Project | Website | Report | Security Rating |
---|---|---|---|
Wirex Part 2 | Wirex | Coming Soon | 9/10 |
Humanity Protocol | Humanity Protocol | Coming Soon | 9/10 |
Juicebox V4 Round 2 | JuiceBox | Coming Soon | 8/10 |
Juicebox | https://juicebox.money/ | Report | 8/10 |
Dein Finance | https://dein.fi | Report | 7/10 |
Mem Bridge (EVM to AO Bridge) | https://decent.land | Report | 7.5/10 |
Mem Bridge (Solidity, JS, Lua) | https://decent.land | Report | 8.5/10 |
Chad Finance | https://chadfinance.xyz | Report | 9.5/10 |
Prophet Bots | https://prophetbots.io | Report | 7/10 |
Seraph | https://www.seraph.game/#/main | Report | 10/10 |
Zero Finance | https://zerog.finance/ | Report | 7.8/10 |
Wirex | https://wirexapp.com/ | Report | N/A |
Contest | Platform | Rank |
---|---|---|
Chainlink | Code4rena | 🥇 1st |
KelpDao | Code4rena | 🥈 2nd |
Aloe V2 | Sherlock | 🥈 2nd |
Hubble Exchange | Sherlock | 🥉 3rd |
Unstoppable | Sherlock | 4th |
Ondo Finance | Code4rena | 4th |
Axelar | Code4rena | 6th |
These achievements demonstrate my expertise in identifying critical vulnerabilities and providing valuable insights across various blockchain projects.
- User can avoid paying a high premium price by correctly timing his bond call
- Inaccurate swap amount calculation in ReLP leads to stuck tokens and lost liquidity
- Grade A analysis of protocol
- One user can drain all the rewards from the bathBuddy
- User can perform a first-deposit inflation attack on bathToken and take away all the shares and rewards too
- Reward vesting formula is wrongly implemented and leads to wrong and uneven distribution of rewards
- Using the `batchOffer()` and `batchQuote()` functions, a malicious user can disrupt the whole order book to his benefit and drain the whole contract balance
- Buy function transfers the assets to the zero address for an offer where owner and recipient are both zero
- Wrong use of `block.number` on Optimism leads to wrong interest calculations; users may end up paying a lot of interest or be unable to close a leveraged position
- No deadline parameter in the `sellAllAmount()` and `buyAllAmount()` functions
- `recipientsCounter` should start from 1 in `DonationVotingMerkleDistributionBaseStrategy`
- `Registry.sol` generates `Anchor.sol` clones that never work; profile owners cannot use their `Anchor` wallet
# Y2k Finance Findings
- PriceOracle will use the wrong price if the Chainlink registry returns a price outside the min/max range
- `getPriceFromChainlink()` doesn't check if the Arbitrum sequencer is down in Chainlink feeds
- Not using a slippage parameter or deadline while swapping on UniswapV3
- Lack of access control for `mintRebalancer()` and `burnRebalancer()`
The Proof of Concept (POC) for the recent thirdweb exploit: a simplified ERC20 version using ERC2771 context and OpenZeppelin's Multicall, demonstrating how an attacker could transfer any user's tokens, among other impacts. Participated in multiple contests and consistently ranked in the top 5, showcasing a strong understanding and skill set in smart contract security. Repo Link
You can connect with me at: