<aside> 🐱 Hello world!

</aside>

Audits

CosmWasm projects

Cosmos SDK projects

Cadence Flow projects

Vulnerability disclosures

• Cosmos SDK:

  Bypass for ASA-2024-003: Missing BlockedAddressed Validation in Vesting Module

  Packet fees are not removed after a successful refund

  Bypassing IsSendEnabledCoins restriction

  Chain halt risk in x/gov due to unrestricted gas limits

  MsgCreateContinuousFund does not remove entries in RecipientFundPercentage

  Validators can use unsupported public keys, triggering a chain halt

• CosmWasm:

  Stargaze Names Vulnerability Disclosure

  Stargaze Vulnerability Disclosure (2)

  Bypassing zero amount transacts in CW20

• Cadence:

  Flovatar Vulnerability Disclosure

  FlovatarMarketplace Vulnerability Disclosure

  Soulmade Vulnerability Disclosure

  Tatum Vulnerability Disclosure

  The Football Club Vulnerability Disclosure

• Some writings about web2 bugs on Medium:

  sushiwushi – Medium

• GitHub Advisory Database that includes reported vulnerabilities on open-source projects: https://github.com/advisories?query=credit:sushiwushi

Web2 achievements

• Certifications:

  Offensive Security Certified Professional (OSCP) was issued by Offensive Security to Richie Chun Fei Lee.

  Offensive Security Web Expert (OSWE) was issued by Offensive Security to Richie Chun Fei Lee.

• Top 100 Google VRP in 2020! https://x.com/sushiwushi2/status/1271653432613408768/

• One of my bug bounty reports is also featured in Google VRP staff picks!

  Auth Bypass in ads.google.com | Google Bug Hunters

• Google VRP profile: https://bughunters.google.com/profile/05b1fe6a-7abf-495c-bbec-e58d6eba3dd7

• HackerOne profile: https://hackerone.com/setuid

Projects

https://github.com/sushiwushi/CosmWasm-CTF

https://github.com/oak-security/cosmwasm-ctf