
t0x1c

Security Researcher

I weed out t0x1c bugs from codebases. Since 2007. || Portfolio: https://github.com/t0x1cC0de/int0x1cated-Earnings-and-Progress


High

27

Total

Medium

2

Solo

62

Total

Total Earnings: $55.49K (#162 All Time)
Payouts: 27x
2nd Places: 3x
3rd Places: 3x
Top 10: 16x


Apr '25

Aegis.im YUSD (#4)
45.94 OP • 1 total finding • Sherlock • t0x1c
high: User pays no fee while redeeming due to order of operations

Mar '25

Nudge.xyz (3rd place)
2,258.16 USDC • 2 total findings • Code4rena • t0x1c
medium: Unauthorized Reallocation in `NudgeCampaign::handleReallocation` and Reward Disruption Vulnerability in `NudgeCampaign::invalidateParticipations`
medium: Not verifying that transaction initiator is the actual participator allows malicious user to allocate full reward as Uniswap V2 pool

PinLink: RWA-Tokenized DePIN Marketplace (2nd place)
314.72 USDC • Sherlock • t0x1c

Crestal Network (#11)
2.37 USDC • 1 total finding • Sherlock • t0x1c
medium: Request gets permanently stuck if worker does not deploy

Symmio, Staking and Vesting (#12)
48.59 USDC • 3 total findings • Sherlock • t0x1c
medium: Reward rate can be diluted by attacker
medium: Use of initializer modifier instead of onlyInitializing in Vesting.sol will cause reverts for more than one SymmVesting deployments
medium: Incorrect constraint in resetVestingPlans() blocks admin and users from using acceptable amounts

Feb '25

Usual Labs (#4)
3,880.85 USDC • Sherlock • t0x1c

Rova (3rd place)
0.04 USDC • 1 total finding • Sherlock • t0x1c
medium: Min and max user token allocation checked incorrectly inside updateParticipation()

Liquidity Management (#5)
1,467.09 USDC • 5 total findings • CodeHawks • t0x1c
high: If users withdraw while a position is in loss, the whole PNL of the position to their withdrawal amount instead of just their share of it.
medium: getExecutionGasLimit() reports a lower gas limit due to gasPerSwap miscalculation
medium: User may withdraw more than expected if ADL event happens
low: Protocol Recovery Mechanism at Risk Due to Unhandled Token Transfer Failures
low: `_withdraw` function uses `shortTokenPrice.max` instead of `shortTokenPrice.min` when computing negative PnL adjustment, leading to underestimation of losses and excessive collateral withdrawal

Jan '25

Liquid Ron (#10)
0.03 USDC • 2 total findings • Code4rena • t0x1c
high: The calculation of `totalAssets()` could be wrong if `operatorFeeAmount` > 0, this can cause potential loss for the new depositors
medium: Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

IQ AI (#5)
915.76 USDC • 1 total finding • Code4rena • t0x1c
medium: Attacker can DOS liquidity migration in LiquidityManager.sol

Plaza Finance (#22)
361.36 USDC • 5 total findings • Sherlock • t0x1c
high: Attacker can exploit getCreateAmount() to mint more than expected tokens
high: Protocol loses fee because claimFees() does not claim the accumulated fees as promised
medium: PoolSaleLimit can be breached in auctions as fee is not accounted for in calculations
medium: Flash loan can be used to breach PoolSaleLimit in auctions
medium: Auction can fail if USDC blacklists user after bid placement

Dec '24

Numa (3rd place)
7,318.30 USDC • 2 total findings • Sherlock • t0x1c
medium: Incorrect liquidation mechanics either causes revert on liquidation due to insufficient seizeTokens or causes transition into bad debt
medium: Removal of closeFactorMantissa & maxClose constraints in deprecated markets allows attack vector to worsen protocol's health

Oku's New Order Types Contract Contest (#31)
6.03 OP • 5 total findings • Sherlock • t0x1c
high: OrderID generated by generatedOrderId() may not be unique and can overwrite existing order, causing funds to be lost
high: Funds can be stolen via modifying cancelled orders
high: Attacker can delete other user's orders due to lack of reentrancy protection in cancelOrder()
medium: performUpkeep() may fail when tokenIn is USDT due to allowance change from non-zero to non-zero value inside `execute()`
medium: PythOracle::currentValue() will always revert for prices which are not stale

Nov '24

Ethos Network Financial Contracts (#4)
1,236.80 USDC • 3 total findings • Sherlock • t0x1c
high: Bonding curve logic can be exploited to pay less for buying votes
high: Attacker can steal considerable portion of fee by vouching in two steps instead of one
medium: No slippage protection in `sellVotes()`

Apr '24

Renzo (#33)
156.78 USDC • 6 total findings • Code4rena • t0x1c
high: Incorrect withdraw queue balance in TVL calculation
high: Withdrawals logic allows MEV exploits of TVL changes and zero-slippage zero-fee swaps
medium: Pending withdrawals prevent safe removal of collateral assets
medium: Not handling the failure of cross chain messaging
medium: Lack of slippage and deadline during withdraw and deposit
medium: Withdrawals and Claims are meant to be pausable, but it is not possible in practice

Zivoe (#16)
701.50 USDC • 4 total findings • Sherlock • t0x1c
high: totalSupply is incorrectly calculated during revokeVestingSchedule()
high: depositReward() function reduces rewardRate incorrectly causing delayed reward distribution and can be used by a griefer
medium: OCL_ZVE::forwardYield() is susceptible to price manipulation attack due to the logic inside fetchBasis()
medium: distributeYield() calls earningsTrancheuse() with outdated emaSTT & emaJTT while calculating senior & junior tranche yield distributions

Mar '24

Taiko (2nd place)
19,343.85 USDC • 8 total findings • Code4rena • t0x1c
high: Validity and contest bonds can be incorrectly burned for the correct and ultimately verified transition
medium: Invocation delays are not honoured when protocol unpauses
medium: Proposers would choose to avoid higher tier by exploiting non-randomness of parameter used in getMinTier()
medium: The decision to return the liveness bond depends solely on the last guardian
medium: Incorrect __Essential_init() function is used in TaikoToken making snapshooter devoid of calling snapshot()
medium: Bridge watcher can forge arbitrary message and drain bridge
medium: retryMessage unable to handle edge cases.
medium: Malicious caller of `processMessage()` can pocket the fee while forcing `excessivelySafeCall()` to fail

Feb '24

Wise Lending (#9)
7,145.11 USDC • 2 total findings • Code4rena • t0x1c
high: Exploitation of the receive Function to Steal Funds
medium: User's attempt to deposit & withdraw reverts due to the calculation style inside `_calculateShares()`

AI Arena (#63)
84.47 USDC • 8 total findings • Code4rena • t0x1c
high: Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win
high: Since you can reroll with a different fighterType than the NFT you own, you can reroll bypassing maxRerollsAllowed and reroll attributes based on a different fighterType
high: Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes
high: Fighters cannot be minted after the initial generation due to uninitialized `numElements` mapping
medium: NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on the chain due to underflow, and can recover past losses that can't be recovered (steal protocol's token)
medium: Can mint NFT with the desired attributes by reverting transaction
medium: Constraints of dailyAllowanceReplenishTime and allowanceRemaining during mint() can be bypassed by using alias accounts & safeTransferFrom()
medium: DoS in `MergingPool::claimRewards` function and potential DoS in `RankedBattle::claimNRN` function if called after a significant amount of rounds passed.

Jan '24

Salty.IO (2nd place)
5,264.15 USDC • 10 total findings • Code4rena • t0x1c
medium: Incorrect calculation to check remaining ratio after reward in StableConfig.sol
medium: Incorrect assumption in PoolMath.sol can cause underflow when zapping is used
medium: StakingRewards pools are not given their promised share of rewards due to incorrect calculation
medium: Minimum Collateral Check Can Be Bypassed
medium: Suboptimal arbitrage implementation
medium: changeWallets() can be confirmed immediately after proposalWallets() by manipulating activeTimelock beforehand
medium: Ballots not yet past their deadline are incorrectly looped too by tokenWhitelistingBallotWithTheMostVotes()
medium: Adversary can prevent updating price feed addresses by creating poisonous proposals ending in `_confirm`
medium: SALT staker can get extra voting power by simply unstaking their xSALT
medium: Remove Liquidity has missing reserve1 DUST check, which can make reserve1 to be less than DUST

