whoami

Hi! I am a Zero-Day AI Security Researcher. I break AI agents, LLM tool-calling pipelines, and sandboxed code-execution environments. Previously: Web3 smart contracts (Solidity, Rust, Go, Motoko), L1/L2/bridges/VMs, web & API security, and cloud reviews (AWS, GCP). Sometimes I develop open-source tools and share personal research.
[Critical] Scroll Chain DoS via CCC Overflows in Single User Transactions
WalletConnect: Submitting malicious transactions into crypto wallet on behalf of any dApp
Sperax: USDs - Quantstamp audit
Venus: Liquidator - Quantstamp audit
HashPack: Hedera Crypto Wallet - Quantstamp audit
Boba: NFT Bridges And LP Floating Fee - Quantstamp audit
OasisSwap: AMM (SushiSwap v2 fork) - Quantstamp audit
Obol: Charon Distributed Validator Client - Quantstamp audit
Chainlink: CCIP and ARM Network - Code4rena
Chainlink: Staking v0.2 - Code4rena
Review of 2,000,000$ vulnerability within the Optimism VM
Phishing and credential harvesting in Electron applications
1-click RCE in Electron Applications
0-click RCE in Electron Applications
GSuite domain takeover through delegation
Finding broken access controls through source code in .NET applications
Finding SQL Injections through source code in .NET applications
Report for HackerOne Grinch CTF 2020