I am an offensive cybersecurity professional with more than 8 years in the industry. For more than 2.5 years I have worked in the web3 (blockchain) industry, auditing smart contracts and assessing the security of other blockchain-related technology. I specialize in EVM (Solidity); additionally, I have experience with Rust-based languages such as CosmWasm, Move, NEAR and Solana. I am also familiar with blockchain-related technologies such as blockchain-specific web2 threats, auditing wallets, MetaMask snaps and backend infrastructure, Discord and Telegram bots, and any other hybrid web2/web3 solutions.
I have scored several top-10 places in contests on platforms such as Sherlock and Code4rena under the nickname ArmedGoose. In the past I worked for the web3 firms Halborn and Binance, where I performed multiple smart contract audits. Currently I audit smart contracts at Sayfer, Oak Security and Hashlock.
Contest results (participating as ArmedGoose)
Date | Platform | Protocol | Position | Findings (H = High, M = Medium) |
---|---|---|---|---|
April 2024 | Code4rena | DYAD | N/A | 2H, 3M |
March 2024 | Code4rena | Spectra | 2 | 1M |
December 2023 | Code4rena | Revolution Protocol | 9 | 1H, 1M |
October 2023 | Sherlock | Real Wagmi #2 | 6 | 1M |
September 2023 | Code4rena | Dopex | N/A | 1M |
September 2023 | Sherlock | Allo V2 / Gitcoin | N/A | 2M |
August 2023 | Sherlock | Dinari | 17 | 1M |
January 2023 | Code4rena | RabbitHole Quest Protocol | 18 | 1H, 2M |
Audit reports
Protocol Name | Tech | Report Link |
---|---|---|
Dexlyn Bridge | Move | Report |
Balanced Network | Move | Report |
U2U Mobile Wallet | Mobile App | Report |
Magma Core | CosmWasm | Report |
SendIt | CosmWasm | Report |
Astroport Updates | CosmWasm | Report |
Dark Mythos | Solidity | Report |
Cypher Autoload | Solidity | Report |
Hydro Protocol | CosmWasm | Report |
MELD | Solidity | Report |
Hello Labs - Bridge | Solana | Report |
Satay Finance | Move | Report |
Pontem Network - Liquidswap | Move | Report |
Articles
Topic | Date | Link |
---|---|---|
MOVE demystified part 3 | 2024 | Medium |
MOVE demystified part 2 | 2024 | Medium |
MOVE demystified part 1 | 2024 | Medium |
Deep dive into ERC4626 issues | 2024 | Medium |
Proxy vulnerabilities part 2 | 2023 | Medium |
Proxy vulnerabilities part 1 | 2023 | Medium |
Ethereum signatures for hackers | 2023 | Medium |
A guide to reentrancy | 2023 | Medium |
Zero-day vulnerabilities I found that were assigned CVE numbers (mostly in web applications)
CVE | Description | Details |
---|---|---|
CVE-2017-1181, CVE-2017-1183, CVE-2017-11821 | IBM TEP Server: SQL injection, authorization bypass, OS command injection | Security advisory |
CVE-2017-10059 | Oracle BI Publisher: stored XSS | Security advisory |
CVE-2017-10060 | Oracle BI Publisher: XXE | Security advisory |
CVE-2017-10068, CVE-2018-2651, CVE-2018-2652, CVE-2018-2653, CVE-2018-2695 | Oracle BI Publisher and PeopleSoft Enterprise PeopleTools: XSS, XXE, SSRF, XSLT execution | Security advisory |
CVE-2017-1631 | IBM Tivoli Netcool/OMNIbus WebGUI: CSRF | Security advisory |
CVE-2018-6498, CVE-2018-6499 | Micro Focus AutoPass License Server: remote code execution | Security advisory |
CVE-2020-2563 | Oracle Hyperion: cross-site scripting | Security advisory |
CVE-2019-2932 | Oracle PeopleSoft Tree Manager: SSRF | Security advisory |
CVE-2020-5907 | F5 TMOS Shell: privilege escalation | Security advisory |
CVE-2021-21558, CVE-2021-21559 | Dell EMC NetWorker: information disclosure and flaw in SSL validation logic | Security advisory |