Dec '23

The Standard (#6)
953.09 USDC • 11 total findings • CodeHawks • t0x1c
high: Rewards can be drained because of lack of access control
high: Looping over unbounded `pendingStakes` array can lead to permanent DoS and frozen funds
medium: No incentive to liquidate small positions could result in protocol going underwater
low: Removal of approved token from token manager can lead to unintended liquidation of vaults
low: `costInEuros` calculation will incur precision loss due to division before multiplication
low: Anyone with TST tokens can monitor the mempool and frontrun mint/burn functions to get EUROs rewards without even staking.
low: Lack of Minimum Amount Check in `SmartVaultV3::mint`, `SmartVaultV3::burn`, and `SmartVaultV3::swap` Can Result in Loss of Fees
low: Griefer can deny holders of their fair share of fees
low: Users with Negligible TST Holdings Might Not Receive Their Share of EUROs Fees
low: Incorrect value returned by position() function
low: User can get liquidated due to incorrect calculateMinimumAmountOut()

Nov '23

Canto Application Specific Dollars and Bonding Curves for 1155s (#31)
1.37 USDC • 1 total finding • Code4rena • t0x1c
medium: No slippage protection for Market functions

Oct '23

NextGen (#12)
882.91 USDC • 5 total findings • Code4rena • t0x1c
high: Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime
high: Attacker can reenter to mint all the collection supply
medium: On a Linear or Exponential Descending Sale Model, a user that mints on the last `block.timestamp` mints at an unexpected price.
medium: Bidder Funds Can Become Unrecoverable Due to 1 second Overlap in `participateToAuction()` and `claimAuction()`
medium: getPrice `salesOption` 2 can round down to the lower barrier, skipping the last time period

The Wildcat Protocol (#31)
236 USDC • 1 total finding • Code4rena • t0x1c
medium: `setAnnualInterestBips()` can be abused to keep a market's reserve ratio at 90%

Sep '23

DittoETH (#7)
2,668.85 USDC • 10 total findings • CodeHawks • t0x1c
high: Users can avoid liquidation while being under the primary liquidation ratio if on the last short record
high: Flag can be overridden by another user
medium: Possible DOS on deposit(), withdraw() and unstake() for BridgeReth, leading to user loss of funds
medium: Rounding-up of user's `cRatio` causes loss for the protocol
medium: Primary short liquidation can not be completed in the last hour of the liquidation timeline
low: Loss of precision in `twapPriceInEther` due to division before multiplication
low: Lack of Duplicate ID Check in combineShorts Function
low: ETH cannot always be unstaked using Rocket Pool
low: Partially filled short does not reset liquidation flag after user gets fully liquidated, meaning healthy position will still be flagged if the rest of the order gets filled.
low: `Errors.InvalidTwapPrice()` is never invoked when `if (twapPriceInEther == 0)` is true

Aug '23

Sparkn (#66)
6.69 USDC • 3 total findings • CodeHawks • t0x1c
medium: Malicious/Compromised organiser can reclaw all funds, stealing work from supporters
low: Owner can incorrectly pull funds from contests not yet expired
low: Centralization Risk for trusted organizers

Jul '23

Foundry DeFi Stablecoin CodeHawks Audit Contest (#10)
189.39 USDC • 7 total findings • CodeHawks • t0x1c
high: Theft of collateral tokens with fewer than 18 decimals
medium: DSC protocol can consume stale price data or cannot operate on some EVM chains
medium: Chainlink oracle will return the wrong price if the aggregator hits `minAnswer`
medium: Lack of fallbacks for price feed oracle
medium: Too many DSC tokens can get minted for fee-on-transfer tokens.
medium: Protocol can break for a token with a proxy and implementation contract (like `TUSD`)
low: Precision loss when calculating the health factor