SC Campaign 6, Sentiment V2

Sherlock bug bounty · $150K max · 23 agents · May 14, 2026

Findings verified

4 of 5

1 critical, 1 high, 2 medium

Expected value (0.3x)

$5.6K-$18.7K

Net after $1,250 submission cost

Kill rate

98%

250+ raw became 5 submittable

Forge PoC

6/6 PASS

S-01 AggV3Oracle negative price

Verified findings

ID	Finding	Severity	Rating	Confidence	Verification	Submit
S-02	HyperliquidUsdcOracle ETH_INDEX=4 is DYDX, not ETH (15,000x overvaluation)	Critical	10/10	99%	Mainnet API	YES
S-04	RedstoneOracle ms/seconds mismatch, staleness check 100% broken	High	9/10	95%	Source Code	YES
S-01	AggV3Oracle missing negative/zero price check (pattern gap vs sister contracts)	Medium	8/10	99%	Forge 6/6	YES
S-03	Hyperliquid Oracle zero price validation missing (division by zero DoS)	Medium	7/10	90%	Pattern Match	YES
S-05	SuperPool cannot force-remove paused pool (funds locked)	Medium	6/10	80%	Logical	MAYBE

Finding write-ups

S-02 HyperliquidUsdcOracle, critical (10/10)

Bug

ETH_INDEX = 4 in HyperliquidUsdcOracle.sol, but index 4 on Hyperliquid mainnet is DYDX ($0.15), not ETH ($2,269).

Impact

getValueInEth() divides the USDC amount by the DYDX price instead of the ETH price. That's a 15,127x overvaluation of USDC collateral, which opens unlimited undercollateralized borrowing and drives the protocol insolvent.

Verification

Confirmed across 4 independent sources. The Hyperliquid mainnet API (meta endpoint), metaAndAssetCtxs live prices, the on-chain precompile at 0x0806, and the official GitHub repo all agree.

Sister contract

HyperliquidOracle.sol gets it right with ETH_INDEX = 1.

S-04 RedstoneOracle, high (9/10)

Bug

getOracleNumericValuesAndTimestampFromTxMsg() returns the timestamp in milliseconds. It gets stored raw as priceTimestamp, then compared against block.timestamp (seconds) in the staleness check.

Impact

priceTimestamp (~1.7 trillion) is always greater than block.timestamp - 3600 (~1.7 billion). So the staleness check never triggers and arbitrarily stale prices sail through.

Verification

Redstone source code shows RedstoneDefaultsLib.validateTimestamp(uint256 receivedTimestampMilliseconds) dividing by 1000 on purpose. Sentinel V2's prior audited version used block.timestamp directly, so this is a regression introduced after the audit.

S-01 AggV3Oracle, medium (8/10)

Bug

_getPrice() casts int256 answer to uint256 without checking answer <= 0. The sister contracts ChainlinkEthOracle (L116) and ChainlinkUsdOracle (L135) both check it.

Impact

A zero price values the asset at 0, which triggers unfair liquidation. A negative price causes an arithmetic panic, which is a DoS. No graceful error handling either way.

Verification

Forge PoC passes 6 of 6 tests. For audit precedent, see Sherlock WooFi #22 (Medium) and C4 Juicebox #78 (Medium).

Expected value breakdown

S-02

$12.8K-$42.5K (85%)

S-04

$4K-$12K (80%)

S-01

$0.9K-$4.5K (90%)

S-03

$0.75K-$2.25K (75%)

S-05

$0.3K-$1.2K (60%)

Total raw EV $18.8K-$62.5K 0.3x reality discount $5.6K-$18.7K · submission cost $1,250 · net $4.4K-$17.5K

Agent deployment, 20 audit plus 3 verification

R1 Prior Audit

38K tok · 40 calls

R2 Scope/Changes

34K tok · 44 calls

A3 Pool Core

45K tok · 22 calls

A4 PositionMgr

58K tok · 25 calls

A5 Oracle Surface

52K tok · 30 calls

A6 SuperPool

48K tok · 28 calls

A7 RiskEngine

42K tok · 20 calls

A8 Liquidation

50K tok · 24 calls

A9 Reentrancy

98K tok · 29 calls

A10 Access Ctrl

40K tok · 18 calls

A11 ERC-6909

35K tok · 15 calls

A12 IRM

30K tok · 12 calls

A13 Borrow/Repay

53K tok · 18 calls

A14 Hyperliquid

44K tok · 33 calls

A15 AggV3/Meta

63K tok · 38 calls

A16 Flow Trace

65K tok · 10 calls

A17 X-Contract

97K tok · 30 calls · KEY

A18 Math Prec

89K tok · 25 calls

A19 Post-Audit

116K tok · 57 calls · KEY

A20 Economic

63K tok · 15 calls

V1 HL ETH_INDEX

38K · CRITICAL FIND

V2 Redstone ms

43K · HIGH FIND

V3 CL Negative

42K · Precedent confirmed

Compute usage summary

This session

~1.55M tokens

~805 tool calls across 23 agents

Model Claude Opus 4.6, all agents

DeepSeek $29.95 unburned, not configured

Forge 6/6 tests compiled and passed

Est. API cost ~$25-35

Campaign comparison

Metric	C5	C6
Agents	8	23
Tokens	550K	1.55M
Findings	2-5	4-5
Raw EV	$9K	$5.6-18.7K
Forge PoC	No	Yes
X-Contract	No	Yes

Pipeline evolution, lessons applied

Campaign 5 lesson Cross-contract mitigations kill findings (H-01 died in 30s).
Applied. Agent 17 (cross-contract tracer) killed 15+ false positives.

Campaign 5 lesson Always run a forge PoC before rating above 6/10.
Applied. S-01 forge PoC 6/6 PASS, behavior correctly characterized.

Campaign 4 lesson Dedup against prior audits before investing in a PoC.
Applied. 26 prior findings matched, 98% kill rate.

New Mainnet verification for on-chain constants.
Result. S-02 upgraded 7/10 to 10/10 critical.

New Source code verification for external dependencies.
Result. S-04 upgraded 50% to 95% confidence.

Generated by Autonomous SC Audit Pipeline v2 · 23 Claude Opus 4.6 agents · May 14, 2026