
toshii

Security Researcher

bug huntoor


High: 41 total
Medium: 36 total
Total earnings: $20.46K (#366 All Time)
Payouts: 26x
3rd places: 2x
Top 10: 6x
Top 25: 17x


Jan '24

Salty.IO
951.01 USDC • 10 total findings • Code4rena • Toshii • #16
[high] When borrowers repay USDS, it is sent to the wrong address, allowing anyone to burn Protocol Owned Liquidity and build bad debt for USDS
[high] User can evade `liquidation` by depositing the minimum of tokens and gain time to not be liquidated
[high] First depositor can break staking-rewards accounting
[high] First Liquidity provider can claim all initial pool rewards
[medium] Attacker Can Inflate LP Position Value To Create a Bad Debt Loan
[medium] Chainlink price feed uses BTC, not WBTC. In case of depegging, oracles will become easier to manipulate.
[medium] SALT staker can get extra voting power by simply unstaking their xSALT
[medium] Unwhitelisting does not clear _arbitrageProfits, so re-whitelisting may result in an unfair distribution of liquidity rewards.
[medium] Absence of autonomous mechanism for `selling collateral assets in the external market in exchange for USDS` will cause undercollateralization during market crashes and will cause USDS to depeg.
[medium] If there is only one USDS borrower, he can never be liquidated

Dec '23

stake.link
976.05 USDC • 2 total findings • CodeHawks • toshii • #5
[high] A user can steal an already transferred and bridged reSDL lock because of approval
[medium] Attacker can exploit lock update logic on secondary chains to increase the amount of rewards sent to a specific secondary chain

Oct '23

NextGen
265.54 USDC • 3 total findings • Code4rena • Toshii • #39
[high] Attacker can drain all ETH from AuctionDemo when block.timestamp == auctionEndTime
[high] Attacker can reenter to mint all the collection supply
[high] Adversary can block `claimAuction()` due to push-strategy to transfer assets to multiple bidders

The Wildcat Protocol
1,027.05 USDC • 3 total findings • Code4rena • Toshii • #4
[high] Borrower has no way to update `maxTotalSupply` of `market` or close market.
[medium] Function WildcatMarketController.setAnnualInterestBips allows for values outside the factory range
[medium] When a batch of withdrawals expires, that batch is often underpaid its owed interest

Sep '23

Allo V2
2.77 USDC • 3 total findings • Sherlock • toshii • #64
[high] Whitelisted allocators in QVSimpleStrategy can vote an infinite number of times (~inf voice credits), breaking the voting system
[medium] When `useRegistryAnchor` is true, RFPSimpleStrategy is bricked and all calls to `_registerRecipient` will revert
[medium] Voice credits cast are incorrectly updated for recipients, allowing allocators to game voting to increase votes for their chosen recipient

DittoETH
217.86 USDC • 2 total findings • CodeHawks • toshii • #27
[high] Users Lose Funds and Market Functionality Breaks When Market Reaches 65k Id
[low] LibOracle fails to check the fidelity of price data from WETH/USDC pool, which can lead to price manipulation

Aug '23

Dopex
7,140.85 USDC • 8 total findings • Code4rena • Toshii • 3rd place (bronze)
[high] The settle feature will be broken if an attacker arbitrarily transfers collateral tokens to the PerpetualAtlanticVaultLP
[high] Improper precision of strike price calculation can result in broken protocol
[high] The peg stability module can be compromised by forcing lowerDepeg to revert.
[high] Users can get immediate profit when depositing and redeeming in `PerpetualAtlanticVaultLP`
[medium] _curveSwap: getDpxEthPrice and getEthPrice are in the wrong order
[medium] In reLP(), the mintokenAAmount calculations are wrong.
[medium] Bonding WETH discounts can drain WETH reserves of RdpxV2Core contract to zero
[medium] Cannot withdraw RDPX if WETH withdrawn is zero

Sparkn
199.37 USDC • 2 total findings • CodeHawks • toshii • #24
[high] The same signature can be used in different `distribution` implementations, so the caller who owns the signature can distribute on unauthorized implementations
[low] Owner can incorrectly pull funds from contests not yet expired

Tangible Caviar
278.26 USDC • Code4rena • Toshii • #34

Jul '23

Beedle - Oracle free perpetual lending
75.14 USDC • 8 total findings • CodeHawks • toshii • #53
[high] Sandwich attack to steal all ERC-20 tokens in the Fees contract
[high] During refinance() new Pool balance debt is subtracted twice
[high] [H-04] Lender#buyLoan - Malicious user could take over a loan for free without having a pool because of wrong access control
[high] Fee on transfer tokens will cause users to lose funds
[high] Forcing a borrower to pay a huge debt via giveLoan()
[high] WETH staking rewards accumulated before the first staker deposits remain unutilized and stuck in the `Staking` contract
[medium] The `borrow` and `refinance` functions can be front-run by the pool lender to set high interest rates
[medium] Fixed fee level is used when swapping tokens on Uniswap

Foundry DeFi Stablecoin CodeHawks Audit Contest
3.10 USDC • 2 total findings • CodeHawks • toshii • #107
[high] Theft of collateral tokens with fewer than 18 decimals
[medium] Too many DSC tokens can get minted for fee-on-transfer tokens.

