Security Researcher
Founding Security Researcher @blackthornxyz | Lead Senior Watson @sherlock-audit | Security Researcher @spearbit | Portfolio: https://t.co/sg2mgn4ZkM
High
Solo
Total
Medium
Solo
Total
Total Earnings
#5 All Time
Payouts
1st Places
2nd Places
3rd Places
All
Sherlock
Blackthorn
Code4rena
Mar '25
Collaborative Audit • Sherlock • xiaoming90
Collaborative Audit • Blackthorn • xiaoming90
Feb '25
Collaborative Audit • Sherlock • xiaoming90
Collaborative Audit • Sherlock • xiaoming90
Collaborative Audit • Sherlock • xiaoming90
Jan '25
Findings not publicly available for private contests.
Collaborative Audit • Sherlock • xiaoming90
Dec '24
high
Exploit `cancelOrder()` with re-entrancy to steal funds
high
Orders will be overwritten if multiple orders are created by the same sender within the same block
high
`StopLimit` contract grant max allowance leading to a loss of funds
high
`orders[orderId]` mapping is not updated when the order is canceled
high
The `owner` of the `procureTokens` function can be set to an arbitrary address
medium
Create order can be DOSed as there is no compulsory fee collected during the creation/cancellation of orders
medium
`OracleLess` does not restrict the maximum number of pending orders
medium
`StopLimit` order cannot be filled under certain condition
medium
Pyth Oracle's Stale Price check is incorrect
Nov '24
high
Managed veAERO NFT can be exploited to steal funds from lenders
high
`TaxTokensReceipt` cannot be auctioned off to repay lenders during a default
high
Delete/cancel buy order function only returns remaining tokens, but forget to return any NFT purchase so far
high
No one can sell `TaxTokensReceipts` NFT receipt to the buy order
medium
MixOracle is broken due to hardcoded position
medium
Funds stuck in `DebitaIncentives` contract
medium
New owner of veNFT receipt can be griefed by existing manager
medium
Users can be griefed due to lack of minimum size within the Loan and Offer
medium
Borrower can obtain principle tokens without paying collateral tokens
medium
"Just-in-time" attack against incentive mechanism
Oct '24
medium
`settleUpnl` function can be DOSed by other PartyBs/hedgers
medium
Unauthorized PartyB could settle PNL of other PartyBs and users in the system
medium
Force Close can be DOSed by exploiting `settleUpnl` function
medium
Emergency close might be blocked due to insufficient allocated balance
medium
Inconsistent in the liquidation fee leads to unfairness in liquidation process
Jul '24
Jun '24
19,500.28 USDC • 11 total findings • Sherlock • xiaoming90
high
Incorrect valuation of vault share
high
Loss of rewards due to continuous griefing attacks on L2 environment
high
Malicious withdrawal requests can be injected into the holder's queue
high
Users can deny the vault from claiming reward tokens
high
Malicious users can steal reward tokens via re-entrancy attack
high
Wrong decimal precision resulted in the price being inflated
high
Incorrect assumption that PT rate is 1.0 post-expiry
high
Lack of slippage control on `_redeemPT` function
medium
Reward token will be lost if a transfer fails
medium
`rescueTokens` feature is broken
medium
Protocol could be DOS by transfer error due to lack of code length check
high
Wrong precision when adding balance within the `restoreBridgeTransaction` function
high
Suspended bridge transactions cannot be restored
medium
Collateral can still be allocated to PartyA when the system is paused by exploiting the new internal transfer function
medium
PartyA's allocated balance could increase after `deferredLiquidatePartyA` is executed
medium
Deferred Liquidation can get stuck at step one of the liquidation process if the nonce increment
Apr '24
high
Users can exploit the batch minting feature to avoid paying minting fees for tokens
high
Original collection referrer will be overwritten when a new collection/work is created
high
Collection referrers will not receive their share of the minting fee
medium
Minting can be DOSed by any of the fee recipients
medium
Excess ETH will be stuck in the Fee Manager contract and not swept back to the users
medium
Malicious users can block creators from acknowledging or deacknowledging an edge
medium
Incorrect `supportsInterface` (EIP-165)
medium
Signature is malleable
medium
Broken batch minting feature
medium
Constructor is used during initialization when a proxy pattern is used
medium
New creators unable to update the royalty target and the fee route for their works
medium
Malicious EDITION_MANAGER_ROLE can front-run victims to increase royalty
Mar '24
Feb '24
high
YT holder are unable to claim their interest
high
LP Tokens always valued at 3 PTs
high
Victim's fund can be stolen due to rounding error and exchange rate manipulation
medium
`swapUnderlyingForYt` revert due to rounding issues
medium
Unable to deposit to Tranche/Adaptor under certain conditions
medium
FRAX admin can adjust fee rate to harm Napier and its users
medium
Benign esfrxETH holders incur more loss than expected
medium
Anyone can convert someone's unclaimed yield to PT + YT
medium
Lack of slippage control for `issue` function
medium
Withdrawal can be blocked
medium
Users unable to withdraw their funds due to FRAX admin action
medium
`withdraw` function does not comply with ERC5095
medium
Users are unable to collect their yield if tranche is paused
medium
Front-running swap TX and update the fee rate
medium
Permissioned rebalancing functions leading to loss of assets
Jan '24
high
Incorrect handling of PnL during liquidation
high
`marginDepositedTotal` can be significantly inflated
high
Position can be immediately liquidated after opening
high
Asymmetry in profit and loss (PnL) calculations
high
Incorrect price used when updating the global position data
medium
Oracle will not failover as expected during liquidation
medium
Large amounts of points can be minted virtually without any cost
medium
Vault Inflation Attack
medium
Long traders unable to withdraw their assets
medium
Losses of some long traders can eat into the margins of others
high
Residual ETH will not be sent back to users during the minting of wfCash
high
Residual ETH not sent back when `batchBalanceAndTradeAction` executed
medium
Malicious users could block liquidation or perform DOS
medium
Unable to limit the loss when redeeming wfCash before maturity
medium
Low precision is used when checking spot price deviation
medium
External lending can exceed the threshold
medium
Incorrect rate used when fCash has not settled yet
medium
Rebalance will be delayed due to revert
medium
Rebalance might be skipped even if the external lending is unhealthy
Nov '23
high
Rounding differences when computing the invariant
high
Reward tokens are re-entered during vault restoration
high
Incorrect scaling of the spot price
high
Incorrect Spot Price
high
Incorrect invariant used for Balancer's composable pools
high
Unable to reinvest if the reward token equals one of the pool tokens
high
Different spot prices used during the comparison
high
Native ETH not received when removing liquidity from Curve V2 pools
high
Single-sided instead of proportional exit is performed during emergency exit
medium
ETH can be sold during reinvestment
medium
BPT LP Token could be sold off during re-investment
medium
Leverage Vault on sidechains that support Curve V2 pools is broken
Aug '23
Jul '23
high
Insufficient allowance when queuing reward
high
Price of Maverick LP tokens is vulnerable to manipulation
high
Stat calculator returns incorrect report for swETH
high
Incorrect approach to tracking the PnL of a DV
high
WETH is stuck in the router if users deposit or mint with Native ETH
high
Swap during liquidation of reward tokens will revert
high
Convex/Aura claim reward front-run attack
high
Inflated price due to unnecessary precision scaling
high
Immediately start getting rewards belonging to others after staking
high
Differences between actual and cached total assets can be arbitraged
high
Claimed tokens obtained during the burning of DV shares are overwritten
high
Gain From LMPVault Can Be Stolen
high
Incorrect pricing for CurveV2 LP Token
high
Incorrect number of shares minted as fee
medium
`removeVault` did not remove the vault from `_vaultsByType` mapping
medium
Unable to withdraw extra rewards
medium
Malicious or compromised admin of certain LSTs could manipulate the price
medium
Slow reaction to the market condition due to the filter's high alpha
medium
`previewRedeem` and `redeem` functions deviate from the ERC4626 specification
medium
Losses are not distributed equally
medium
`feeSink` address should not be subjected to limit
medium
Malicious users could lock in the NAV/Share of the DV to cause the loss of fees
medium
Price returned by Oracle is not verified
medium
Unexpected revert during withdrawal
medium
Malicious users could use back old values
medium
`navPerShareHighMark` not reset to 1.0
high
Lack of segregation between users' assets and collected fees resulting in loss of funds for the users
high
Users' funds could be stolen or locked by malicious or rouge owners
medium
Owners will incur loss and bad debt if the value of a token crashes
medium
Owner unable to collect fulfillment fee from certain users due to revert error
Jun '23
high
`depositAndAllocateForPartyB` is broken due to incorrect precision
high
Accounting error in PartyB's pending locked balance led to loss of funds
high
Malicious liquidators could inject stale symbol pricing during the liquidation process of PartyA
high
Unrealized profit and loss (uPnL) signature (`upnlSig`) can be re-used and replayed as nonce is not incremented
high
Liquidation can be blocked by incrementing the nonce
high
Liquidation of PartyA will fail due to underflow errors
medium
Liquidatable account will be locked
medium
Using spot trading fee to compute the refunded amount lead to a loss of funds
medium
Malicious PartyB can block unfavorable close position requests causing a loss of profits for PartyB
medium
Users might immediately be liquidated after position opening leading to a loss of CVA and Liquidation fee
medium
Liquidator not incentivized to liquidate `LATE` or `OVERDUE` account as there is no rewards
medium
Suspended PartyBs can bypass the withdrawal restriction by exploiting `fillCloseRequest`
medium
Imbalanced approach of distributing the liquidation fee within `setSymbolsPrice` function
medium
`emergencyClosePosition` can be blocked
medium
Vulnerable to replay attack as `lockQuote` did not increment PartyB's nonce
medium
Hedgers are not incentivized to respond to user's closing requests
medium
Position value can fall below the minimum acceptable quote value
medium
Rounding error when closing quote
Mar '23
high
`VaultAccountSecondaryDebtShareStorage.maturity` will be cleared prematurely
high
StrategyVault can perform a full exit without repaying all secondary debt
high
Unable to transfer fee reserve assets to treasury
high
Excess funds withdrawn from the money market
high
Possible to liquidate past the debt outstanding above the min borrow without liquidating the entire debt outstanding
high
Residual amount is not refunded
high
Vaults can avoid liquidations by not letting their vault account be settled
high
Users can deny the treasury manager contract from claiming `COMP` incentives
high
Possible to create vault positions ineligible for liquidation
high
Partial liquidations are not possible
high
Vault accounts with excess cash can avoid being settled
medium
A single external protocol can DOS rebalancing process
medium
Inadequate slippage control
medium
Inconsistent use of `VAULT_ACCOUNT_MIN_TIME` in vault implementation
medium
Return data from the external call not verified during deposit and redemption
medium
Treasury rebalance will fail due to interest accrual
medium
Debt cannot be repaid without redeeming vault share
medium
Vault account might not be able to exit after liquidation
medium
Rebalance process reverts due to zero amount deposit and redemption
medium
Inaccurate settlement reserve accounting
medium
Rebalance stops working when more holdings are added
medium
Underlying delta is calculated on internal token balance
medium
Secondary debt dust balances are not truncated
medium
No minimum borrow size check against secondary debts
medium
It may be possible to liquidate on behalf of another account
high
Slippage/Minimum amount does not work during single-side redemption
high
Ineffective slippage mechanism when redeeming proportionally
high
Risk of reward tokens being sold by malicious users under certain conditions
high
Curve vault will undervalue or overvalue the LP Pool tokens if it comprises tokens with different decimals
high
Reinvest will return sub-optimal return if the pool is imbalanced
medium
Users are forced to use the first pool returned by the Curve Registry
medium
Logic Error due to different representation of Native ETH (0x0 & 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE)
medium
Oracle slippage rate is used for checking primary and secondary ratio
medium
`oracleSlippagePercentOrLimit` can exceed the `Constants.SLIPPAGE_LIMIT_PRECISION`
Jan '23
high
Users redeem strategy tokens but receives no assets in return
high
`totalBPTSupply` will be excessively inflated
high
`msgValue` will not be populated if ETH is the secondary token
high
Token amounts are scaled up twice causing the amounts to be inflated in two token vault
high
Vault's `totalStrategyTokenGlobal` will not be in sync
high
Users deposit assets to the vault but receives no strategy token in return
high
Rounding differences when computing the invariant
high
Two token vault will be broken if it comprises tokens with different decimals
high
Scaling factor of the wrapped token is incorrect
medium
Unable to deploy new leverage vault for certain MetaStable Pool
Nov '22
high
Anyone can steal CryptoPunk during the deposit flow to WPunkGateway
high
Anyone can prevent themselves from being liquidated as long as they hold one of the supported NFTs
medium
New BAKC Owner Can Steal ApeCoin
medium
NTokenMoonBirds Reserve Pool Cannot Receive Airdrops
medium
Centralization risk: admin can with rug the project by removing asset and price manipulation on oracle.
