
roguereddwarf

Security Researcher

High: 1 solo, 49 total
Medium: 9 solo, 63 total
Total earnings: $186.33K (#49 all time)
Payouts: 19x
1st places (gold): 5x
2nd places (silver): 3x
3rd places (bronze): 1x

Oct '23

Aloe
33,392.41 USDC • 7 total findings • Sherlock • roguereddwarf
gold

[high] Implied Volatility can be manipulated and takes a long time to recover, which can lead to bad debt
[high] Oracle.sol: manipulation via increasing Uniswap V3 pool observationCardinality
[high] Borrower.sol: Health check uses stale liabilities
[medium] governor can permanently prevent withdrawals in spite of being restricted
[medium] Couriers can be cheated out of earning fees due to frontrunning
[medium] Lender.sol: Incorrect rewards accounting for RESERVE address in _transfer function
[medium] Oracle.sol: observe function has overflow risk and should cast to uint256 like Uniswap V3 does

Jul '23

Foundry DeFi Stablecoin CodeHawks Audit Contest
16.55 USDC • 2 total findings • CodeHawks • HollaDieWaldfee
#67

[high] Theft of collateral tokens with fewer than 18 decimals
[medium] Anyone can burn **DecentralizedStableCoin** tokens with `burnFrom` function

May '23

Perennial
58,012.93 USDC • 6 total findings • Sherlock • roguereddwarf
gold

[high] BalancedVault.sol: loss of funds + global settlement flywheel / user settlement flywheels getting out of sync
[medium] Missing Sequencer Uptime Feed check can cause unfair liquidations on Arbitrum
[medium] ChainlinkAggregator: binary search for roundId does not work correctly and Oracle can even end up temporarily DOSed
[medium] Payoff definitions that can cross zero price are not supported
[medium] BalancedVault.sol: Early depositor can manipulate exchange rate and steal funds
[medium] BalancedVault.sol: claim can be impossible due to unsigned integer underflow

DODO Margin Trading
11,394.07 USDC • 2 total findings • Sherlock • roguereddwarf
gold

[high] MarginTrading.sol: Missing flash loan initiator check allows attacker to open trades, close trades and steal funds
[medium] MarginTrading.sol: The whole balance, and not just the traded funds, is deposited into Aave when a trade is opened

Mar '23

Asymmetry contest
632.87 USDC • 7 total findings • Code4rena • HollaDieWaldfee
#13

[high] Staking, unstaking and rebalanceToWeight can be sandwiched (mainly rETH deposit)
[high] Reth.sol: Withdrawals are unreliable and depend on excess RocketDepositPool balance, which can brick the whole protocol
[high] `WstEth` derivative assumes a ~1:1 peg of stETH to ETH
[high] Price of sfrxEth derivative is calculated incorrectly
[high] Users can fail to unstake and lose their deserved ETH because a malfunctioning or untrusted derivative cannot be removed
[medium] DoS due to external call failure
[medium] Missing derivative limit and deposit availability checks will revert the whole `stake()` function

Y2K
3,224.47 USDC • 12 total findings • Sherlock • roguereddwarf
bronze

[high] Carousel: enlistInRollover function sets wrong rollover queue index in the case of updating an existing rollover, which bricks the rollover functionality
[high] Carousel: minting ERC1155 performs callback which can cause revert and brick rollover queue and deposit queue, which leads to complete loss of funds in the deposit queue
[high] Carousel: When a rollover is delisted it can prevent another rollover from being processed
[high] Carousel.mintRollovers function loses all profit when rolling over
[high] Carousel: Deposit fee can be bypassed
[medium] ControllerPeggedAssetV2: `triggerEndEpoch` function can be called even if the epoch is a null epoch, leading to loss of funds
[medium] VaultFactoryV2.changeTreasury function does not set correct treasury
[medium] VaultV2: `epochHasNotStarted` and `epochHasStarted` modifiers are not well-defined, which can lead to loss of user funds
[medium] VaultV2: Ongoing epoch can be managed by non-whitelisted controller
[medium] Carousel: emission tokens are lost if epoch has no deposits (NULL epoch)
[medium] Carousel.mintRollovers function: relayerFee that is subtracted from assets is too high
[medium] ControllerPeggedAssetV2: outdated price may be used, which can lead to wrong depeg events

