vinica_boy

Security Researcher

Web3 Security Researcher | https://t.co/sSa0j5zBwG

High: 1 Solo, 27 Total

Medium: 20 Total

Total Earnings: $46.43K (#196 All Time)

Payouts: 20x

1st Places (gold): 2x

3rd Places (bronze): 1x

Top 10: 13x

Mar '25

Jigsaw

Collaborative Audit • Sherlock • vinica_boy

Feb '25

Liquidity Management

22,648.80 usdc • 11 total findings • CodeHawks • vinica_boy

gold

high

Deposits on long one leverage vault don't actually finalize the flow, leading to a Denial of Service (DoS)

high

If users withdraw while a position is in loss, the whole PNL of the position to their withdrawal amount instead of just their share of it.

high

Subtracting position fee in position net value will lead to incorrect share allocation

medium

PerpetualVault can be completely bricked

medium

getExecutionGasLimit() reports a lower gas limit due to gasPerSwap miscalculation

medium

Functions that rely on chainlink prices cannot be queried on avalanche due to sequencer uptime check.

medium

User may withdraw more than expected if ADL event happens

medium

ADL can result in unwrapped ETH as output which is not handled

low

Protocol Recovery Mechanism at Risk Due to Unhandled Token Transfer Failures

low

`_withdraw` function uses `shortTokenPrice.max` instead of `shortTokenPrice.min` when computing negative PnL adjustment, leading to underestimation of losses and excessive collateral withdrawal

low

Calculating price impact collateral is incorrect when calculating users' increase from deposit

beraborrow-blockend

985.89 USDC • 1 total finding • Cantina • vinicaboy

#5

medium

Finding not yet public.

Jan '25

Beraborrow

15,538.35 USDC • Sherlock • vinica_boy

gold

Findings not publicly available for private contests.

FlatMoney v2 Update

467.00 USDC • Sherlock • vinica_boy

#8

Findings not publicly available for private contests.

Dec '24

Idle Finance Credit Vaults

1,142.76 USDC • Sherlock • vinica_boy

#5

Findings not publicly available for private contests.

Oku's New Order Types Contract Contest

482.53 OP • 9 total findings • Sherlock • vinica_boy

#10

high

Not setting approval to 0 when doing swaps can lead to draining of funds

high

Reentrancy can be exploited in OracleLess contract

high

modifyOrder() can be used to drain funds from already filled/cancelled orders

high

Incorrect safeTransferFrom parameter when creating stop limit orders

high

If users create two orders close in time, the second one may override the first.

medium

DoS in OracleLess contract

medium

Tokens used are not checked in OracleLess contract

medium

Wrong check for stale price in PythOracle

medium

Bracket and StopLimit contracts are vulnerable to DoS attacks.

Nov '24

Extra Finance

575.86 OP • Sherlock • vinica_boy

#5

Findings not publicly available for private contests.

Chiliz Chain System Contracts

1,186.75 USDC • Sherlock • vinica_boy

#5

Findings not publicly available for private contests.

Telcoin Update #2

283.18 USDC • Sherlock • vinica_boy

#8

Project

187.38 USDC • 3 total findings • CodeHawks • vinica_boy

#9

medium

NativeMetaTransaction.sol :: executeMetaTransaction() failed txs are open to replay attacks.

medium

Reorg Vulnerability in DAO Membership Creation Allows Users to Join Incorrect DAOs

low

EIP712Base Is Incompatible With Chain Fork

Oct '24

Gamma Brevis Rewarder

131.06 OP • 1 total finding • Sherlock • vinica_boy

bronze

high

Users cannot claim rewards for different epochs for the same distribution

AXION

802.68 USDC • 2 total findings • Sherlock • vinica_boy

#6

high

Public unfarmBuyBurn may not rebalance the pool correctly

medium

AMO bot can move the price higher/lower than target $1 which should not be allowed

Sep '24

symbioticfi-core

211.51 USDC • 1 total finding • Cantina • vinicaboy

#24

medium

Finding not yet public.

Aug '24

Cork Protocol

1,128.40 USDC • 8 total findings • Sherlock • vinica_boy

#4

high

FlashSwapRouter.emptyReserve() always returns 0 leading to excess DS in the LV to be stuck

high

Exchange rate between RA: CT+DS is not used when liquidating LP tokens at expiry

high

lockUnchecked() is used instead of lockFrom() in PsmLib.repurchase() leading to wrong accounting of locked RA tokens.

high

lvRedeemRaWithCtDs() does not account for the RA tokens locked in PSM

high

Wrong accounting of locked RA when redeeming RA with DS

high

On-chain calculated tolerance does not provide slippage protection when depositing into LV

medium

Initial AMM price ratio can be manipulated

medium

Providing liquidity to the AMM does not check the return value of actually provided tokens leading to locked funds.

Rumpel Point Tokenization Protocol

15.20 USDC • Sherlock • vinica_boy

#25

Fjord Token Staking

0.19 USDC • 1 total finding • CodeHawks • vinica_boy

#20

medium

`FjordAuction` incorrect `block.timestamp` check allows users to bid after calling `auctionEnd` to claim more tokens than they should

Winnables Raffles

5.17 USDC • 2 total findings • Sherlock • vinica_boy

#31

high

H-1: Locked ETH is not updated upon players refund, resulting in permanent stuck funds

high

Perpetual frontrunning of raffle creation leading to inability to create raffles and CCIP fee token loss

Tadle

274.24 USDC • 6 total findings • CodeHawks • vinica_boy

#23

high

`DeliveryPlace::settleAskTaker` Has Incorrect Access Control

high

Malicious user can drain protocol by bypassing `ASK` offer abortion validation in `Turbo` mode

high

The `DeliveryPlace::settleAskTaker()` function mistakenly uses `makerInfo.tokenAddress` to update the `TokenBalanceType.PointToken` in the `userTokenBalanceMap` mapping, leading to a critical error.

high

Token withdrawal fails until someone manually approves spending

medium

Unnecessary balance checks and precision issues in TokenManager::_transfer

low

Low Severity Issues

Jul '24

TraitForge

3.27 USDC • 5 total findings • Code4rena • vinica_boy

#76

high

`mintToken()`, `mintWithBudget()`, and `forge()` in the `TraitForgeNft` Contract Will Fail Due to a Wrong Modifier Used in `EntropyGenerator.initializeAlphaIndices()`

high

Number of entities in generation can surpass the 10k number

high

Wrong minting logic based on total token count across generations

medium

There is no slippage check in the `nuke()` function.

medium

NFTs mature too slowly under default settings.

Munchables

360.29 USDC • 2 total findings • Code4rena • vinica_boy

#16

high

Single plot can be occupied by multiple renters

high

in `farmPlots()` an underflow in edge case leading to freeze of funds (NFT)