high
The 'redeem' related functions are likely to be blocked
high
Users Receive Less Rewards Due To Miscalculations
high
Malicious Users Can Drain The Assets Of Auto Compound Vault
high
User's Accrued Rewards Will Be Lost
high
Underlying assets stealing in `AutoPxGmx` and `AutoPxGlp` via share price manipulation
medium
Assets may be lost when calling unprotected `AutoPxGlp::compound` function
medium
Deposit Feature Of The Vault Will Break If Update To A New Platform
medium
Anyone can call AutoPxGmx.compound and perform sandwich attacks with control parameters
medium
Debt Decay Faster Than Expected
medium
Auctioneer Cannot Be Removed From The Protocol
medium
`BondAggregator.findMarketFor` Function Will Break In Certain Conditions
medium
Create Fee Discount Feature Is Broken
medium
Teller Cannot Be Removed From Callback Contract
medium
Market Price Lower Than Expected
medium
Existing Circuit Breaker Implementation Allow Faster Taker To Extract Payout Tokens From Market
medium
Transferring Ownership Might Break The Market
Sep '22
high
Normal Settlement Process Do Not Verify That The Vault Receives The Appropriate Amount Of Primary Tokens After Sale Of Secondary Tokens
medium
Did Not Approve To Zero First
medium
Corruptible Upgradability Pattern
medium
`CrossCurrencyfCashVault` Cannot Be Upgraded
medium
Attackers Can DOS Balancer Vaults By Bypassing The BPT Threshold
medium
Rely On Balancer Oracle Which Is Not Updated Frequently
medium
Existing Slippage Control Can Be Bypassed During Reinvest Rewards
medium
Vault Share/Strategy Token Calculation Can Be Broken By First User/Attacker
medium
Balancer Vault Will Receive Fewer Assets As The Current Design Does Not Serve The Interest Of Vault Shareholders
medium
`CrossCurrencyfCashVault` Cannot Settle Its Assets In Pieces
medium
Malicious Users Can Deny Notional Treasury From Receiving Fee
medium
Gain From Balancer Vaults Can Be Stolen
medium
No Validation Check Against Decimal Of Secondary Token
Aug '22
high
Missing State Update Causing More Shares To Be Minted And Fewer Assets To Be Returned
medium
Protocol Reserve Within A LToken Vault Can Be Lent Out
medium
Re-entrancy Risk Within The `withdraw` Function
medium
Token Without Price Oracle Can Cause Asset To Be Locked
medium
Chainlink's LatestRoundData Might Return Stale Results
medium
Internal Accounting Issue Due To Fee-On-Transfer/Rebasing Tokens
medium
ERC4626Oracle Vulnerable To Price Manipulation
Jul '22
high
Fund will be stuck if a buyout is started while there are pending migration proposals
high
Steal NFTs from a Vault, and ETH + Fractional tokens from users.
high
Malicious User Could Burn The Assets After A Successful Migration
high
```migrateFractions``` may be called more than once by the same user which may lead to loss of tokens for other users
high
Malicious Users Can Exploit Residual Allowance To Steal Assets
medium
An attacker can DoS vault's buyout with as little as 1 wei per 4 days
medium
A VAULT OWNER CAN FRONTRUN A PLUGIN CALL AND CHANGE ITS IMPLEMENTATION
medium
Use of `payable.transfer()` may lock user funds
Jun '22
medium
Order duration can be set to 0 by Malicious maker
medium
`fillOrder()` and `exercise()` may lock Ether sent to the contract, forever
medium
Unbounded loops may cause `exercise()`s and `withdraw()`s to fail
medium
[Denial-of-Service] Contract Owner Could Block Users From Withdrawing Their Strike
medium
Putty position tokens may be minted to non ERC721 receivers
medium
Malicious Token Contracts May Lead To Locking Orders
high
Routers Are Not Enforced To Repay AAVE Portal Loan
high
Malicious Relayer Can Replay Execute Calldata On Different Chains Causing Double-Spend Issue
high
Router Owner Could Steal All The Funds Within SponsorVault
medium
Single Error Within SponsorVault Contract Could Cause Entire Cross-Chain Communication To Break Down
medium
Malicious Relayers Could Favor Their Routers
medium
Malicious Relayer Could Cause A Router To Provide More Liquidity Than It Should
medium
Router Owner Could Be Rugged By Admin
medium
Did Not Approve To Zero First Causing Certain Token Transfer To Fail
medium
division rounding error in _handleExecuteLiquidity() and _reconcile() make routerBalances and contract fund balance to get out of sync and cause fund lose
medium
Relayer Will Not Receive Any Fee If `execute` Reverts
May '22
high
Gauge Rewards Stuck In `VoterProxy` Contract When `ExtraRewardStashV3` Is Used Within Angle Deployment
medium
`VE3DRewardPool` and `VE3DLocker` adds to an unbounded array which may potentially lock all rewards in the contract
medium
Unable To Get Rewards If Admin Withdraws $VE3D tokens From `VeTokenMinter` Contract
medium
Misconfiguration of Fees Incentive Might Cause Tokens To Be Stuck In `Booster` Contract
high
Ineffective ReserveRatio Enforcement
high
BathToken LPs Unable To Receive Bonus Token Due To Lack Of Wallet Setter Method
high
Attacker Could Steal Almost All The Bonus Token In BathBuddy Vesting Wallet
medium
USDT is not supported because of approval mechanism
medium
Lack of Access Control for offer(uint, ERC20, uint, ERC20) and insert(uint, unint)
medium
Inconsistent Order Book Accounting When Working With Transfer-On-Fee or Deflationary Tokens
medium
Strategists can take more rewards than they should using the function strategistBootyClaim().
medium
No cap on fees can result in a DOS in BathToken.withdraw()
medium
Outstanding Amount Of A Pool Reduced Although Tokens Are Not Repaid
medium
Admin rug vectors
medium
Use `safeTransfer()`/`safeTransferFrom()` instead of `transfer()`/`transferFrom()`
medium
Use `call()` instead of `transfer()` when transferring ETH in RubiconRouter