Projects

1. clairvoyance obtain GraphQL API schema even if the introspection is disabled
2. pwnhub how GitHub Actions workflows can be hacked
3. orgs-data mapping from bug bounty and vulnerability disclosure programs to respective GitHub organizations

Smart Contract Audits

• Uniswap v4 Core Audit
• Snapshot X Starknet Audit
• Compound Comprehensive Protocol Audit
• 1inch Limit Order Settlement Audit
• 1inch Limit Order Protocol Diff Audit
• ZK Email Account Recovery – Security Review Report
• Nodle Network Smart Contracts – Security Review Report
• Across V3 Incremental Audit
• Across V2 Incremental Audit
• UMA Across V2 Diff Audit 2023
• ANZ Bank’s $30 million stablecoin transaction secured by OpenZeppelin
• Neptune Mutual Audit
• UMA Optimistic Governor Audit
• Mantle Node, Batcher, Proposer, and Tooling Incremental Audit
• Origin OGV and OGN Merge Audit

Writings

1. ZK Email: Unveiling Classic Attacks and Why Zero-Knowledge Proofs Alone Are Not a Panacea (Mikhail Egorov, Denis Kolegov, Nikita Stupin)
2. Top 10 Blockchain Hacking Techniques of 2023
3. Top 10 Blockchain Hacking Techniques of 2022
4. “Not is not iszero” [EN]
5. “JavaScript prototype pollution: practice of finding and exploitation” [EN|RU]
6. “Security of mobile OAuth 2.0” [EN|RU]
7. “GraphQL Voyager as a tool for API security testing” [EN|RU].
8. “Охота за уязвимостями на 7% эффективнее” [RU]

Talks

1. “Bug Hunting in Smart-Contracts: Where to Begin”
   • VolgaCTF 2022, Online. Slides: EN.
2. “Client-side JavaScript prototype pollution” (made in collaboration with @Black2Fan):
   • VolgaCTF 2021, Samara. Slides: EN.
   • ZeroNights 2021, Saint Petersburg. Slides: EN, recording: RU.
3. “Access control vulnerabilities in GraphQL APIs”:
   • OWASP AppSec Israel 2020, Online. Slides: EN, recording: EN.
   • Swiss Cyber Storm 2019, Bern.
   • OFFZONE 2019, Moscow. Recording: EN.
4. “Vulnerabilities of mobile OAuth 2.0”:
   • Insomnihack 2019, Geneva. Slides: EN and recording: EN.
   • OFFZONE 2018, Moscow. Slides: EN, recording: RU.
   • DC7831, Nizhny Novgorod.
   • RuCTF 2019, Ekaterinburg.
5. “IoT hacking from web perspective”:
   • VolgaCTF 2020, Samara. Slides: EN.

Courses

1. Безопасность компьютерных систем 21/22, ПМИ ФКН ВШЭ. Курс создан в сотрудничестве с @sms-system.
2. Безопасность интернет-приложений, образовательный центр VK в МГТУ им. Н.Э. Баумана

CVEs

1. CVE-2021-22957
2. CVE-2021-22944
3. CVE-2020-28460
4. CVE-2020-28450
5. CVE-2020-28449
6. CVE-2024-1540