yotov721

Security Researcher

Web2 dev turned Web3 enthusiast, exploring the blockchain

High: 10 Total

Medium: 11 Total

Total Earnings: $1.45K (#1116 All Time)

Payouts: 13x

3rd Places (bronze): 1x

Top 10: 2x

Top 25: 7x

Feb '25

Yieldoor

45.78 USDC • 2 total findings • Sherlock • yotov721

#18

high

Wrong vesting position upper tick passed to `collectFees` will block vesting position funds and claiming fees

medium

Wrong univ3 swap path check leads to OOG and DoS for Leverage positions where the swap path has more than one swap

Oct '24

Dria

2.87 USDC • 1 total finding • CodeHawks • yotov721

#67

medium

Platform fees withdrawal will sweep oracle agents earned fees

Aug '24

Tadle

0.02 USDC • 2 total findings • CodeHawks • yotov721

#162

high

TokenManager - Unlimited withdraw

low

`listOffer` Unsafely References Fungible Identifiers

Jul '24

TraitForge

136.4 USDC • 2 total findings • Code4rena • yotov721

#36

medium

Forger Entities can forge more times than intended

medium

Each generation should have 1 "Golden God" NFT, but there could be 0

TempleGold

21.05 USDC • 1 total finding • CodeHawks • yotov721

#35

high

Incompatibility with Multisig Wallets in `TempleGold::send` Function

Jun '24

Notional Leveraged Vaults: Pendle PT and Vault Incentives

71.22 USDC • 1 total finding • Sherlock • yotov721

#14

high

Selling sUSDe is vulnerable to sandwich attack when staked token is DAI

May '24

Olas

51.57 USDC • 1 total finding • Code4rena • yotov721

#14

medium

StakingToken.sol doesn't properly handle FOT, rebasing tokens or those with variable which will lead to accounting issues downstream.

Munchables

0.01 USDC • 1 total finding • Code4rena • yotov721

#16

high

Malicious User can call `lockOnBehalf` repeatedly to extend a user's `unlockTime`, removing their ability to withdraw previously locked tokens

Mar '24

Ondo Finance

64.15 USDC • 1 total finding • Code4rena • yotov721

#16

medium

The `BURNER` cannot burn tokens from accounts not KYC verified due to the check in `_beforeTokenTransfer`.

WOOFi Swap

127.48 USDC • 1 total finding • Sherlock • yotov721

#9

medium

External swap fee would also be applied to native swaps

PoolTogether

1.47 USDC • 1 total finding • Code4rena • yotov721

#29

high

Any fee claim lesser than the total `yieldFeeBalance` as unit of shares is lost and locked in the `PrizeVault` contract

Feb '24

Jala Swap

799.98 USDC • 1 total finding • Sherlock • yotov721

bronze

medium

User wrapped tokens get stuck in master router because of incorrect calculation

AI Arena

127.87 USDC • 7 total findings • Code4rena • yotov721

#41

high

Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win

high

Since you can reroll with a different fighterType than the NFT you own, you can reroll bypassing maxRerollsAllowed and reroll attributes based on a different fighterType

high

Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes

high

FighterFarm::reroll won't work for NFT id greater than 255 due to input limited to uint8

medium

NFTs can be transferred even if StakeAtRisk remains, so the user's win cannot be recorded on the chain due to underflow, and can recover past losses that can't be recovered(steal protocol's token)

medium

Can mint NFT with the desired attributes by reverting transaction

medium

Fighter created by mintFromMergingPool can have arbitrary weight and element