d3e4
Rankings
#48 2024
#90 All-time
#408 90-day
High-risk
21 Total
1 Solo
Medium-risk
51 Total
6 Solo
Activity
43 Audits
February 2025
7 February 2025
Next Generation
Identified 1 confirmed finding
Finding not yet public
August 2024
6 August 2024
TraitForge
Medium-risk
Identified a finding grouped with:
Potential Uninitialized `entropySlots` Reading in `getNextEntropy`, Causing 0 Entropy Mint
July 2024
15 July 2024
DittoETH Invitational
High-risk
Identified a finding grouped with:
Incorrect accounting bug of the `yDUSD` vault leads to total loss of depositors' `DUSD` assets
High-risk
Selected for report
1 July 2024
Krystal DeFi Invitational
Medium-risk
Identified a finding grouped with:
Swapping logic would be broken for some supported tokens
Medium-risk
Selected for report
May 2024
17 May 2024
NOYA
Medium-risk
Identified a finding grouped with:
First depositor can make subsequent depositor lose all of her or his deposit
Medium-risk
Selected for report
Medium-risk
Identified a finding grouped with:
`performanceFeeReceiver` cannot mint any performance fee shares even if TVL is dropped by only a very tiny amount
Medium-risk
Identified a finding grouped with:
`AccountingManager` contract's `previewDeposit`, `previewMint`, `previewWithdraw`, and `previewRedeem` functions are not compliant with EIP-4626 standard
Medium-risk
Identified a finding grouped with:
`AccountingManager` contract's `previewDeposit`, `previewMint`, `previewWithdraw`, and `previewRedeem` functions are not compliant with EIP-4626 standard
Medium-risk
Identified a finding grouped with:
`AccountingManager` contract's `previewDeposit`, `previewMint`, `previewWithdraw`, and `previewRedeem` functions are not compliant with EIP-4626 standard
Medium-risk
Identified a finding grouped with:
`AccountingManager` contract's `previewDeposit`, `previewMint`, `previewWithdraw`, and `previewRedeem` functions are not compliant with EIP-4626 standard
Medium-risk
Identified a finding grouped with:
`maxDeposit`, `maxMint`, `maxWithdraw`, and `maxRedeem` functions do not return 0 when they should
Medium-risk
Identified a finding grouped with:
`maxDeposit`, `maxMint`, `maxWithdraw`, and `maxRedeem` functions do not return 0 when they should
Medium-risk
Identified a finding grouped with:
`maxDeposit`, `maxMint`, `maxWithdraw`, and `maxRedeem` functions do not return 0 when they should
Medium-risk
Identified a finding grouped with:
`maxDeposit`, `maxMint`, `maxWithdraw`, and `maxRedeem` functions do not return 0 when they should
10 May 2024
HODL Invitational
Identified 4 confirmed findings
Finding not yet public
8 May 2024
Renzo
High-risk
Identified a finding grouped with:
Withdrawals logic allows MEV exploits of TVL changes and zero-slippage zero-fee swaps
Medium-risk
Identified a finding grouped with:
stETH/ETH Feed being used opens up to 2 way deposit<->withdrawal arbitrage
8 May 2024
LoopFi
April 2024
25 April 2024
DYAD
Medium-risk
Identified a finding grouped with:
Value of kerosene can be manipulated to force liquidate users
Medium-risk
Identified a finding grouped with:
Incorrect deployment / missing contract will break functionality
High-risk
Identified a finding grouped with:
Inability to perform partial liquidations allows huge positions to accrue bad debt in the system
High-risk
Identified a finding grouped with:
Unable to withdraw Kerosene from `vaultmanagerv2::withdraw` as it expects a `vault.oracle()` method which is missing in Kerosene vaults
18 April 2024
AI Arena Mitigation Review
Medium-risk
Selected for report
Medium-risk
Identified a finding grouped with:
Players can exploit `mintFromMergingPool` dna calculation to mint rare fighter
Medium-risk
Selected for report
5 April 2024
DittoETH
3 April 2024
Canto Invitational
High-risk
Identified a finding grouped with:
Dual transaction nature of composed message transfer allows anyone to steal user funds
March 2024
11 March 2024
PoolTogether
High-risk
Identified a finding grouped with:
Any fee claim lesser than the total `yieldFeeBalance` as unit of shares is lost and locked in the `PrizeVault` contract
Medium-risk
Selected for report
Medium-risk
Selected for report
Medium-risk
Identified a finding grouped with:
`_maxYieldVaultWithdraw()` uses `yieldVault.convertToAssets()`
February 2024
21 February 2024
AI Arena
High-risk
Identified a finding grouped with:
Malicious user can stake an amount which causes zero curStakeAtRisk on a loss but equal rewardPoints to a fair user on a win
Medium-risk
Identified a finding grouped with:
Can mint NFT with the desired attributes by reverting transaction
High-risk
Identified a finding grouped with:
Players have complete freedom to customize the fighter NFT when calling `redeemMintPass` and can redeem fighters of types Dendroid and with rare attributes
Medium-risk
Selected for report
High-risk
Identified a finding grouped with:
Fighters cannot be minted after the initial generation due to uninitialized `numElements` mapping
Medium-risk
Identified a finding grouped with:
Can mint NFT with the desired attributes by reverting transaction
High-risk
Identified a finding grouped with:
Since you can reroll with a different fighterType than the NFT you own, you can reroll bypassing maxRerollsAllowed and reroll attributes based on a different fighterType
Medium-risk
Identified a finding grouped with:
Fighter created by mintFromMergingPool can have arbitrary weight and element
High-risk
Identified a finding grouped with:
A locked fighter can be transferred; leads to game server unable to commit transactions, and unstoppable fighters
19 February 2024
Althea Liquid Infrastructure
Medium-risk
Identified a finding grouped with:
Distribution can be bricked, and double claims by a few holders are possible when owner calls `LiquidInfrastructureERC20::setDistributableERC20s`
High-risk
Identified a finding grouped with:
Holders array can be manipulated by transferring or burning with amount 0, stealing rewards or bricking certain functions
January 2024
16 January 2024
Curves
Medium-risk
Identified a finding grouped with:
onBalanceChange causes previously unclaimed rewards to be cleared
High-risk
Identified a finding grouped with:
Unrestricted claiming of fees due to missing balance updates in `FeeSplitter`
Medium-risk
Identified a finding grouped with:
Selling will be bricked if all other tokens are withdrawn to ERC20 token
High-risk
Identified a finding grouped with:
Whitelised accounts can be forcefully DoSed from buying curveTokens during the presale
November 2023
17 November 2023
Canto Application Specific Dollars and Bonding Curves for 1155s
Medium-risk
Identified a finding grouped with:
Users will lose rewards when buying new tokens if they already own some tokens
15 November 2023
Kelp DAO | rsETH
October 2023
30 October 2023
Ethena Labs
Medium-risk
Identified a finding grouped with:
Malicious users can front-run to cause a denial of service (DoS) for StakedUSDe due to MinShares checks
Medium-risk
Identified a finding grouped with:
Malicious users can front-run to cause a denial of service (DoS) for StakedUSDe due to MinShares checks
26 October 2023
The Wildcat Protocol
25 October 2023
Asymmetry Finance afETH Mitigation Review
Medium-risk
Identified a finding grouped with:
[ADRIRO-NEW-M-02] AfEth withdrawals are delayed even if the vAfEth withdrawal amount is zero
High-risk
Identified a finding grouped with:
[ADRIRO-NEW-H-01] VotiumStrategy withdrawal can still be executed with minimal delay
Medium-risk
Selected for report
Medium-risk
Identified a finding grouped with:
[ADRIRO-NEW-M-01] Manager authorization in VotiumStrategy still leaves room for unprotected access
Medium-risk
Identified a finding grouped with:
[ADRIRO-NEW-H-03] Invalid operation in `withdrawStuckTokens()` will break CVX balance tracking in VotiumStrategy
Medium-risk
Selected for report
September 2023
27 September 2023
Asymmetry Finance afETH Invitational
High-risk
Identified a finding grouped with:
`price()` in `AfEth.sol` doesn't take afEth held for pending withdrawals into account
High-risk
Identified a finding grouped with:
`price()` in `AfEth.sol` doesn't take afEth held for pending withdrawals into account
High-risk
Identified a finding grouped with:
Functions in the `VotiumStrategy` contract are susceptible to sandwich attacks
High-risk
Selected for report
Medium-risk
Identified a finding grouped with:
VotiumStrategy withdrawal queue fails to consider available unlocked tokens causing different issues in the withdraw process
High-risk
Identified a finding grouped with:
AfEth deposits could use price data from an invalid Chainlink response
Medium-risk
Identified a finding grouped with:
Swap functionality to sell rewards is too permissive and could cause accidental or intentional loss of value
High-risk
Identified a finding grouped with:
Zero amount withdrawals of SafEth or Votium will brick the withdraw process
August 2023
28 August 2023
Shell Protocol
March 2023
30 March 2023
Asymmetry contest
High-risk
Identified a finding grouped with:
An attacker can manipulate the preDepositvePrice to steal from other users.
High-risk
Identified a finding grouped with:
Reth.sol: Withdrawals are unreliable and depend on excess RocketDepositPool balance which can brick the whole protocol
Medium-risk
Identified a finding grouped with:
Missing derivative limit and deposit availability checks will revert the whole `stake()` function
Medium-risk
Selected for report
Medium-risk
Identified a finding grouped with:
Stuck ether when use function `stake` with empty `derivatives`(`derivativeCount` = 0)
20 March 2023
Canto Identity Subprotocols contest
Medium-risk
Selected for report
Medium-risk
Selected for report
Medium-risk
Selected for report
9 March 2023
Wenwin contest
Medium-risk
Identified a finding grouped with:
Unsafe casting from `uint256` to `uint16` could cause ticket prizes to become much smaller than intended
Medium-risk
Identified a finding grouped with:
Possibility to steal jackpot bypassing restrictions in the executeDraw()
7 March 2023
Ethos Reserve contest
Medium-risk
Identified a finding grouped with:
``lastFeeOperationTime`` is not modified correctly in function ``_updateLastFeeOpTime()``, resuling a much slower decay model for borrowing base rate
November 2022
10 November 2022
Debt DAO contest
Medium-risk
Identified a finding grouped with:
address.call{value:x}() should be used instead of payable.transfer()
Medium-risk
Identified a finding grouped with:
Borrower/Lender excessive ETH not refunded and permanently locked in protocol
October 2022
30 October 2022
Inverse Finance contest
Medium-risk
Identified a finding grouped with:
Chainlink oracle data feed is not sufficiently validated and can return stale `price`
Medium-risk
Identified a finding grouped with:
Protocol withdrawals of collateral can be unexpectedly locked if governance sets the `collateralFactorBps` to 0.
25 October 2022
Holograph contest
High-risk
Identified a finding grouped with:
An attacker can manipulate each pod and gain an advantage over the remainder Operators
Medium-risk
Selected for report
Medium-risk
Identified a finding grouped with:
`_payoutEth()` calculates `balance` with an offset, always leaving dust `ETH` in the contract
23 October 2022
3xcalibur contest
Identified 1 confirmed finding
Finding not yet public
12 October 2022
The Graph L2 bridge contest
Medium-risk
Selected for report
10 October 2022
Blur Exchange contest
High-risk
Identified a finding grouped with:
StandardPolicyERC1155.sol returns amount == 1 instead of amount == order.amount
September 2022
23 September 2022
VTVL contest
Medium-risk
Identified a finding grouped with:
Supply cap of VariableSupplyERC20Token is not properly enforced
15 September 2022
Nouns Builder contest
1 September 2022
Olympus DAO contest
Medium-risk
Selected for report