
zarkk01

Security Researcher

outworking


High: 22 total

Medium: 31 total

Total Earnings: $49.99K

#183 All Time

Payouts: 22x

1st Places (gold): 2x

2nd Places (silver): 1x

Top 10 (regular): 13x


Mar '25

Nudge.xyz


0.06 USDC • 1 total finding • Code4rena • zarkk01

#8

medium

Unauthorized Reallocation in `NudgeCampaign::handleReallocation` and Reward Disruption Vulnerability in `NudgeCampaign::invalidateParticipations`

PinLink: RWA-Tokenized DePIN Marketplace


183.20 USDC • Sherlock • zarkk01

#8

Jan '25

silo-contracts-v2


189.77 USDC • 1 total finding • Cantina • zarkk

#18

high

Finding not yet public.

Aave v3.3


2,510.23 USDC • Sherlock • zarkk01

#18

FlatMoney v2 Update


1,087.17 USDC • Sherlock • zarkk01

#6

Findings not publicly available for private contests.

Dec '24

Numa


987.97 USDC • 1 total finding • Sherlock • zarkk01

#9

medium

`VaultManager::updateBuyFeePID()` assumes different `ETH` bought than the actual, leading to incorrect `buyFeePID` adjustments.

Nov '24

Extra Finance


1,151.73 OP • Sherlock • zarkk01

#4

Findings not publicly available for private contests.

sorella-angstrom


3,513.28 USDC • 1 total finding • Cantina • zarkk

#5

medium

Finding not yet public.

Oct '24

Usual V1


4,367.29 USDC • 2 total findings • Sherlock • zarkk01

gold

high

`UsualSP::removeOriginalAllocation()` does not call `updateReward()` leading to the insider losing his earned and generated rewards.

high

Incorrect calculation of fee in `UsualX::withdraw()` leading to protocol taking less fee amount and other consequences.

stakeup-bloomv2


1,400.89 USDC • 7 total findings • Cantina • zarkk

#9

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

Sep '24

Flayer


1,526.43 USDC • 8 total findings • Sherlock • zarkk01

#6

high

Anyone can redeem the `canWithdrawAsset` token by burning `1` `CollectionToken` while it is non-floor item leading to stealing it from lister of `ProtectedListings`.

high

The health of a `ProtectedListing` is incorrectly calculated if the `tokenTaken` has been changed through `ProtectedListings::adjustPosition()`.

high

Lister is overpaying during the cancel of his listing on `Listings::cancelListings()`.

medium

`setFee` function is writing on memory leading to protocol not able to apply `Pool`-specified `fees` as intended.

medium

`CollectionShutdown::execute()` calculates the `newQuorum` before burning `Locker`'s collection tokens leading to unfair ETH distribution and lost funds forever.

medium

Unused `nativeToken`s are not transferred back to the Pool initializer after the `Locker::initializeCollection()` and they stay on `UniswapV4Implementation`.

medium

`Listings::modifyListings()` doesn't update the `listing.created` (when only the `floorMultiple` is modified) leading to double paying and wrong accountings.

medium

`UniswapV4Implementation::beforeSwap()` incorrectly the `beforeSwapDelta_` comparing `tokenOut` with `amountSpecified` while the `amountSpecified` is in `WETH` terms.

Aug '24

Mitigation Audit | Folks Finance


1,563 USDC • 1 total finding • Immunefi • zarkk

silver

low

Finding not yet public.

ZeroLend One


2,027.50 USDC • 9 total findings • Sherlock • zarkk01

#6

high

`_calculateDebt` function of `LiquidationLogic` does not convert `debtShares` to `debtAmount` and returns always `debtShares` breaking the functionality of every liquidation.

high

`liquidationProtocolFeeAmount` are not subtracted from the collaterals of borrower during the liquidation process.

high

Liquidations will fail if there is not enough liquidity of the collateral that is supposed to be seized because it has been borrowed from other users.

high

Incorrect `totalDebt` calculation during the liquidation process since `repayDebt` function returns the `burnt` shares, not the total debt shares after the burn.

high

Outdated `supplyIndex` usage during `getBalanceByPosition()` call on `CuratedVault::totalAssets` leads to wrong `lastTotalAssets`.

medium

`reallocate` function of `CuratedVault` can not withdraw fully from a `Pool` due to wrong handle of `allocation.assets == 0`.

medium

Repayments will revert on `NFTPositionManager` due to outdated debt measurement on `_repay()`.

medium

Before changing the `reserveFactor` on `PoolFactory`, all existing Pools must update their reserves to avoid using an incorrect `reserveFactor` for interest accrued prior to the change.

medium

`Pool` expects all Chainlink price feeds to have the same staleness threshold (1800 seconds) while this is not the case.

Sentiment V2


308.57 USDC • 1 total finding • Sherlock • zarkk01

#20

medium

RedStone oracle is vulnerable because `updatePrice` is not called during the `getEthValue` function.

Jul '24

TraitForge


0 USDC • 1 total finding • Code4rena • zarkk01

#89

medium

Pause and unpause functions are inaccessible

Audit Comp | Folks Finance


26,633 USDC • 6 total findings • Immunefi • zarkk

gold

high

Finding not yet public.

high

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

medium

Finding not yet public.

low

Finding not yet public.

MagicSea - the native DEX on the IotaEVM


44.41 USDC • 5 total findings • Sherlock • zarkk01

#39

high

`vote` function does not correctly check if the remaining duration of a `LockingPosition` is greater than 14 days.

medium

Rewards in `MlumStaking` are distributed unfairly not taking into consideration the time someone has been locked.

medium

`_requireOnlyOperatorOrOwnerOf` does not correctly check the owner or the operator of the position leading to anyone can adjust the duration of a `LockingPosition` by adding to it.

medium

A malicious user can execute a Denial of Service (DoS) attack on the registration of legitimate `BribeRewarder` contracts in the `Voter` contract by registering 5 worthless `BribeRewarder` contracts in each `VotingPeriod`.

medium

`BribeRewarder` contract functionality is broken with low-decimals tokens.

Jun '24

Pegasus


1,205.39 USDC • 1 total finding • Cantina • zarkk

#4

medium

Finding not yet public.

Size


629.71 USDC • 6 total findings • Code4rena • zarkk01

#32

high

Users won't liquidate positions because the logic used to calculate the liquidator's profit is incorrect

high

When `sellCreditMarket()` is called to sell credit for a specific cash amount, the protocol might receive a lower swapping fee than expected.

medium

Size uses wrong source to query available liquidity on Aave, resulting in borrow and lend operations being bricked upon mainnet deployment

medium

Users cannot buy/sell minimum credit allowed due to exactAmountIn condition

medium

Multicall does not work as intended

medium

`withdraw()`: users may be unable to withdraw `underlyingBorrowToken` properly

May '24

YOLO Games


198.3 USDC • 1 total finding • Cantina • zarkk

#14

medium

Finding not yet public.

Sablier


412.97 USDC • 1 total finding • CodeHawks • zark

#15

medium

Use of CREATE method is suspicious of reorg attack

Apr '24

Zivoe


46.02 USDC • 2 total findings • Sherlock • zarkk01

#48

high

Incorrect Calculation of `_totalSupply` of `vestZVE`

high

Airdrop amounts diminish over time due to continuous increase in `zSTT` and `zJTT` tokens total supply