
All my Security Audits, Reviews and Contributions

Public Audits & Bug Bounties Stats

I participate in public audit platforms like Code4rena, Sherlock and Hats Finance. So far I have:

  • Participated in 20+ public audits
  • Reported 50+ High and Medium severity bugs

Top public audits

Audit Contest       Rank   Results
Ondo Finance        1st    link
Gravita Protocol    1st    link
Aragon Protocol     4th    link
Pool Together       4th    link
Caviar Protocol     7th    link
Reserve Protocol    9th    link

All my public bug reports can be found in public-audits.

Interesting bugs that I have found

  • First deposit bug in Ondo Finance (fork of Compound V2).

    The report shows how a token balance inflation attack can be performed on the protocol to steal users' deposits. More details in my blog post here and in the report.

  • Broken fallback price mechanism in Gravita Protocol

    The report demonstrates the broken fallback price oracle implementation of the protocol, which can lead to the protocol suffering a complete DoS. More details in the report.

  • Incorrect implementation of cross-chain smart contract system in PoolTogether protocol.

    This report shows how an incorrect implementation of a cross-chain system can cause loss of funds to the connecting transport layer. More details in the report.

  • Critical monetary loss bug in GoGoPool (an Ethereum staking protocol).

    This report shows how the funds staked by users in the staking protocol can be nullified by an attacker causing loss of funds to users. More details in the report.

  • Frontrunning the use of CREATE2 in Caviar protocol.

    This report demonstrates how the inefficient use of CREATE2 can be exploited by front-running to steal users' funds. More details in the report.

Some of my High severity findings

Audit Contest         Finding                                                                                   Details
Caviar Protocol       Funds can be stolen from pool due to inefficient royalty distribution                     link
Rabbithole Protocol   withdrawRemainingTokens and withdrawFee functions can be used to pull out user funds      link
GoGoPool Protocol     Funds of Node Operators can be nullified by any attacker                                  link
Escher Protocol       Loss of ETH for NFT buyers                                                                link

Beyond these reports, some of my findings have been kept private at the protocols' request. Results of some public audit contests and bounties are still pending; I'll add those once they are announced.

Private Audits

All my private audit contributions can be found in private-audits.