twicek

Security Researcher

High: 24 total

Medium: 14 total

Total Earnings: $26.83K

#305 All Time

Payouts: 22x

2nd Places (silver): 1x

3rd Places (bronze): 1x

Top 10 (regular): 9x

Sep '24

uniswap-v4

3,977.07 USDC • Cantina • twicek

#26

Jul '24

Union Finance Update #2

937.98 USDC • 2 total findings • Sherlock • twicek

#5

high

Wrong accounting of `_totalStaked` in `UserManager.debtWriteOff`

high

`repayBorrowWithERC20Permit` calls `_repayBorrowFresh` without scaling the `interest` input.

Feb '24

UniStaker Infrastructure

694.3 USDC • Code4rena • twicek

#5

Jan '24

Blast

9,294.72 USDC • 2 total findings • Cantina • twicek

#34

high

Finding not yet public.

medium

Finding not yet public.

Notional Update #5

1,916.77 USDC • 2 total findings • Sherlock • twicek

#5

high

The `wfCashLogic.mintViaUnderlying` function does not calculate residual token balance correctly

medium

USDT cannot be retrieved using the `recover` function

Oct '23

Ethena Labs

4.52 USDC • Code4rena • twicek

#40

Badger eBTC Audit + Certora Formal Verification Competition

19.71 USDC • Code4rena • twicek

#18

Open Dollar

341.16 USDC • 3 total findings • Code4rena • twicek

#17

high

Incorrect calculations for Surplus Auction creation cause massive surplus imbalances

medium

`transferSAFEOwnership()` does not fully transfer ownership

medium

Test addresses and incorrect interface in code prevent integration with UniswapV3 and Camelot

Canto Liquidity Mining Protocol

359.93 USDC • 1 total finding • Code4rena • twicek

#10

high

Array Length of `tickTracking_` Can be Purposely Increased to Brick Minting and Burning of Most Users' Liquidity Positions

Sep '23

Venus Prime

129.33 USDC • 1 total finding • Code4rena • twicek

#26

high

Prime.sol - User can claim Prime token without having any staked XVS, because his `stakedAt` isn't reset whenever he is issued an irrevocable token.

Centrifuge

2,352.03 USDC • 1 total finding • Code4rena • twicek

#5

medium

You can deposit a really small amount for other users to DoS them

Aug '23

Livepeer Onchain Treasury Upgrade

695.61 USDC • 1 total finding • Code4rena • twicek

#11

medium

withdrawFees does not update checkpoint

Jul '23

Tokensoft

66.79 USDC • 1 total finding • Sherlock • twicek

#15

high

Users can mint more vote tokens than intended

Jun '23

Unstoppable

2,864.94 USDC • 5 total findings • Sherlock • twicek

bronze

high

`reduce_position` doesn’t update margin mapping correctly

high

Leverage calculation is wrong

high

`_debt_interest_since_last_update` calculation uses `PERCENTAGE_BASE` instead of `PERCENTAGE_BASE_HIGH_PRECISION`

medium

Spot contracts execute functions will revert before swapping fee-on-transfer tokens

medium

Oracle freshness check is not constraining enough

May '23

USSD - Autonomous Secure Dollar

132.01 USDC • 8 total findings • Sherlock • twicek

#18

high

Wrong price feed hardcoded address in StableOracleWBTC

high

Rebalancer contract will perform swaps without slippage protection

high

mintRebalancer and burnRebalancer shouldn't be permissionless

high

getOwnValuation doesn't always calculate the price correctly

high

DAI / ETH price feed precision is 18 decimals not 8 decimals

high

`DAIWethPrice` and Chainlink `price` have inversed quote and base token

medium

The threshold applied when the collateral is too little will prevent from withdrawing a portion of each collateral eventually

medium

Chainlink oracle price could become stale

Mar '23

Y2K

468.01 USDC • 4 total findings • Sherlock • twicek

#31

high

`ownerToRollOverQueueIndex` is incorrectly updated when a user calls `enlistInRollover` twice

high

After having rolled over once a user will not be able to roll over again

medium

Increasing the `relayerFee` creates a risk for relayers

medium

Queued deposits can get stuck indefinitely in the deposit queue

Feb '23

Fair Funding by Alchemix & Unstoppable

34.48 USDC • 1 total finding • Sherlock • seyni

#8

medium

The auction can be started by anyone calling `settle` before `start_auction` is called by the owner

Union Finance Update

1,097.56 USDC • 1 total finding • Sherlock • seyni

silver

high

`cancelVouch` doesn't update the voucher index of the last vouch of a borrower properly

OpenQ

159.85 USDC • 2 total findings • Sherlock • seyni

#29

high

`refundDeposit` function can be DoSed by an unbounded loop in `getLockedFunds`

high

Funders can deny rewards to last claimants by calling `refundDeposit` between tiers claims

Jan '23

Cooler

0.30 USDC • 1 total finding • Sherlock • seyni

#30

high

Unsafe usage of `ERC20.transfer` and `ERC20.transferFrom`

Nov '22

Opyn Crab Netting

210.65 USDC • 1 total finding • Sherlock • seyni

#16

medium

Anyone in the order queue wanting to withdraw or deposit can grief the auction by making `withdrawAuction` or `depositAuction` always revert

Oct '22

Union Finance

1,072.39 USDC • 1 total finding • Sherlock • seyni

#10

high

`UserManager.updateFrozenInfo` cannot be called from `UToken`