pengun

Security Researcher

#HMP Hide Me, Please Genesis OG #DSC 🟨

Contact Me

High: 46 Total

Medium: 30 Total

$5.41K Total Earnings

#731 All Time

27x Payouts

1x 2nd Places (silver)

2x Top 10

11x Top 25

Jul '24

TraitForge

0 USDC • 2 total findings • Code4rena • PENGUN

#89

high

`mintToken()`, `mintWithBudget()`, and `forge()` in the `TraitForgeNft` Contract Will Fail Due to a Wrong Modifier Used in `EntropyGenerator.initializeAlphaIndices()`

high

Wrong minting logic based on total token count across generations

Munchables

29.25 USDC • 2 total findings • Code4rena • PENGUN

#43

high

Malicious User can call `lockOnBehalf` repeatedly to extend a user's `unlockTime`, removing their ability to withdraw previously locked tokens

high

Invalid validation in _farmPlots function allows a malicious user to farm repeatedly without locked funds

MakerDAO Endgame

748.79 USDC • Sherlock • pengun

#64

May '24

Munchables

0.01 USDC • 2 total findings • Code4rena • PENGUN

#16

high

Malicious User can call `lockOnBehalf` repeatedly to extend a user's `unlockTime`, removing their ability to withdraw previously locked tokens

high

Invalid validation in _farmPlots function allows a malicious user to farm repeatedly without locked funds

Apr '24

NOYA

16.09 USDC + NOYA stars • 4 total findings • Code4rena • PENGUN

#87

high

`executeWithdraw` may be blocked if any of the users are blacklisted from the `baseToken`

high

`NoyaValueOracle.getValue` returns an incorrect price when a multi-token route is used

medium

The total deposit amount limit in `AccountingManager.sol` can be bypassed

medium

`depositQueue.queue` in `AccountingManager` can be flooded causing a DoS

Jan '24

Salty.IO

569.32 USDC • 7 total findings • Code4rena • PENGUN

#22

high

User can evade `liquidation` by depositing the minimum of tokens and gain time to not be liquidated

medium

Attacker Can Inflate LP Position Value To Create a Bad Debt Loan

medium

formPOL lacks slippage and deadline protection

medium

Attacker can take advantage of a Chainlink price update not occurring within its 60-minute heartbeat to make PriceAggregator calls fail

medium

Adversary can prevent updating price feed addresses by creating poisonous proposals ending in `_confirm`

medium

DOS of proposals by abusing ballot names without important parameters

medium

Reusing a SALT that has already been used for voting can allow a malicious proposal to pass and compromise the protocol.

Curves

2.2 USDC • 4 total findings • Code4rena • PENGUN

#117

high

Attack to make `CurveSubject` a `HoneyPot`

high

Unauthorized Access to setCurves Function

medium

onBalanceChange causes previously unclaimed rewards to be cleared

medium

If a user sets their curve token symbol as the default one plus the next token counter instance it will render the whole default naming functionality obsolete

Dec '23

The Standard

0.08 USDC • 2 total findings • CodeHawks • pengun

#101

high

Rewards can be drained because of lack of access control

high

Looping over unbounded `pendingStakes` array can lead to permanent DoS and frozen funds

Ethereum Credit Guild

195.84 USDC • 3 total findings • Code4rena • PENGUN

#57

high

Users staking via the `SurplusGuildMinter` can be immediately slashed when staking into a gauge that had previously incurred a loss

medium

`totalBorrowedCredit` can revert, breaking gauges.

medium

Anyone can prolong the time for the rewards to get distributed

Nov '23

Canto Application Specific Dollars and Bonding Curves for 1155s

208.48 USDC • 2 total findings • Code4rena • PENGUN

#16

medium

No slippage protection for Market functions

medium

Users will lose rewards when buying new tokens if they already own some tokens

Kelp DAO | rsETH

1,045.58 USDC • 2 total findings • Code4rena • PENGUN

#5

high

Possible arbitrage from Chainlink price discrepancy

medium

Lack of slippage control on LRTDepositPool.depositAsset

Oct '23

NextGen

37.14 USDC • 4 total findings • Code4rena • PENGUN

#68

high

Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime

high

Attacker can reenter to mint all the collection supply

high

Adversary can block `claimAuction()` due to push-strategy to transfer assets to multiple bidders

medium

On a Linear or Exponential Descending Sale Model, a user that mints on the last `block.timestamp` mints at an unexpected price.

Ethena Labs

4.52 USDC • Code4rena • PENGUN

#40

Sep '23

Allo V2

145.50 USDC • 5 total findings • Sherlock • pengun

#39

high

Infinite Voting in QVSimpleStrategy

medium

CREATE3 is not available in the zkSync Era.

medium

Malicious user can split the vote in QVBaseStrategy to get more votes.

medium

RFPSimpleStrategy's _distribute implementation is incorrect

medium

Fee-on-transfer not supported in fundPool

Centrifuge

50.43 USDC • 1 total finding • Code4rena • PENGUN

#31

medium

`trancheTokenAmount` should be rounded UP when proceeding to a withdrawal or previewing a withdrawal.

Aug '23

Cooler Update

171.61 USDC • 2 total findings • Sherlock • pengun

#12

high

A malicious user can delete a loan that `defaults` with `unclaimed`, causing the lender to lose the debt token.

medium

A malicious lender can increase a borrower's debt.

Jul '23

Beedle - Oracle free perpetual lending

107.74 USDC • 8 total findings • CodeHawks • pengun

#39

high

Sandwich attack to steal all ERC-20 tokens in the Fees contract

high

During refinance() new Pool balance debt is subtracted twice

high

[H-04] Lender#buyLoan - Malicious user could take over a loan for free without having a pool because of wrong access control

high

Stealing any loan opening for auction through others' lending pool

high

Fee on transfer tokens will cause users to lose funds

high

update() not getting called right after a WETH amount has been sent will cause users to lose staking rewards

medium

The `borrow` and `refinance` functions can be front-run by the pool lender to set high interest rates

medium

Fixed fee level is used when swap tokens on Uniswap

Foundry DeFi Stablecoin CodeHawks Audit Contest

65.76 USDC • 4 total findings • CodeHawks • pengun

#30

high

Theft of collateral tokens with fewer than 18 decimals

high

Liquidation Is Prevented Due To Strict Implementation of Liquidation Bonus

medium

staleCheckLatestRoundData() does not check the status of the Arbitrum sequencer in Chainlink feeds.

medium

Not all of the USD pair price feeds have 8 decimals

CodeHawks Escrow Contract - Competition Details

5.60 USDC • 2 total findings • CodeHawks • pengun

#81

medium

[H-01] Lack of emergency withdraw function when no arbiter is set

gas

Add an optional deadline parameter for dispute process

Tokensoft

223.98 USDC • 3 total findings • Sherlock • pengun

#11

high

Unrestricted Access to initializeDistributionRecord Allows Manipulation of Voting Power

medium

Incomplete Fee Setup in CrosschainDistributor.sol Leads to Inoperative Claims

medium

Vote Factor Alteration During Airdrop Leads to Unfair Voting Power Allocation

Tokemak

469.68 USDC • 6 total findings • Sherlock • pengun

#31

high

A malicious user can prevent rewards from being distributed for a Convex `destinationVault`.

high

`LiquidationRow.liquidateVaultsForToken` is not working correctly.

high

`rewardPerToken` calculation is incorrect, resulting in a smaller distribution of the user's reward than intended.

high

LiquidationRow's `queueNewRewards` does not work due to double spending of `queueNewRewards`.

high

LMPVault.sol: Incorrect calculation of `idleIncrease` in `_withdraw`.

high

LMPVaultRouterBase: `mint`, `deposit` will be double-paid when paid with `ETH`, and the excess can be stolen.

Beam

96.58 USDC • Sherlock • pengun

#20

Jun '23

Unstoppable

724.50 USDC • 4 total findings • Sherlock • pengun

#12

high

Vault.vy: Malicious user can create bad debt and steal the protocol's funds

high

Vault.vy: Faulty Interest Calculation in Vault.vy due to Improper Update Sequence

high

Dca.vy: Stealing User Funds Provided for DCA by Creating a New Pool and Manipulating Price

medium

Vault.vy: Potential Risk of Stale Data from Oracle due to Extended Freshness Threshold

Symmetrical

167.15 USDC • 1 total finding • Sherlock • pengun

#28

high

Absence of Signature Expiry Check in LibMuon.verifyPrices()

May '23

USSD - Autonomous Secure Dollar

89.44 USDC • 5 total findings • Sherlock • pengun

#22

high

Missing Permission Check in USSD.sol Allows Unauthorized Minting and Burning of USSD Tokens

high

Wrong Calculation of Collateral Selling Amount in USSDRebalancer.sol Impairs Price Defense During Depegged State

high

Incorrect Configuration of DAIEthOracle in StableOracleDAI and StableOracleWBGL Contract

high

Incorrect Decimal Setting in StableOracleDAI Contract for DAI/ETH Price Retrieval

high

Incorrect Calculation of Return Value in StableOracleDAI's getPriceUSD Function

DODO Margin Trading

116.10 USDC • 1 total finding • Sherlock • pengun

silver (2nd place)

high

Griefing attack vulnerability in MarginTrading.sol

Footium

120.87 USDC • 1 total finding • Sherlock • pengun

#20

high

FootiumEscrow.sol's approve allows you to seize club assets after selling clubs.