
roccomania

Security Researcher

Blockchain Security Researcher Blockchain Developer | Open-Source Freedom Fighter


High: 15 total
Medium: 16 total
Total earnings: $1.45K (#1201 all time)
Payouts: 14x (regular)
Top 10: 6x (regular)
Top 25: 11x (regular)
Top 50: 11x (regular)


Jun '25

telcoin-network

6.36 USDC • 1 total finding • Cantina • roccomania

#63

medium

Finding not yet public.

May '25

primev-validator-registry

0.18 USDC • 1 total finding • Cantina • roccomania

#6

high

Finding not yet public.

Extrafi XLend

414.91 OP • Sherlock • roccomania

#6

Findings not publicly available for private contests.

aave-aptos

175.25 GHO • 1 total finding • Cantina • roccomania

#10

medium

Finding not yet public.

mystic-monorepo

127.49 USDC • 6 total findings • Cantina • roccomania

#25

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Apr '25

Kinetiq

634.15 USDC • 3 total findings • Code4rena • roccomania

#10

high

Buffer Silently Locks Staked HYPE in Contract Without Using Them For Withdrawals Or Providing A Way To Be Pulled Out Or Moved To L1

high

Mishandling of HYPE receipt in the StakingManager prevents users from confirming withdrawals and inflates the exchange ratio

medium

Inconsistent State Restoration in `cancelWithdrawal` Function

Audit Comp | Spectra Finance

38 USDC • 1 total finding • Immunefi • roccomania

#23

medium

Finding not yet public.

Mar '25

Nudge.xyz

0.08 USDC • 1 total finding • Code4rena • roccomania

#7

medium

Unauthorized Reallocation in `NudgeCampaign::handleReallocation` and Reward Disruption Vulnerability in `NudgeCampaign::invalidateParticipations`

PinLink: RWA-Tokenized DePIN Marketplace

2.59 USDC • Sherlock • roccomania

#73

Crestal Network

0.01 USDC • 1 total finding • Sherlock • roccomania

#12

high

Unauthorized ERC20 Transfers in `Payment::payWithERC20` can lead to loss of funds

Symmio, Staking and Vesting

0.00 USDC • 1 total finding • Sherlock • roccomania

#18

medium

Lack of Access Control in `SymmStaking::notifyRewardAmount` Allows DoS via Reward Period Extension

Feb '25

Yieldoor

16.24 USDC • 1 total finding • Sherlock • roccomania

#24

medium

`Leverager::_getTokenIn` does not update the `path` after skipping a token, causing an indefinite loop and OOG

Core Contracts

39.65 USDC • 16 total findings • CodeHawks • roccomania

#204

high

Multiple Delegation by Double Spending Boosts and Lack of Delegation Tracking in BoostController Contract

high

RAACNFT mint function receives funds to address(this) but has no way of withdrawing them

high

Users Can Overwrite Existing Locks in veRAACToken Resulting in Permanent Loss of Funds

high

Reward manipulation vulnerability in StabilityPool

high

Incorrect Reward Claim Logic in FeeCollector::claimRewards Causes Denial of Service

high

RToken's transfer function leads to loss of funds due to incorrect math

high

Users can borrow more assets than they have deposited as collateral

high

NFTs Get Permanently Locked in Stability Pool After Liquidation

medium

RToken.transferFrom() Does Not Scale User Balances Due to Stale Liquidity Index

medium

`workingSupply` is always overwritten in `BoostController.sol`, impacting reward calculations

medium

A coordinated group of attackers can artificially lower the quorum threshold during active proposals, forcing malicious proposals to pass without true majority support.

medium

Incorrect boost calculation in `BoostController#_calculateBoost()` can be exploited to gain an unfair advantage in reward distribution

medium

Flawed Boost Multiplier Calculation Always Yields Maximum Boost

low

Limited veRAAC Token Supply Triggers DoS, Hampering Proper Governance Participation.

low

`FeeCollector::updateFeeType` wrong fee share validation makes updates impossible for some fee types

low

Insufficient ETH Forwarding in Governance Execution Mechanism Causes Proposal Failures

Jan '25

Liquid Ron

0.03 USDC • 1 total finding • Code4rena • roccomania

#10

high

The calculation of `totalAssets()` can be wrong if `operatorFeeAmount` > 0, which can cause a loss for new depositors