Projects
- clairvoyance: obtain a GraphQL API schema even if introspection is disabled
- pwnhub: how GitHub Actions workflows can be hacked
- orgs-data: mapping from bug bounty and vulnerability disclosure programs to their respective GitHub organizations
Smart Contract Audits
- Uniswap v4 Core Audit
- Snapshot X Starknet Audit
- Compound Comprehensive Protocol Audit
- 1inch Limit Order Settlement Audit
- 1inch Limit Order Protocol Diff Audit
- ZK Email Account Recovery – Security Review Report
- Nodle Network Smart Contracts – Security Review Report
- Across V3 Incremental Audit
- Across V2 Incremental Audit
- UMA Across V2 Diff Audit 2023
- ANZ Bank’s $30 million stablecoin transaction secured by OpenZeppelin
- Neptune Mutual Audit
- UMA Optimistic Governor Audit
- Mantle Node, Batcher, Proposer, and Tooling Incremental Audit
- Origin OGV and OGN Merge Audit
Writings
- ZK Email: Unveiling Classic Attacks and Why Zero-Knowledge Proofs Alone Are Not a Panacea (Mikhail Egorov, Denis Kolegov, Nikita Stupin)
- “Not is not iszero” [EN]
- “JavaScript prototype pollution: practice of finding and exploitation” [EN|RU]
- “Security of mobile OAuth 2.0” [EN|RU]
- “GraphQL Voyager as a tool for API security testing” [EN|RU]
- “Vulnerability hunting made 7% more effective” [RU]
Talks
- “Bug Hunting in Smart-Contracts: Where to Begin”:
  - VolgaCTF 2022, Online. Slides: EN.
- “Client-side JavaScript prototype pollution” (made in collaboration with @Black2Fan):
- “Access control vulnerabilities in GraphQL APIs”:
  - OWASP AppSec Israel 2020, Online. Slides: EN, recording: EN.
  - Swiss Cyber Storm 2019, Bern.
  - OFFZONE 2019, Moscow. Recording: EN.
- “Vulnerabilities of mobile OAuth 2.0”:
  - Insomnihack 2019, Geneva. Slides: EN and recording: EN.
  - OFFZONE 2018, Moscow. Slides: EN, recording: RU.
  - DC7831, Nizhny Novgorod.
  - RuCTF 2019, Ekaterinburg.
- “IoT hacking from web perspective”:
  - VolgaCTF 2020, Samara. Slides: EN.
Courses
- Computer Systems Security 21/22, Applied Mathematics and Informatics program, Faculty of Computer Science, HSE University. The course was created in collaboration with @sms-system.
- Internet Application Security, VK Education Center at Bauman Moscow State Technical University