<aside> 🛰️ Feel free to contact me in Telegram if needed: https://telegram.me/sushiwushi2

</aside>

Audit reports

CosmWasm

Cosmos SDK

Cadence Flow

Solidity

Web3 stuffs

• 2024: 1st place in Cosmos bug bounty program: https://hackerone.com/cosmos/thanks/2024
• 2023: Involved in CosmWasm CTF with the teams at Oak Security: https://github.com/oak-security/cosmwasm-ctf

Vulnerability disclosures

• Cosmos SDK:

  Halting chains with malicious token factory denoms

  Stakers’ undelegations may be slashed incorrectly

  Bypass for ASA-2024-003: Missing BlockedAddressed Validation in Vesting Module

  Packet fees are not removed after a successful refund

  Bypassing IsSendEnabledCoins restriction

  Chain halt risk in x/gov due to unrestricted gas limits

  MsgCreateContinuousFund does not remove entries in RecipientFundPercentage

  Validators can use unsupported public keys, triggering a chain halt

• CosmWasm:

  Stargaze Names Vulnerability Disclosure

  Stargaze Vulnerability Disclosure (2)

  Bypassing zero amount transacts in CW20

• Cadence:

  Flovatar Vulnerability Disclosure

  FlovatarMarketplace Vulnerability Disclosure

  Soulmade Vulnerability Disclosure

  Tatum Vulnerability Disclosure

  The Football Club Vulnerability Disclosure

• Some writings about web2 bugs on Medium:

  sushiwushi – Medium

• GitHub Advisory Database: https://github.com/advisories?query=credit:sushiwushi

Web2 stuffs

• 2020: 77th ranking in Google VRP.

  • https://x.com/sushiwushi2/status/1271653432613408768/

  • Google VRP profile: https://bughunters.google.com/profile/05b1fe6a-7abf-495c-bbec-e58d6eba3dd7

  • One of my bug bounty reports is also featured in Google VRP staff picks!

    Auth Bypass in ads.google.com | Google Bug Hunters

    https://www.youtube.com/watch?v=6KNwYPgs8DQ

• HackerOne profile: https://hackerone.com/setuid

Certifications