whitehair0330

Security Researcher

High findings: 18 total

Medium findings: 1 solo, 11 total

Total earnings: $10.74K (#523 all time)

Payouts: 16x

1st places (gold): 1x

2nd places (silver): 1x

3rd places (bronze): 2x

Mar '25

PinLink: RWA-Tokenized DePIN Marketplace

65.96 USDC • Sherlock • whitehair0330

#20

Feb '25

Yieldoor

13.90 USDC • 2 total findings • Sherlock • whitehair0330

#25

high

Incorrect `initCollateralUsd` in `Leverager.openLeveragedPosition()`

medium

Incorrect usage of `amountOut0` in `Leverager.withdraw()` function for `repayFromWithdraw`

Jan '25

Aave v3.3

526.58 USDC • Sherlock • whitehair0330

#45

Dec '24

Ethos Reputation Market Fix Review Contest

144.76 USDC • 1 total finding • Sherlock • whitehair0330

silver

medium

Incorrect rounding in the `ReputationMarket._calcCost()` function.

Oku's New Order Types Contract Contest

823.60 OP • 8 total findings • Sherlock • whitehair0330

#5

high

An attacker can steal all funds stored in `OracleLess` using a self-made token.

high

Lack of resetting allowance to zero in the `OracleLess.execute()` function will lead to loss of funds.

high

Reentrancy attack can drain `OracleLess`.

high

An attack that generates duplicate `orderId`s, resulting in the theft of funds.

high

An attacker can steal funds approved to `OracleLess`.

high

An attacker can take advantage of the `StopLimit`'s unlimited allowance to `Bracket` to steal funds from the `StopLimit`.

medium

An attacker can DoS the `OracleLess` by creating a large number of empty orders.

medium

`forceApprove` should be used instead of `safeApprove`.

Nov '24

Ethos Network Financial Contracts

56.21 USDC • 2 total findings • Sherlock • whitehair0330

#29

high

In the `ReputationMarket.buyVotes()` function, the entry fees are incorrectly added to `marketFunds` because `fundsPaid` includes these fees.

medium

An incorrect fee calculation will lead to users paying fees that are higher than expected.

Nouns DAO - Auction Streams

215.61 USDC • Sherlock • whitehair0330

#17

vVv Launchpad - Investments & Token distribution

94.59 USDC • 1 total finding • Sherlock • whitehair0330

gold

high

Attackers can front-run the `VVVVCTokenDistributor.claim()` function to steal funds.

Telcoin Update #2

139.95 USDC • Sherlock • whitehair0330

#17

Jul '24

MakerDAO Endgame

847.69 USDC • Sherlock • whitehair0330

#63

May '24

Sophon Farming Contracts

16.89 USDC • 1 total finding • Sherlock • whitehair0330

#5

medium

No modification of the `lastRewardBlock` in the `SophonFarming.setStartBlock()` function.

Arrakis Valantis SOT Audit

1,853.22 USDC • 1 total finding • Sherlock • whitehair0330

#4

high

`ArrakisPublicVaultRouter.addLiquidity()` function can frequently revert due to rounding errors.

Elfi

1,071.06 USDC • 7 total findings • Sherlock • whitehair0330

#6

high

Anyone can call the `AccountFacet.batchUpdateAccountToken()` function, which allows them to manipulate any user's `accountProps`.

high

Incorrect implementation of the `PositionMarginProcess.updateAllPositionFromBalanceMargin()` function.

high

Incorrect implementation of the `PositionMarginProcess.updatePositionFromBalanceMargin()` function.

high

Incorrect calculation of the `changeAmount` in the `PositionMarginProcess.updatePositionFromBalanceMargin()` function.

high

Reversal of the `PositionMarginProcess._executeReduceMargin()` function due to an integer underflow.

medium

Improper modification of the `CommonData` in the `Account.repayLiability()` function.

medium

Incorrect calculation of the `lossFee` in the `GasProcess.processExecutionFee()` function.

Napier Finance - LST/LRT Integrations

791.22 USDC • 1 total finding • Sherlock • whitehair0330

#8

high

Invalid check `_requestId < ETHERFI_WITHDRAW_NFT.lastFinalizedRequestId()` in the `EETHAdapter.claimWithdrawal()` function.

Mar '24

Goat Trading

2,212.67 USDC • 2 total findings • Sherlock • whitehair0330

bronze

medium

Improper `tokenAmountIn` checking in `GoatV1Pair.takeOverPool()`.

medium

No check for `initialEth` in `GoatV1Pair.takeOverPool()`.

Amphor

1,865.83 USDC • 3 total findings • Sherlock • whitehair0330

bronze

high

Incorrect assignment of snapshot values in `AsyncSynthVault.previewSettle()`.

high

A malicious user can freeze any other users' requested shares in `claimableSilo`.

medium

Improper allowance checking in `VaultZapper._transferTokenInAndApprove()`.