All my Security Audits, Reviews and Contributions
Public Audits & Bug Bounties Stats
I participate in public audit contests on platforms such as Code4rena, Sherlock and Hats Finance. So far I have:
- Participated in 20+ public audits
- Reported 50+ High and Medium severity bugs
Top public audits
Audit Contest | Rank | Results |
---|---|---|
Ondo Finance | 1st | link |
Gravita Protocol | 1st | link |
Aragon Protocol | 4th | link |
Pool Together | 4th | link |
Caviar Protocol | 7th | link |
Reserve Protocol | 9th | link |
All my public bug reports can be found in public-audits.
Interesting bugs that I have found
- First deposit bug in Ondo Finance (fork of Compound V2). The report shows how a token balance inflation attack can be performed on the protocol to steal users' deposits. More details in my blog post here and in the report.
- Broken fallback price mechanism in Gravita Protocol. The report demonstrates the broken fallback price oracle implementation of the protocol, which can lead to a complete DoS of the protocol. More details in the report.
- Incorrect implementation of the cross-chain smart contract system in PoolTogether protocol. This report shows how an incorrect implementation of the cross-chain system can cause loss of funds to the connecting transport layer. More details in the report.
- Critical monetary loss bug in GoGoPool (an Avalanche staking protocol). This report shows how the funds staked by users in the protocol can be nullified by an attacker, causing loss of funds to users. More details in the report.
- Frontrunning the use of CREATE2 in Caviar protocol. This report demonstrates how the insecure use of CREATE2 can be exploited by front-running to steal users' funds. More details in the report.
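The first-deposit bug in the Ondo Finance item above is an instance of the generic share-inflation attack on Compound V2-style markets, where the exchange rate is derived from `cash / totalSupply` and a mint rounds down. The model below is an added example written for this page, not Ondo's or Compound's code: it keeps only the exchange-rate arithmetic (no interest, borrows, reserves or decimal scaling), assumes a 1:1 initial exchange rate, and uses a hypothetical `DEAD_SHARES` lock as one possible mitigation. All amounts and actor names are constructed.

```python
"""Integer model of Compound V2-style cToken accounting and the first-deposit
(share inflation) attack. Constructed example; not any protocol's real code."""
from dataclasses import dataclass, field

EXP_SCALE = 10**18                  # mantissa scale for exchange rates, as in Compound
INITIAL_EXCHANGE_RATE = EXP_SCALE   # assumption: 1 underlying == 1 cToken while supply is 0
DEAD_SHARES = 10**3                 # assumption: shares locked forever by the hardened variant


@dataclass
class CTokenModel:
    hardened: bool = False          # False == plain Compound V2 behaviour
    cash: int = 0                   # underlying held by the market contract
    total_supply: int = 0           # cTokens outstanding
    balances: dict = field(default_factory=dict)

    def exchange_rate(self) -> int:
        # Compound V2: exchangeRate = (cash + borrows - reserves) / totalSupply,
        # or the initial rate when nothing has been minted yet.
        if self.total_supply == 0:
            return INITIAL_EXCHANGE_RATE
        return self.cash * EXP_SCALE // self.total_supply

    def donate(self, amount: int) -> None:
        # A plain ERC-20 transfer to the market: raises cash, mints nothing.
        self.cash += amount

    def mint(self, user: str, amount: int) -> int:
        # Rate is read before the transfer in, and the division floors (mintFresh).
        tokens = amount * EXP_SCALE // self.exchange_rate()
        if self.hardened:
            if self.total_supply == 0:
                # First depositor pays for DEAD_SHARES that nobody can redeem,
                # so totalSupply can never be driven down to a few wei.
                if tokens <= DEAD_SHARES:
                    raise ValueError("first deposit too small")
                self.balances["0xdead"] = DEAD_SHARES
                self.total_supply += DEAD_SHARES
                tokens -= DEAD_SHARES
            if tokens == 0:
                raise ValueError("deposit would mint zero shares")
        self.cash += amount
        self.total_supply += tokens
        self.balances[user] = self.balances.get(user, 0) + tokens
        return tokens

    def redeem(self, user: str, tokens: int) -> int:
        if self.balances.get(user, 0) < tokens:
            raise ValueError("insufficient cTokens")
        amount = tokens * self.exchange_rate() // EXP_SCALE
        self.balances[user] -= tokens
        self.total_supply -= tokens
        self.cash -= amount
        return amount


def attack(market: CTokenModel, victim_deposit: int) -> dict:
    """Run the inflation attack against an empty market and report the outcome."""
    # 1. Attacker is the first depositor with the smallest mint that is accepted.
    first = DEAD_SHARES + 1 if market.hardened else 1
    attacker_tokens = market.mint("attacker", first)
    # 2. Attacker donates underlying equal to the victim's pending deposit, so the
    #    few outstanding cTokens are now "worth" more than the victim sends.
    market.donate(victim_deposit)
    # 3. Victim's mint floors to zero cTokens in the unprotected market, while the
    #    market still keeps the victim's underlying.
    victim_tokens = market.mint("victim", victim_deposit)
    # 4. Both sides redeem what they hold.
    attacker_out = market.redeem("attacker", attacker_tokens)
    victim_out = market.redeem("victim", victim_tokens) if victim_tokens else 0
    return {
        "attacker_in": first + victim_deposit,
        "attacker_out": attacker_out,
        "victim_in": victim_deposit,
        "victim_tokens": victim_tokens,
        "victim_out": victim_out,
    }


if __name__ == "__main__":
    deposit = 1_000 * 10**18
    print("unprotected:", attack(CTokenModel(hardened=False), deposit))
    print("hardened:   ", attack(CTokenModel(hardened=True), deposit))
```

In the unprotected run the victim receives zero cTokens and the attacker's single cToken redeems for the donation plus the victim's entire deposit. With the locked shares, the attacker holds only 1 of 1001 initial shares, so pushing a victim's mint to zero would cost roughly a thousand times the victim's deposit and almost all of that donation accrues to the dead shares; the attack stops being profitable rather than being made impossible. A zero-share mint is also rejected outright, turning any remaining rounding loss into a revert.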
Some of my High severity findings
Audit Contest | Finding | Details |
---|---|---|
Caviar Protocol | Funds can be stolen from pool due to inefficient royalty distribution | link |
Rabbithole Protocol | withdrawRemainingTokens and withdrawFee functions can be used to pull out user funds | link |
GoGoPool Protocol | Funds of Node Operators can be nullified by any attacker | link |
Escher Protocol | Loss of ETH for NFT buyers | link |
Beyond these reports, some of my findings have been kept private at the protocols' request. Results of some public audit contests and bounties are still pending; I'll add those once they are announced.
Private Audits
All my private audit contributions can be found in private-audits.