
tjonair

Security Researcher

Findings: 15 High, 15 Medium
Total earnings: $4.05K (#803 all time)
Payouts: 16x (regular)
Top 10 finishes: 3x (regular)
Top 25 finishes: 12x (regular)
Top 50 finishes: 13x (regular)


Mar '25

Forte: Float128 Solidity Library
508.37 USDC • 2 total findings • Code4rena (as YouCrossTheLineAlfie) • rank #10
- [high] Unwrapping while equating inside the `eq` function fails to account for the set `L_MATISSA_FLAG`
- [high] Sqrt function silently reverts the entire control flow when a packed float of 0 value is passed

Feb '25

THORWallet
0 USDC • 1 total finding • Code4rena (as YouCrossTheLineAlfie) • rank #10
- [medium] Improper Transfer Restrictions on Non-Bridged Tokens Due to Boolean Bridged Token Tracking, Allowing a DoS Attack Vector

Jan '25

Liquid Ron
0.03 USDC • 2 total findings • Code4rena (as YouCrossTheLineAlfie) • rank #10
- [high] The calculation of `totalAssets()` could be wrong if `operatorFeeAmount` > 0, this can cause potential loss for the new depositors
- [medium] Incorrect Logic in onlyOperator Modifier Leading to Denial-of-Service for Authorized Operators Across Critical Functions

Aave v3.3
594.07 USDC • Sherlock (as tjonair) • rank #39

Ignite
15.29 USDC • CodeHawks (as tejaswarambhe) • rank #21

Dec '24

QuantAMM
961.88 OP • 2 total findings • CodeHawks (as tejaswarambhe) • rank #13
- [low] Incorrect event emission can be done as a griefing attack
- [low] Inability to update `oracleStalenessThreshold` can lead to incorrect weight calculations

SecondSwap
0.03 USDC • 2 total findings • Code4rena (as YouCrossTheLineAlfie) • rank #66
- [high] Users can claim more than their actual allotment
- [medium] Incorrect referral fee calculations

Autonomint Colored Dollar V1
236.37 OP • 8 total findings • Sherlock (as tjonair) • rank #12
- [high] Accounting error in `Abond_Token::transferFrom` leads to broken functionality and loss of funds
- [high] Lack of input validation in `borrowing::redeemYields` allows anyone to redeem abond tokens as per someone else's `ethBacked` abond state
- [high] Re-usable signatures can lead to loss of funds
- [high] Lack of expiry in signatures can lead to hoarding signatures for a profitable `CDS:withdraw` in future
- [high] Users can renew options at any time
- [medium] Malicious actor can DoS admin functions due to lack of access control
- [medium] Stale `lastEthprice` used in `borrowing::depositTokens` will artificially inflate/deflate the ratio
- [medium] Protected downside is not updated when `cds.getTotalCdsDepositedAmount() < downsideProtected`

Nov '24

Ethos Network Financial Contracts
279.56 USDC • 2 total findings • Sherlock (as tjonair) • rank #16
- [high] Users can game the voucher pool fees, denying other vouchers their rightful fees
- [high] Incorrect `marketFunds` accounting will lead to loss of funds

Nouns DAO - Auction Streams
136.64 USDC • Sherlock (as tjonair) • rank #24

Debita Finance V3
544.58 USDC • 3 total findings • Sherlock (as tjonair) • rank #13
- [medium] Attacker can deny lend order cancellation for others, leading to loss of funds
- [medium] Improper handling of token order in `MixOracle.sol` will lead to a bricked/incorrect price feed
- [medium] Malicious actor can match his own lend and borrow order using a flash loan to inflate incentives at end of epoch

Oct '24

Dria
73.95 USDC • 5 total findings • CodeHawks (as tejaswarambhe) • rank #18
- [high] Subtraction in `variance()` will revert due to underflow
- [medium] Request responses and validations can be mocked, leading to extraction of fees and/or forcing other generators to lose their fees by making them outliers
- [medium] Unrestricted validation score range for validators in `LLMOracleCoordinator::validate`
- [medium] Users can list assets with price < 1 ERC20 (ETH, WETH), leading to a potential DoS vulnerability
- [low] Incorrect Proof-of-Work Difficulty Check in `assertValidNonce` Function

stakeup-bloomv2
44.31 USDC • 2 total findings • Cantina (as unpluggedtj) • rank #71
- [high] Finding not yet public.
- [medium] Finding not yet public.

Sep '24

Liquid Staking
615.93 USDC • 1 total finding • CodeHawks (as tejaswarambhe) • rank #17
- [medium] Griefer can permanently DoS all deposits to the `StakingPool`

Aug '24

Winnables Raffles
33.41 USDC • 2 total findings • Sherlock (as tjonair) • rank #22
- [high] H-1: Raffle termination due to insufficient checks in `WinnablesTicketManager::_checkShouldCancel`
- [medium] M-1: `setCCIPCounterpart()` allows admin to deny raffle winner from claiming prize

Feb '24

AI Arena
2.06 USDC • 1 total finding • Code4rena (as YouCrossTheLineAlfie) • rank #157
- [high] Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win