Taurus
9,051.24 USDC • 4 total findings • Sherlock • roguereddwarf
gold

[high] Protocol breaks with collateral that does not have 18 decimals
[high] Missing input validation for _rewardProportion parameter allows keeper to escalate his privileges and pay back all loans
[medium] SwapHandler.sol: Check that collateral token cannot be swapped is insufficient for tokens with multiple addresses
[medium] BaseVault: liquidationSurcharge amount is too high if collateralToLiquidate gets capped

Feb '23

Hats
6,594.21 USDC • 11 total findings • Sherlock • roguereddwarf
silver

[high] HatsSignerGateBase: signers can add / remove / swap signers, which bypasses the HSG logic and can lead to multiple bad outcomes including DOS and increased control over Safe
[high] HatsSignerGateBase: valid signer threshold can be bypassed because HSG checks signatures differently from Safe, which allows exploitation
[high] HatsSignerGate + MultiHatsSignerGate: more than maxSignatures can be claimed, which leads to DOS in reconcileSignerCount
[high] HatsSignerGateBase: reconcileSignerCount function might set threshold too high
[high] Safe can no longer execute transactions when module other than HatsSignerCreate enables a module
[high] Signers can backdoor the Safe by swapping modules to execute any transaction in the future without consensus
[high] HatsSignerGateBase: _removeSigner function may revert so it is not possible to remove a signer
[high] Hats.sol: linkedTreeRequests entry should be deleted when unlinking
[medium] Hats.uri function can be DOSed by providing large details or imageURI string, or cause large gas fees
[medium] Hats.balanceOfBatch returns wrong result
[medium] HatsSignerGateFactory: Should revert if there are more than 5 existing modules

OpenQ
288.27 USDC • 6 total findings • Sherlock • HollaDieWaldfee
#23

[high] Attacker can deposit and refund NFT, which leads to DOS in claim functionality
[high] Attacker can fund bounty with malicious ERC20 and block payouts
[high] Unbounded loop in BountyCore.getLockedFunds function leads to DOS in DepositManagerV1.refundDeposit function
[medium] Anybody can fund bounty with worthless NFTs, thereby not allowing any further NFT funding
[medium] When tokenAddresses set has reached TOKEN_ADDRESS_LIMIT, tokens that are contained in the tokenAddresses set cannot be used for funding
[medium] Remaining funds cannot be refunded after partial refund

Jan '23

RabbitHole Quest Protocol contest
271.96 USDC • 4 total findings • Code4rena • HollaDieWaldfee
#19

[high] Protocol fees can be withdrawn multiple times in `Erc20Quest`
[medium] Funds can be stuck due to wrong order of operations
[medium] Users may not claim Erc1155 rewards when the Quest has ended
[medium] User may lose rewards if the receipt is minted after quest end time

Drips Protocol contest
21,049.36 USDC • 1 total finding • Code4rena • HollaDieWaldfee
silver

[high] Drips that end after the current cycle but before its creation can allow users to profit from squeezing

Cooler
336.33 USDC • 4 total findings • Sherlock • HollaDieWaldfee
#9

[high] Use safe ERC20 operations
[high] Cooler: roll function should set `loan.rollable` to `false` when called
[medium] Cooler: repay function can be front-run so the borrower's transaction reverts
[medium] Cooler: loan should start out not rollable

Reserve contest
26,021.41 USDC • 7 total findings • Code4rena • HollaDieWaldfee
gold

[high] Basket range formula is inefficient, leading the protocol to take an unnecessary haircut
[medium] RecollateralizationLib: Dust loss for an asset should be capped at its low value
[medium] BackingManager: rTokens might not be redeemable when protocol is paused due to missing token allowance
[medium] Attacker can prevent vesting for a very long time
[medium] BackingManager: rsr is distributed across all rsr revenue destinations, which is a loss for rsr stakers
[medium] BasketHandler: Users might not be able to redeem their rToken when protocol is paused due to refreshBasket function
[medium] StRSR: seizeRSR function fails to update rsrRewardsAtLastPayout variable

