Experienced security researcher and Solidity white-hat with over three years of expertise in blockchain security. Started as a white-hat researcher in 2021, successfully addressing vulnerabilities in prominent protocols like AAVE and RAI, safeguarding over $33M in live assets at risk (see Bug Bounties section). Co-founder of Enigma Dark, a leading Web3 security firm, serving as Lead Security Researcher and Main Fuzzing Engineer. Additional roles include Security Researcher at Spearbit and Smart Contract Auditor at Oak Security/Solidified.
Involved in fuzz and invariant testing research, I have successfully collaborated with protocols like Euler Finance, AAVE, Silo Finance, Flower Money and TapiocaDao, implementing invariant testing suites for their codebases:
- https://www.euler.finance/blog/euler-and-spearbit-set-to-host-cryptos-largest-audit-competition, https://twitter.com/vn_martinez_/status/1771220621554303066?s=20
- https://twitter.com/twMattt/status/1769560402206040413?s=20
- Company: Certora, AAVE
- Link: GitHub, Report
- Reflection: Identified a high-severity issue, won first place in AAVE grant.
- Company: Certora, AAVE
- Link: GitHub, Report
- Reflection: Implemented 18 formal rules, achieved sixth place in AAVE grant.
- Company: Certora
- Link: GitHub
- Reflection: Implemented 10 formal rules for Syndicate codebase.
- Company: Oak Security/Solidified
- Link: Report
- Company: yAcademy
- Link: Report
- Company: yAcademy
- Link: Report
- Reflection: Found a unique high-severity issue.
- Company: Oak Security/Solidified
- Link: Report
- Company: Turing Consulting
- Link: Report Not Public, Website
- Reflection: Decreased gas costs up to 67% on main user functions.
- Company: Turing Consulting
- Link: Report Not Public, Twitter, GitHub
- Reflection: Reduced users' gas costs up to 36%.
- Company: Oak Security/Solidified
- Link: Report Not Public Yet, GitHub, Issue
- Reflection: Found two unique high-severity issues.
- Company: C4 contest
- Link: Contest Page
- Reflection: Despite my usual focus on bug bounties and security reviews, I came across a high-severity issue identified only by another warden. This finding earned a spot in the official report and achieved a noteworthy sixth place in the contest rankings.
- Company: Independent Audit
- Link: GitHub
- Protocol: [HIGH] AAVE v3 token, DeFi Lending and Borrowing
- Link: Disclosure
- Reflection: Found a high-severity issue on the AAVE token, fixed by the AAVE team.
- Protocol: [HIGH] RAI (debt auctions bug), non-pegged stable-coin
- Link: Write-up
- Reflection: Discovered a high-severity bug in RAI, leading to unintended overinflation.
- Protocol: [HIGH] TAI (debt auctions bug), stablecoin
- Link: Private, Website
- Reflection: Addressed the identified bug in the TAI Company.
- Protocol: [CRITICAL] RAI (liquidations DOS, GEB framework zero day), non-pegged stable-coin
- Link: Disclosure
- Reflection: Discovered a critical bug in the GEB framework of the RAI stablecoin, securing +33M of TVL at risk.
Delivered talks and seminars on EVM and smart contract security:
- [Calyptus] Mastering Fuzzing
- [Opensense] Low-level Vulnerabilities
- [Secureum: TrustX 2023] Tips to Master Fuzzing
Collection of articles on EVM and security, along with detailed write-ups of publicly disclosed bugs, on the blog: