Some of my findings in public contests can be found in this repository.
I'm an independent security researcher who has an interest in smart contract audits.
I have been participating in public audit contests on Code4rena and Sherlock since June 2023.
Over the past six months (at the time of creating this repository), I achieved numerous top 3, top 5, and top 10 results, with several of my submissions being selected for inclusion in the final report.
You can find my Code4rena profile here.
| Contest | Findings | Ranking | Platform |
|---|---|---|---|
| Dodo V3 | 2 H | #5 | Sherlock |
| Chainlink Cross-Chain Contract Administration: Multi-signature Contract, Timelock and Call Proxies Contest | Non-public | #2 (joint) | Code4rena |
| Dinari | 1 M | #10 | Sherlock |
| Arcade | 1 M | #5 (joint) | Code4rena |
| Good Entry | 1 H, 2 L | #14 | Code4rena |
| Allo V2 | 1 H, 6 M | #21 | Sherlock |
| Wildcat Protocol | 2 H, 1 M, 2 L | #11 | Code4rena |
| Kelp DAO / rsETH | 2 H, 1 M, 5 L | #38 | Code4rena |
| Canto Application Specific Dollars and Bonding Curves for 1155s | 1 H, 1 M, 4 L | #9 (joint) | Code4rena |
| Panoptic | 1 H (Report not yet public) | #8 | Code4rena |
| Revolution Protocol | 2 H, 3 M (Report not yet public) | #7 | Code4rena |
| Ubiquity | 1 M (Report will be added) | #4 | Sherlock |
Dodo V3

| Vulnerability | Severity | Vulnerability Type | Protocol Type | Platform |
|---|---|---|---|---|
| Anyone can sell other users' tokens as `fromToken` and receive the `toToken`s themselves, because `decodeData.payer` is never checked. | High | Input validation | Leveraged Market Making | Sherlock |
| `_poolRepayAll()` updates the state incorrectly, which might allow the vault to be exploited. | High | Incorrect state handling | Leveraged Market Making | Sherlock |
Dinari

| Vulnerability | Severity | Vulnerability Type | Protocol Type | Platform |
|---|---|---|---|---|
| Canceled order refunds should be sent to the `requester`, not the `recipient`. | Medium | Loss of funds | Real world asset | Sherlock |
Arcade

| Vulnerability | Severity | Vulnerability Type | Protocol Type | Platform |
|---|---|---|---|---|
| Users who claimed an airdrop with a previous Merkle root won't be able to claim again, even if they have a larger `totalGrant` in the new Merkle root. | Medium | Incorrect state handling | NFT Lending Market | Code4rena |
Good Entry

| Vulnerability | Severity | Vulnerability Type | Protocol Type | Platform |
|---|---|---|---|---|
| All withdrawals after the first one burn users' liquidity for nothing when the pool is not enabled in `GeVault::withdraw()`. | High | Loss of Funds | Perpetual Trading | Code4rena |
| `GeVault::modifyTick()` doesn't check that the new ticks array is properly ordered. | Low | Input validation | Perpetual Trading | Code4rena |
| `GeVault::pushTick()` and `GeVault::shiftTick()` don't check whether the `tokenisableRange` instance is a ticker or a ranger. | Low | Input validation | Perpetual Trading | Code4rena |
Wildcat Protocol

- Note: Findings H-01 and M-01 below were selected for the final report.

| Vulnerability | Severity | Vulnerability Type | Protocol Type | Platform |
|---|---|---|---|---|
| Borrowers can escape paying half of the penalty fees by closing the market, and the remaining penalty fees are covered by the lender who withdraws last. | High | Loss of funds | Lending | Code4rena |
| `WildcatMarket::closeMarket()` can never be called. | High | Incorrect state handling | Lending | Code4rena |
| Blocked accounts keep earning interest, contrary to the whitepaper. | Medium | Unfair yield distribution | Lending | Code4rena |
| Tokens may still be stuck in the escrow contract even if the borrower overrides the sanction. | Low | Locked tokens | Lending | Code4rena |
| The total supply of the market tokens does not decrease after a transfer to the zero address. | Low | ERC20 | Lending | Code4rena |
- This contest had 3 High and 2 Medium findings. I found 2 of the 3 Highs and 1 of the 2 mediums.
Kelp DAO / rsETH

| Vulnerability | Severity | Vulnerability Type | Protocol Type | Platform |
|---|---|---|---|---|
| The rsETH amount-to-mint calculation when depositing an asset in `LRTDepositPool::depositAsset()` is incorrect, leading to an immediate loss of value. | High | Loss of Funds | DAO | Code4rena |
| The rsETH price can be manipulated by directly transferring funds to the pool, and the first depositor can use this to steal from everyone. | High | Price Manipulation | DAO | Code4rena |
| Deposited amounts in the EigenLayer strategy should be checked before updating the strategy for the asset. | Medium | Incorrect state handling | DAO | Code4rena |
| A contextual error when checking the balance deposited to EigenLayer may result in an incorrect deposit limit. | Low | Context | DAO | Code4rena |
| `LRTConfig::updateAssetDepositLimit()` doesn't check whether the current deposits are greater than the new limit. | Low | Context | DAO | Code4rena |
| `LRTDepositPool::addNodeDelegatorContractToQueue()` should check whether the input array contains duplicate addresses. | Low | Input validation | DAO | Code4rena |
| `LRTDepositPool::updateMaxNodeDelegatorCount()` should check that the new count is not below the current delegator count. | Low | Input validation | DAO | Code4rena |
| `ChainlinkPriceOracle::getAssetPrice()` should check for a stale price. | Low | Oracle | DAO | Code4rena |
QA Report with Low and NC findings can be found here.
- This contest had 1 High and 2 Medium severity findings. I found 1/1 High and 1/2 Mediums.
Canto Application Specific Dollars and Bonding Curves for 1155s

| Vulnerability | Severity | Vulnerability Type | Protocol Type | Platform |
|---|---|---|---|---|
| The `asD` contract owner cannot withdraw interest due to an incorrect scaling factor. | High | Locked Funds | Stable Coin | Code4rena |
| Buying and selling shares in `Market.sol` is vulnerable to sandwich attacks. | Medium | Sandwich Attack | Stable Coin | Code4rena |
| `asD` instances are vulnerable to reorg attacks. | Low | Reorg | Stable Coin | Code4rena |
| `Market::createNewShare()` should update the `shareBondingCurves` mapping. | Low | Redundant state variable | Stable Coin | Code4rena |
| `Market::_splitFees()` should split the shareholder fee between the protocol and the creator when there are no tokens in circulation. | Low | Context | Stable Coin | Code4rena |
| `Market::changeShareCreatorWhitelist()` should emit an event. | Low | Event | Stable Coin | Code4rena |
QA Report with Low findings can be found here.
Chainlink Cross-Chain Contract Administration: Multi-signature Contract, Timelock and Call Proxies Contest (July 2023)
This contest didn't have any valid High or Medium findings. The result was determined by the overall quality and the number of downgraded submissions of each participant.
I placed in the top 3 in this contest. The official contest page and the leaderboard can be found here.
Note: Findings of this contest are private and can not be shared.