About Me
I am a blockchain security researcher who started my journey in April 2023. I have participated in various audit contests on Sherlock and Code4rena, with multiple top 3 or top 5 contest rankings.
Aside from auditing, I also developed a vulnerability detector bot equipped with custom detectors, which I continuously maintain.
I come from an architecture and engineering background and shifted my focus from the physical environment to the ever-changing landscape of blockchain security.
Tools I use:
- Solidity
- Foundry
- Hardhat/Truffle
- Typescript/Javascript
- Python
What I've audited
Audit Competition as oakcobalt @ Code4rena
Oct 2023
View Repo Here
- Analysis report rated grade A.
- H/M Findings.
Audit Competition as oakcobalt @ Code4rena
Aug 2023
View Repo Here
- Ranked No.3 in Competition. See contest page.
- Analysis report rated grade A.
Audit Competition as oakcobalt @ Code4rena
Jul 2023
View Repo Here
- Ranked No.3 in Competition. See contest page.
- Analysis report rated grade A.
- QA report graded A.
- Gas report graded A.
Audit Competition as branch_indigo @ Sherlock
June 2023
View Repo Here
- Ranked No.3 in Competition, out of 155 participants. See contest page.
Audit Competition as branch_indigo @ Sherlock
June 2023
View Repo Here
- Ranked No.4 in Competition, out of 271 participants. See contest page.
Audit Competition as branch_indigo @ Sherlock
April 2023
View Repo Here
- Ranked No.7 in Competition, out of 230 participants. See contest page.
Some of my analysis & findings
Featured
Venus Prime (2023-10)
Category: DeFi
Primitives: yield farming
Analysis Report:
My report is rated grade A and focuses on edge cases of the reward accounting system, especially how different user balance changes or global parameter changes might result in inconsistencies and errors in rewards. See report.
H/M Findings:
QA (grade B): See report
Gas (grade B): See report
SLOC: 1039
- Hardhat
Featured
Shell Protocol Audit (2023-08)
Category: DeFi
Primitives: bonding curve calculation
Analysis Report:
My report is rated grade A and focuses on how the bonding curve is controlled in the code implementation. This concerns the flow that calculates input and output token amounts for a token swap, as well as the initial setup of curve parameters. See report.
H/M Findings:
SLOC: 460
- Foundry
- Hardhat
Featured
veRWA Protocol Audit (2023-08)
Category: DeFi
Primitives: voting-escrow
H/M Findings:
- High: A malicious user can drastically increase their voting power by delegating to another self-managed account that holds only a dust amount in lock
- High: Contrary to the sponsor's intent, the gauge's weight will not be updated properly if governance does not change the weight before any voting
QA (grade A): See report
SLOC: 749
- Foundry
Featured
Basin Protocol Audit (2023-07)
Category: DeFi
Primitives: liquidity pools, oracles
Analysis Report:
My report is rated grade A and covers various aspects of the protocol, such as the auditing approach, architecture, codebase quality, centralization risks, mechanism design, and systemic risks. See report.
H/M Findings:
- High: Users can bypass the reserve update to MultiFlowPump by trading directly through shift()
- Medium: (Solo) A single hardcoded cap used for multiple tokens in a pump causes some assets to become more stale, while having no effect on other stable assets
QA (grade A): See report
Gas (grade A): See report
SLOC: 1145
- Foundry
- Hardhat
Featured
Ajna Protocol Audit (2023-06)
Category: DeFi
Primitives: borrowing and lending, oracleless
H/M Findings:
- Medium: (Selected for report) Lenders lose interest and pay deposit fees due to no slippage control
SLOC: 5659
- Foundry
Featured
Iron Bank Audit (2023-06)
Category: DeFi
Primitives: AMM, borrowing and lending, oracles
H/M Findings:
- Medium: (Solo) Wrong price will be returned when the asset is the PToken for wstETH
- Medium: Price oracle data freshness is not checked, so a stale price might be used to price borrows and liquidations
- Medium: Missing check for whether the L2 sequencer is active
SLOC: 2241
- Hardhat
Featured
Teller Protocol Audit (2023-04)
Category: DeFi
Primitives: AMM, borrowing and lending
H/M Findings:
- Medium: (Solo) Premature liquidation when a borrower pays early
SLOC: 1428
- Hardhat
Other Projects
View Complete List of Projects/Codes
Damn Vulnerable Defi V3 Solutions
I completed the Damn Vulnerable Defi V3 challenges, a series of Solidity hacking games created by @tinchoabbate. The native test environment uses the Hardhat framework with ethers.js. The linked GitHub repo contains my solution walk-through and test code for each challenge. V3 included several revisions to the V2 challenges based on the latest security breaches in the blockchain space, along with three new challenges: Wallet Mining, Puppet V3, and ABI Smuggling. During my testing, I tried to identify all vulnerabilities in the contracts and also proposed fixes to prevent future hacks.
Pretty Faces Live Drop
Pretty Faces Paperwhite release is an NFT creation and minting project. The NFT token contract is built and adapted to support the OpenSea operator registry and meta transactions on Polygon mainnet. The frontend component of this project shows the countdown to the NFT drop and supports live minting and viewing of minted NFTs.
What's Next?
Get In Touch
My inbox is always open. Whether you have a question or just want to say hello, I'll try my best to get back to you! Feel free to mail me about any relevant job updates.