santiellena

Security Researcher

Systems Engineering student from Argentina.

High: 14 Total
Medium: 1 Solo, 15 Total

Total Earnings: $4.98K (#747 All Time)

Placements: 12x Payouts (regular), 7x Top 10 (regular), 10x Top 25 (regular), 11x Top 50 (regular)

Apr '25

ZKP2P V2

480.87 OP • Sherlock • santiellena

#7

Findings not publicly available for private contests.

Mar '25

Symmio, Staking and Vesting

0.00 USDC • 1 total finding • Sherlock • santiellena

#18

medium

Endless Reward Period Vulnerability with 1 wei Reward Additions

badger-ebtc-bsm

14.85 USDC • 1 total finding • Cantina • santiellena

#31

high

Finding not yet public.

Jan '25

Liquid Ron

0.03 USDC • 1 total finding • Code4rena • santiellena

#10

high

The calculation of `totalAssets()` could be wrong if `operatorFeeAmount` > 0, which can cause a loss for new depositors

reserve-index-dtf

319.43 USDC • 1 total finding • Cantina • santiellena

#5

medium

Finding not yet public.

Dec '24

Autonomint Colored Dollar V1

803.17 OP • 17 total findings • Sherlock • santiellena

#7

high

In `Borrowing::depositTokens`, `strikePrice` is introduced by the user but it should be calculated based on `strikePercent` to avoid manipulation

high

`Borrowing::redeemYields` debits `ABOND` from `msg.sender` but redeems to `user` using `ABOND.State` data from `user`

high

Downside protection never ends, so renewing options is useless and `CDS` depositors are unfairly rewarded.

high

Liquidation type 2 does not update the deposit as liquidated

high

`usdaPrice` and `usdtPrice` are parameters used to calculate redeemable amount of `USDT` that allow anyone to drain the vault

high

Race condition when updating `GlobalVariables` data across chains

high

`LiquidationType.TWO` incorrectly updates `liquidationInfo` as empty in `CDS` of the other chain in an index that was already used

high

Liquidation type 1 incorrectly refunds to `user` instead of `msg.sender` allowing `user` to DoS liquidations of his positions

high

`ABONDToken::transferFrom` does not work as intended and allows theft of ETH funds from `Treasury`

high

`usdaGainedFromLiquidation` is not increased in the liquidation flow leading to stuck funds

medium

In `Borrowing::depositTokens`, `ethVolatility` is supplied by the user and has no sanity checks, leading to incorrect option fee pricing

medium

`noOfBorrowers` in `Treasury` can be manipulated affecting cumulative rate calculation and DOSing exit of users from the system

medium

ETH sent to cover Layer Zero execution fees is not refunded

medium

Liquidation type 2 will always revert because it never gets from `Treasury` the `amount` of `ETH` needed to deposit in `synthetix`

medium

Looping over unbounded `omniChainCDSLiqIndexToInfo` can lead to permanent DoS and frozen funds

medium

Lack of access control in `MultiSig::executeSetterFunction` allows DoS of setter functions in `Borrowing` and `CDS`

medium

Reentrant call in `Treasury::withdrawFromExternalProtocol` during the `Borrowing::redeemYields` flow allows theft of `Treasury` ETH

Nov '24

Nouns DAO - Auction Streams

200.30 USDC • Sherlock • santiellena

#19

Jul '24

Exactly Protocol Update - Staking Contract

52.40 USDC • 1 total finding • Sherlock • santiellena

#7

medium

Rewards `rate` calculation leads to under-allocation and funds stuck

Apr '24

Exactly Protocol

1,588.37 USDC • 2 total findings • Sherlock • santiellena

#7

medium

Liquidation does not prioritize lowest LTV tokens

medium

Fixed fees calculation rounds down, allowing borrowers to take debt at zero cost

Mar '24

Revert Lend

838.82 USDC • 2 total findings • Code4rena • santiellena

#13

high

V3Utils.execute() does not have caller validation, leading to stolen NFT positions from users

high

`V3Vault.sol` permit signature does not check receiving token address is USDC

Feb '24

Jala Swap

618.45 USDC • 2 total findings • Sherlock • santiellena

#4

medium

`JalaPair::_update` reverts due to underflow

medium

`permit` function not implemented on `JalaPair`

Jan '24

Salty.IO

59.44 USDC • 1 total finding • Code4rena • santiellena

#86

medium

The user who withdraws liquidity from a particular pool is able to claim more rewards than he duly deserves by carefully selecting a `decreaseShareAmount` value such that the `virtualRewardsToRemove` is rounded down to zero