Here's a compilation of smart contract audits I've been involved in, along with some live bugs I've discovered.

vnmrtz/audits

Audit Experience

Overview

Experienced security researcher & Solidity white-hat with a robust two-year background in blockchain security. Started as a white-hat on Immunefi in late 2021, successfully addressing vulnerabilities in prominent protocols like AAVE and RAI (see Bug Bounties section), securing +33M USD live at risk. Current roles include Smart Contract Auditor at Oak Security/Solidified, ASR at Spearbit, and Independent Security Researcher providing security services to top-tier protocols.

I have successfully collaborated with protocols like Euler Finance and TapiocaDao, implementing invariant testing suites for their codebases:

External Audits

Aave-token v3

  • Company: Certora, AAVE
  • Link: GitHub, Report
  • Reflection: Identified a high-severity issue, won first place in AAVE grant.

Aave-starknet: bridge

  • Company: Certora, AAVE
  • Link: GitHub, Report
  • Reflection: Implemented 18 formal rules, achieved sixth place in AAVE grant.

Blockswap Formal Verification

  • Company: Certora
  • Link: GitHub
  • Reflection: Implemented 10 formal rules for Syndicate codebase.

Mauve & Violet: uniswap v3 fork with KYC

  • Company: Oak Security/Solidified
  • Link: Report

exit10: bootstrapping

  • Company: yAcademy
  • Link: Report

VMEX: AAVE v2 fork

  • Company: yAcademy
  • Link: Report
  • Reflection: Found a unique high-severity issue.

Xaya Democrit, Gaming rollup L1 contracts

  • Company: Oak Security/Solidified
  • Link: Report

MaxApy (Assembly gas optimisation): DeFi strategies aggregator

  • Company: Turing Consulting
  • Link: Report Not Public, Website
  • Reflection: Decreased gas costs up to 67% on main user functions.

Unlockd v2 (Gas optimisation): NFT borrowing and lending

  • Company: Turing Consulting
  • Link: Report Not Public, Twitter, GitHub
  • Reflection: Reduced users' gas costs up to 36%.

HAI: Stablecoin, RAI fork on Optimism

  • Company: Oak Security/Solidified
  • Link: Report Not Public Yet, GitHub, Issue
  • Reflection: Found two unique high-severity issues.

OpenDollar: Stablecoin

  • Company: C4 contest
  • Link: Contest Page
  • Reflection: Despite my usual focus on bug bounties and security reviews, I came across a high-severity issue identified only by another warden. This finding earned a spot in the official report and achieved a noteworthy sixth place in the contest rankings.

Sablier: v2-core & v2-periphery changelog audit

Unhosted Wallet: AA wallet with defi integrations

  • Company: Independent Audit
  • Link: GitHub

Bug Bounties

July 2022

  • Protocol: [HIGH] AAVE v3 token, DeFi Lending and Borrowing
  • Link: Disclosure
  • Reflection: Found a high-severity issue on the AAVE token, fixed by the AAVE team.

October 2023

  • Protocol: [HIGH] RAI (debt auctions bug), non-pegged stable-coin
  • Link: Write-up
  • Reflection: Discovered a high-severity bug in RAI, leading to unintended overinflation.

November 2023

  • Protocol: [HIGH] TAI (debt auctions bug), stablecoin
  • Link: Private, Website
  • Reflection: Addressed the identified bug in the TAI Company.

December 2023

  • Protocol: [CRITICAL] RAI (liquidations DOS, GEB framework zero day), non-pegged stable-coin
  • Link: Disclosure
  • Reflection: Discovered a critical bug in the GEB framework of the RAI stablecoin, securing +33M of TVL at risk.

Public Content

Talks and Seminars

Delivered talks and seminars on EVM and smart contract security:

Articles and Write-ups

Collection of articles on EVM and security, along with detailed write-ups of publicly disclosed bugs on blog:
