
qbs

Security Researcher

security researcher & smart contract auditor & DeFi enthusiast @zokyo_io


High findings: 15 total
Medium findings: 14 total
Total earnings: $1.36K
All-time rank: #1146
Payouts: 13x
2nd places (silver): 1x
Top 10 (regular): 1x
Top 25 (regular): 6x


Mar '24

Axis Finance
308.48 USDC • 2 total findings • Sherlock • qbs • #18
high: Possibility of batch auction cancellation at exact conclusion time
medium: Unwithdrawable prefunded balances in Fixed Price Auctions

Sep '23

Allo V2
343.85 USDC • 4 total findings • Sherlock • qbs • #20
high: Untracked voice credit allocation in QVSimpleStrategy
high: Recipient data may be manipulated through front-running
medium: Inaccurate pool value increase with use of fee-on-transfer tokens
medium: Excessive milestone distribution fails due to insufficient pool funds

Aug '23

Dopex
7.91 USDC • 2 total findings • Code4rena • qbs • #119
high: The peg stability module can be compromised by forcing lowerDepeg to revert.
medium: `sync` function in `RdpxV2Core.sol` should be called in multiple scenarios to account for the balance changes that occur

Tangible Caviar
5.8 USDC • Code4rena • qbs • #83

Jul '23

Beedle - Oracle free perpetual lending
40.63 USDC • 12 total findings • CodeHawks • qbs • #79
high: Sandwich attack to steal all ERC-20 tokens in the Fees contract
high: [H-04] Lender#buyLoan - Malicious user could take over a loan for free without having a pool because of wrong access control
high: Using forged/fake lending pools to steal any loan opening for auction
high: Attacker can steal a loan's collateral and break the protocol
high: Lender can sandwich a borrower to seize his collateral
medium: The `borrow` and `refinance` functions can be front-run by the pool lender to set high interest rates
medium: No expiration deadline leads to losing a lot of funds
medium: Single-step process for critical ownership transfer is risky
medium: Fixed fee level is used when swapping tokens on Uniswap
medium: Some ERC20 tokens would revert on zero value fee transfers.
low: Operator can prevent customers from borrowing from a given pool
gas: Don't use draft versions in production

CodeHawks Escrow Contract - Competition Details
0.00 USDC • 1 total finding • CodeHawks • qbs • #96
low: Constructor of `Escrow` should make sure that `buyer`, `seller`, `arbiter` are different from each other.

Tokensoft
78.59 USDC • 1 total finding • Sherlock • qbs • #14
medium: Lack of relayer fee payment

Beam
22.86 USDC • Sherlock • qbs • #39

Jun '23

Hubble Exchange
345.14 USDC • 1 total finding • Sherlock • qbs • #23
high: Denial of service in VUSD.processWithdrawals function

May '23

Iron Bank
0.00 USDC • 1 total finding • Sherlock • qbs • #25
medium: Chainlink's `latestRoundData` might return stale or incorrect results

USSD - Autonomous Secure Dollar
75.22 USDC • 6 total findings • Sherlock • qbs • #26
high: Lack of proper access control in `mintRebalancer` and `burnRebalancer` functions
high: Incorrect decimals handling for DAI/ETH price feed
high: Missing deadline check and hardcoded slippage in `UniV3SwapInput` function
high: The rebalancing decisions are based on manipulable spot price
medium: Minting exposes users to unlimited slippage
medium: Chainlink oracle return values are not handled properly

DODO Margin Trading
116.10 USDC • 1 total finding • Sherlock • qbs • silver
high: Fund loss caused by an attacker who creates a flash loan with specified parameters and sets MarginTrading as the receiver.

Apr '23

Rubicon v2
12.48 USDC • 1 total finding • Code4rena • qbs • #102
medium: BathBuddy contract should implement methods to pause and unpause contract