sonny2k
Security Researcher
@CodeHawks janitor

High: 16 total (1 solo)
Medium: 11 total (1 solo)
Total earnings: $14.95K (#431 all time)
Payouts: 10x
2nd places (silver): 1x
3rd places (bronze): 2x
Top 10 (regular): 5x


Aug '24: Fjord Token Staking
0.19 USDC • 1 total finding • CodeHawks • sonny2k • rank #20
  Medium: [H-01] Auction tokens will be lost forever when auction ends without bids

Jul '24: Velocimeter
2,963.48 USDC • 6 total findings • Sherlock • sonny2k • rank #5
  High: _checkpoint_total_supply() can checkpoint before a timestamp is complete
  High: Claimable gauge distributions are locked when killGaugeTotally is called
  High: Voters who withdraw ve tokens risk losing gained bribes rewards
  High: Griefing an account from getting votes delegated to it
  Medium: DOS can be caused by first liquidity provider of a stable pair
  Medium: Bribe and fee token emissions can be gamed by users

May '24: Metrom
193 DAI • 1 total finding • Hats • sonny2k • 3rd place (bronze)
  Medium: distributeRewards function allows duplicate campaigns to be submitted by the updater

Feb '24: Fenix Finance
10,000 USDC • 1 total finding • Hats • sonny2k • 2nd place (silver)
  High: First liquidity provider of a stable pair can DOS the pool

Jan '24: Telcoin Platform Audit
2.64 USDC • 1 total finding • Sherlock • sonny2k • rank #9
  High: Removing the item in array without preserving the array index making other functions unusable in CouncilMember.sol: burn() and StakingRewardsManager.sol: removeStakingRewardsContract()
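The finding title above names a bug class that recurs across Solidity codebases: an array entry is removed by swap-and-pop, but the per-item index that other functions rely on is not updated for the element that was moved. The following is a constructed illustration added here to show that class and its fix; it is not code from the audited Telcoin contracts, and the contract names, `members`, `indexOf`, `add`, `remove` and `lookup` are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of the bug class only; not code from the audited
// Telcoin contracts. Contract and member names are assumptions.
contract RegistryBuggy {
    address[] public members;
    // 1-based position of each member in `members`; 0 means "not registered"
    mapping(address => uint256) public indexOf;

    function add(address m) external {
        require(indexOf[m] == 0, "already registered");
        members.push(m);
        indexOf[m] = members.length;
    }

    // BUG: swap-and-pop moves the last member into the freed slot, but the
    // moved member's indexOf entry is never updated and still points at the
    // old last slot, which no longer exists after pop().
    function remove(address m) external {
        uint256 pos = indexOf[m];
        require(pos != 0, "not registered");
        uint256 last = members.length - 1;
        members[pos - 1] = members[last];
        members.pop();
        delete indexOf[m];
    }

    // Every function that trusts indexOf after a removal is now broken:
    // after add(A); add(B); add(C); remove(A) the array is [C, B] but
    // indexOf[C] is still 3, so lookup(C) and remove(C) both touch
    // members[2] and revert with an out-of-bounds panic. C can never be removed.
    function lookup(address m) external view returns (address) {
        return members[indexOf[m] - 1];
    }
}

contract RegistryFixed {
    address[] public members;
    mapping(address => uint256) public indexOf;

    function add(address m) external {
        require(indexOf[m] == 0, "already registered");
        members.push(m);
        indexOf[m] = members.length;
    }

    function remove(address m) external {
        uint256 pos = indexOf[m];
        require(pos != 0, "not registered");
        uint256 last = members.length - 1;
        if (pos - 1 != last) {
            address moved = members[last];
            members[pos - 1] = moved;
            indexOf[moved] = pos; // keep the moved member's index in sync
        }
        members.pop();
        delete indexOf[m];
    }

    function lookup(address m) external view returns (address) {
        require(indexOf[m] != 0, "not registered");
        return members[indexOf[m] - 1];
    }
}
```

When reviewing removal logic, trace one concrete sequence (add three, remove the first, then operate on the one that was moved) against every mapping that stores a position; the stale entry shows up immediately, and in the buggy version the moved element becomes permanently unremovable, which is exactly the "other functions unusable" effect the title describes.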

Dec '23: The Standard
0.16 USDC • 2 total findings • CodeHawks • sonny2k • rank #96
  High: Looping over unbounded `pendingStakes` array can lead to permanent DoS and frozen funds
  Medium: Missing deadline check allows pending transactions to be maliciously executed
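The high finding above describes the unbounded-loop class: a function iterates an array that any user can grow, so an attacker can pad it until the loop no longer fits in a block and every caller reverts. The following is a constructed illustration added here, not code from the audited The Standard contracts; `Stake`, `pendingStakes`, `settle`, `settled`, `MIN_STAKE` and `nextToSettle` are assumed names, and the bounded version shows the two usual mitigations (a minimum deposit that makes padding expensive, and a cursor that caps work per call) alongside a per-user withdrawal path that never touches the array.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of the unbounded-loop DoS class; not code from the
// audited The Standard contracts. Names (Stake, pendingStakes, settle,
// settled, MIN_STAKE, nextToSettle) are assumptions.
contract PendingStakesUnbounded {
    struct Stake { address owner; uint256 amount; }
    Stake[] public pendingStakes;
    mapping(address => uint256) public settled;

    function stake() external payable {
        require(msg.value > 0, "zero stake");
        pendingStakes.push(Stake(msg.sender, msg.value));
    }

    // VULNERABLE: walks the whole array every time. Anyone can push thousands
    // of 1-wei stakes until this loop no longer fits in a block, after which
    // every call reverts and anything that only moves through settle() is stuck.
    function settle() external {
        for (uint256 i = 0; i < pendingStakes.length; i++) {
            settled[pendingStakes[i].owner] += pendingStakes[i].amount;
        }
        delete pendingStakes;
    }
}

contract PendingStakesBounded {
    struct Stake { address owner; uint256 amount; }
    Stake[] public pendingStakes;
    mapping(address => uint256) public settled;
    uint256 public constant MIN_STAKE = 0.01 ether; // padding the array now costs real money
    uint256 public nextToSettle;                    // cursor: first unsettled index

    function stake() external payable {
        require(msg.value >= MIN_STAKE, "below minimum");
        pendingStakes.push(Stake(msg.sender, msg.value));
    }

    // Settles at most `maxItems` entries per call and resumes from the cursor,
    // so the work per transaction is capped regardless of how long the array is.
    function settle(uint256 maxItems) external returns (uint256 processed) {
        uint256 i = nextToSettle;
        uint256 end = i + maxItems;
        if (end > pendingStakes.length) end = pendingStakes.length;
        for (; i < end; i++) {
            settled[pendingStakes[i].owner] += pendingStakes[i].amount;
        }
        processed = i - nextToSettle;
        nextToSettle = i;
    }

    // Per-user withdrawal path that never iterates the array, so a bloated
    // queue cannot block anyone from getting already-settled funds out.
    function withdraw() external {
        uint256 amount = settled[msg.sender];
        settled[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The test a reviewer wants here is simple: can an unprivileged caller increase the iteration count of a loop that a privileged or value-moving function must complete? If yes, and the loop has no cap, the function can be bricked for the cost of gas on the attacker's side. The bounded version still keeps settled entries in the array forever; in a real contract the cursor pattern is usually paired with deleting or compacting already-processed entries.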

Aug '23: Sparkn
6.85 USDC • 3 total findings • CodeHawks • sonny2k • rank #63
  Low: Owner can incorrectly pull funds from contests not yet expired
  Low: Lack of checking the existence of the Proxy contract
  Low: Insufficient validation leads to locking up prize tokens forever

Tangible Caviar
0 USDC • Code4rena • sonny2k • rank #88

Jul '23: Beedle - Oracle free perpetual lending
1,492.37 USDC • 19 total findings • CodeHawks • sonny2k • 3rd place (bronze)
  High: Lender contract can be drained by re-entrancy in `setPool`
  High: Sandwich attack to steal all ERC-20 tokens in the Fees contract
  High: During refinance() new Pool balance debt is subtracted twice
  High: Borrower can bypass maxLoanRatio's configuration of a pool via buyLoan()
  High: [H-04] Lender#buyLoan - Malicious user could take over a loan for free without having a pool because of wrong access control
  High: Using forged/fake lending pools to steal any loan opening for auction
  High: Fee on transfer tokens will cause users to lose funds
  High: Borrower can prevent his/her loan from being liquidated
  High: A pool lender can fully drain another user's pool by abusing `buyLoan`
  Medium: If a borrower or lender got blacklisted by asset contract, their collateral or loan funds can be permanently frozen with the pool
  Medium: No expiration deadline leads to losing a lot of funds
  Medium: Single-step process for critical ownership transfer is risky
  Medium: Lender contract can be drained by re-entrancy in `seizeLoan`
  Low: Lender fails to giveLoan because of inconsistent length between `loadIds` and `poolIds`
  Low: Griefing a lender with dust loans
  Gas: Multiple accesses of a mapping/array should use a local variable cache.
  Gas: += and -= are more expensive
  Gas: Unchecked arithmetic where overflow/underflow impossible
  Gas: Unnecessary If condition in update() of Staking.sol

CodeHawks Escrow Contract - Competition Details
286.68 USDC • 2 total findings • CodeHawks • sonny2k • rank #22
  Medium: Fee-on-transfer tokens aren't supported
  Medium: High - Funds can be lost if any participant is blacklisted