CodeHawks Escrow Contract - Competition Details
269.15 USDC • 3 total findings • CodeHawks • toshii • #23
[medium] Fee-on-transfer tokens aren't supported
[medium] [H-01] Lack of emergency withdraw function when no arbiter is set
[gas] Add methods to add/update arbiter in existing Escrow contracts

Axelar Network
755.24 USDC • 2 total findings • Code4rena • Toshii • #15
[medium] Gas fees are refunded to a wrong address when transferring tokens via `InterchainToken.interchainTransferFrom`
[medium] Proposal requiring native coin transfers cannot be executed

Dinari
1,823.11 USDC • 1 total finding • Sherlock • toshii • #5
[high] Users can circumvent blacklist to continue to receive and send tokens

Jun '23

Lybra Finance
841.64 USDC • 5 total findings • Code4rena • Toshii • #13
[medium] Incorrect function call in LybraRETHVault's getAssetPrice
[medium] Understatement of `poolTotalPeUSDCirculation` amounts due to incorrect accounting after function `_repay` is called
[medium] Incorrect Reward Distribution Calculation in `ProtocolRewardsPool`
[medium] `stakerewardV2pool.withdraw()` should check the user's boost lock status.
[medium] The EUSDMiningIncentives contract is incorrectly implemented and can allow for more than the intended amount of rewards to be minted

RealWagmi
136.66 USDC • 1 total finding • Sherlock • toshii • #16
[high] Attacker can bypass fee accounting and effectively steal all fees from any Multipool contract

Llama
3,075.56 USDC • 3 total findings • Code4rena • Toshii • #5
[high] In `LlamaRelativeQuorum`, the governance result might be incorrect as it counts the wrong approval/disapproval.
[medium] It is not possible to execute actions that require ETH (or other protocol token)
[medium] LlamaPolicy could be DoSed by creating a large number of actions.

Unitas Protocol
81.25 USDC • 1 total finding • Sherlock • toshii • #18
[medium] Fetching asset prices from oracle does not check for stale prices, which can lead to invalid prices for assets

May '23

Iron Bank
0.03 USDC • 2 total findings • Sherlock • toshii • #23
[medium] Lack of checking for stale price data from chainlink oracles can potentially lead to incorrect prices
[medium] Improper oracle integration due to lack of accounting for sequencer downtime for L2 chains

Eco Protocol
571.13 USDC • 1 total finding • Sherlock • toshii • 3rd place (bronze)
[high] Potential loss of funds when transferring tokens from L2 to L1 due to two-step `inflationMultiplier` update

USSD - Autonomous Secure Dollar
41.55 USDC • 7 total findings • Sherlock • toshii • #45
[high] Lack of access control on `mintRebalancer` function can lead to bricking core protocol functionality
[high] Lack of any slippage protection can result in all swaps getting sandwiched
[high] Multiple incorrect oracle configurations will lead to drastically incorrect prices for collateral
[high] Denial of service for the `SellUSSDBuyCollateral` function when the collateral value for DAI is less than its specified flutter ratio
[high] The equation for calculating `amountToSellUnits` in the `BuyUSSDSellCollateral` function is incorrect and breaks entire functionality
[medium] Lack of checking for stale price data from chainlink oracles can potentially lead to incorrect results and excessive arbitrage opportunities
[medium] Denial of service for `BuyUSSDSellCollateral` when the collateral value for DAI is less than `amountToBuyLeftUSD`

Footium
120.87 USDC • 1 total finding • Sherlock • toshii • #20
[high] Excessive approvals in FootiumEscrow allows attacker to steal all players from club after transferring the club to another user

Apr '23

Rubicon v2
957.93 USDC • 3 total findings • Code4rena • Toshii • #12
[high] Wrong calculation of repayment amount in Position contract
[high] Reward accounting is incorrect in BathBuddy contract
[medium] Calling `Position._marketBuy` and `Position._marketSell` functions that calculate `_fee` by dividing by `10000` can cause incorrect calculations

Mar '23

Asymmetry contest
0.14 USDC • 1 total finding • Code4rena • Toshii • #126
[high] Staking, unstaking and rebalanceToWeight can be sandwiched (mainly rETH deposit)

Y2K
491.32 USDC • 5 total findings • Sherlock • toshii • #30
[high] Any user can trivially circumvent deposit fee to deposit free of charge at any point in time before an epoch begins
[high] All users in the rollover queue can be griefed/forced to lose their earnings
[high] Attacker can actively perform denial of service, by selectively preventing depositors from entering rollover queue
[high] Attacker can cause permanent denial of service, blocking all rollovers indefinitely
[medium] Attacker can drain all funds from a vault if a depegging event happens prior to any epoch starting

Neo Tokyo contest
154.74 USDC • 1 total finding • Code4rena • Toshii • #18
[high] Underflow of `lpPosition.points` during withdrawLP causes huge reward minting