qckhp

Security Researcher

web3 security researcher, bug bounty hunter.

High: 16 total

Medium: 4 total

Total Earnings: $2.46K

#949 All Time

6x

Payouts

regular

1x

Top 10

regular

4x

Top 25

regular

4x

Top 50

Feb '24

opal-contracts

369.68 USDC • 4 total findings • Cantina • qckhp

#23

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

Jul '23

Beedle - Oracle free perpetual lending

222.29 USDC • 11 total findings • CodeHawks • qckhp

#16

high

Sandwich attack to steal all ERC-20 tokens in the Fees contract

high

Borrower can use Refinance to cancel auctions so they can extend their loan indefinitely

high

During refinance() new Pool balance debt is subtracted twice

high

[H-04] Lender#buyLoan - Malicious user could take over a loan for free without having a pool because of wrong access control

high

Using forged/fake lending pools to steal any loan opening for auction

high

Stealing any loan opening for auction through others' lending pool

high

Token spending by Uniswap router doesn't get approved

high

A pool lender can fully drain another user's pool by abusing `buyLoan`

medium

Lender contract can be drained by re-entrancy in `refinance` (collateral)

gas

Save gas for collecting protocol fees and interests

gas

Lack of pause pool function in Lender contract

CodeHawks Escrow Contract - Competition Details

3.47 USDC • 1 total finding • CodeHawks • qckhp

#90

gas

Add an optional deadline parameter for dispute process

Jun '23

Hubble Exchange

349.52 USDC • 1 total finding • Sherlock • qckhp

#22

high

Malicious user can DOS vUSD withdrawals

DODO V3

1,518.71 USDC • 2 total findings • Sherlock • qckhp

#9

high

Possible to buy tokens from other user funds who approved DODOApprove contract

medium

No check if Arbitrum Sequencer is active for oracle

May '23

USSD - Autonomous Secure Dollar

0.44 USDC • 4 total findings • Sherlock • qckhp

#86

high

Lack of access control for minting USSD

high

Rebalance function can be manipulated by flashloan

high

No slippage protection in USSD UniV3SwapInput function

medium

Chainlink oracle data feed can be outdated yet used anyway