UXD Protocol
1,342.29 USDC • 5 total findings • Sherlock • HollaDieWaldfee
#10

[high] PerpDepository: rebalance function is unusable with sqrtPriceLimitX96 parameter not equal to 0 (slippage protection cannot be enabled)
[high] If a user approves USDC to PerpDepository, anyone can call rebalance and rebalanceLite
[medium] PerpDepository: _rebalanceNegativePnlWithSwap function deposits USDC amount denominated in 1e18 to vault
[medium] PerpDepository: user can lose funds in _rebalanceNegativePnlLite function due to partial order execution
[medium] PerpDepository: getDebtValue function uses wrong formula to calculate result

Dec '22

Papr contest
3,222.01 USDC • 4 total findings • Code4rena • HollaDieWaldfee
#4

[high] Borrowers may earn auction proceeds without filling the debt shortfall
[medium] PaprController.buyAndReduceDebt: msg.sender can lose paper by paying the debt twice
[medium] `PaprController` pays swap fee in `buyAndReduceDebt`, not user
[medium] Griefing attack by failing user's transactions

GoGoPool contest
5,254.39 USDC • 13 total findings • Code4rena • HollaDieWaldfee
silver

[high] MinipoolManager: node operator can avoid being slashed
[high] Hijacking of node operator's minipool causes loss of staked funds
[high] Node operator is getting slashed for full duration even though rewards are distributed based on a 14 day cycle
[high] AVAX Assigned High Water is updated incorrectly
[medium] TokenggAVAX: maxDeposit and maxMint return wrong value when contract is paused
[medium] MinipoolManager: recordStakingError function does not decrease minipoolCount, leading to too high GGP rewards for staker
[medium] Wrong reward distribution between early and late depositors because of the late syncRewards() call in the cycle; syncReward() logic should be executed in each withdraw or deposit (without reverting)
[medium] Slashing fails when node operator doesn't have enough staked `GGP`
[medium] State Transition: Minipools can be created using other operator's AVAX deposit via recreateMinipool
[medium] Inflation rate can be reduced by half at most if it gets called every 1.99 intervals
[medium] Bypass `whenNotPaused` modifier
[medium] `requireNextActiveMultisig` will always return the first enabled multisig, which increases the probability of stuck minipools
[medium] Coding logic of the contract upgrading renders upgrading contracts impractical

Tigris Trade contest
1,790.07 USDC • 7 total findings • Code4rena • HollaDieWaldfee
#11

[high] Malicious user can steal all assets in BondNFT
[high] Lock.sol: assets deposited with Lock.extendLock function are lost
[high] Not enough margin pulled or burned from user when adding to a position
[medium] `safeTransferMany()` doesn't actually use safe transfer
[medium] `executeLimitOrder()` modifies open-interest with a wrong position value
[medium] Unreleased locks cause the reward distribution to be flawed in BondNFT
[medium] Lock.sol: claimGovFees function can cause assets to be stuck in the Lock contract

Escher contest
1,530.63 USDC • 6 total findings • Code4rena • HollaDieWaldfee
#7

[high] `LPDA` price can underflow due to bad settings and potentially brick the contract
[high] `saleReceiver` and `feeReceiver` can steal refunds after sale has ended
[medium] Sale contracts can be bricked if any other minter mints a token with an id that overlaps the sale
[medium] Creator can still "cancel" a sale after it has started by revoking permissions in `OpenEdition` contract
[medium] Escher721 contract does not have setTokenRoyalty function
[medium] Use of `payable.transfer()` might render ETH impossible to withdraw

Nov '22

Isomorph
2,905.40 USDC • 4 total findings • Sherlock • HollaDieWaldfee
#4

[high] Vault_Synths: false calculation of USD debt allows under-collateralized loans
[high] Depositor.sol: Funds can be withdrawn from any Depositor contract, leading to loss of rewards and funds
[high] Depositor.sol: Allowing withdrawals when Depositor is approved is unsafe and can lead to loss of funds
[medium] Virtual price is not updated correctly, which leads to less interest needing to be paid