
609.55 USDC • 3 total findings • Code4rena • peanuts • #21
medium: SmartAccount.sol is intended to be upgradable but inherits from contracts that contain storage and no gaps
medium: Methods used by EntryPoint have `onlyOwner` modifier
medium: Griefing attacks on `handleOps` and `multiSend` logic

UXD Protocol
690.16 USDC • 4 total findings • Sherlock • peanuts • #12
high: Anyone can call PerpDepository.rebalance()
medium: PerpDepository._rebalanceNegativePnlWithSwap uses wrong parameter in quoteAmount.fromDemicalToDecmial()
medium: PerpDepository.getDebtValue() is not used or checked when redeeming collateral for UXD
medium: Clearing house fees are stored in PerpDepository() but not paid

Dec '22

GoGoPool contest
36.62 USDC • 2 total findings • Code4rena • peanuts • #71
high: Inflation of ggAVAX share price by first depositor
medium: Coding logic of the contract upgrading renders upgrading contracts impractical

Tigris Trade contest
1.15 USDC • 1 total finding • Code4rena • peanuts • #64
medium: Centralization risks: owner can freeze withdrawals and use timelock to steal all funds

Nov '22

Redacted Cartel contest
25.32 USDC • 1 total finding • Code4rena • peanuts • #50
high: Underlying assets stealing in `AutoPxGmx` and `AutoPxGlp` via share price manipulation

Buffer Finance
6.52 USDC • 1 total finding • Sherlock • peanuts • #12
medium: Unsafe usage of ERC20 .transfer

LSD Network - Stakehouse contest
52.03 USDC • Code4rena • peanuts • #52

SIZE contest
44.29 USDC • Code4rena • peanuts • #34

Debt DAO contest
115.92 USDC • 1 total finding • Code4rena • peanuts • #40
medium: address.call{value:x}() should be used instead of payable.transfer()

Oct '22

Rage Trade
149.37 USDC • 1 total finding • Sherlock • peanuts • #6
medium: First depositor of sGLP token can break share calculations

Inverse Finance contest
34.01 USDC • 2 total findings • Code4rena • peanuts • #44
medium: Protocol withdrawals of collateral can be unexpectedly locked if governance sets the `collateralFactorBps` to 0.
medium: Chainlink oracle data feed is not sufficiently validated and can return stale `price`

Astaria
76.64 USDC • 3 total findings • Sherlock • peanuts • #23
high: Bidder's payment is not refunded if Auction is cancelled prematurely via cancelAuction()
medium: AuctionHouse firstBidTime is set to block.timestamp which breaks the calculation of the Auction's total duration
medium: The calculation of extended Auction timing when a bidder calls createBid() is incorrect

Holograph contest
192.76 USDC • 1 total finding • Code4rena • peanuts • #27
medium: Wrong slashing reward calculation for operator that did not do his job

3xcalibur contest
156.37 USDC • Code4rena • peanuts • #23

Juicebox contest
37.88 USDC • Code4rena • peanuts • #18

Union Finance
70.35 USDC • 1 total finding • Sherlock • peanuts • #19
medium: Vouchers that vouch first may not get their stake locked or unlocked sequentially according to updateLocked() if cancelVouch() is called

Sep '22

Frax Ether Liquid Staking contest
12.99 USDC • Code4rena • peanuts • #73

VTVL contest
28.69 USDC • 1 total finding • Code4rena • peanuts • #64
medium: Supply cap of VariableSupplyERC20Token is not properly enforced

Y2k Finance contest
16.18 USDC • Code4rena • peanuts • #53

PartyDAO contest
35.35 USDC • Code4rena • peanuts • #67