A technical research repository documenting security vulnerabilities, economic attack vectors, and protocol risk analysis across Web3 infrastructure.
This repo continues my journey from finance professional to smart contract auditor, first shared in my OpenZeppelin blog post.
This repository serves as both a research archive and technical lab notebook, documenting:
- Smart contract vulnerabilities and exploit analysis
- Protocol-level economic risk and attack surface mapping
- Credit risk and covenant enforcement mechanisms in DeFi lending
- Liquidity cascade modeling and systemic risk scenarios
- Secure development practices and mitigation strategies
The work spans both code-level security (reentrancy, access control, oracle manipulation) and protocol-level economic security (credit risk, liquidity crises, governance attacks, incentive misalignment).
Research entries follow a consistent analytical framework:
- Incident Summary — Exploit details, loss amounts, attack vectors
- Root Cause Analysis — Technical vulnerability (logic bug, reentrancy, etc.)
- Mitigation Analysis — Prevention methods and post-mortem fixes
- Code Reproduction — Experimental code demonstrating the vulnerability or defense
- Protocol Overview — Business model, mechanism design, key parameters
- Risk Surface Mapping — Credit risk, liquidity risk, governance risk, economic attack vectors
- Stress Scenario Modeling — Quantitative analysis of failure modes
- Enforcement Gap Analysis — Covenant structures, legal mechanisms, execution risk
- Thesis Documentation — Investment or security position based on identified risks
This dual approach captures both the attacker's perspective and the defender's countermeasures across multiple layers of the Web3 stack.
- Vulnerability analysis and exploit reproduction
- Audit findings and secure coding patterns
- Attack vector simulation and fuzzing
- DeFi lending protocol risk analysis
- Covenant enforcement mechanism evaluation
- Liquidity cascade and systemic risk modeling
- Credit risk assessment of undercollateralized lending
- Governance attack surface analysis
- How smart contract vulnerabilities enable economic exploits
- Oracle manipulation and its financial impact
- MEV and transaction ordering dependencies
- Protocol composability risks
Research tooling reflects the need to analyze, build, and stress-test Web3 systems across multiple layers:
- Python — Quantitative modeling, exploit simulation, statistical analysis, fuzzing
- Foundry — Smart contract testing, deployment automation, invariant testing
- Solidity — Contract analysis, security research, DeFi protocol interaction
- Vyper — Minimal contract design, auditability research
- Rust — Systems programming, performance-critical security tooling, Solana/Substrate research
My background spans finance, law, and quantitative analysis. This interdisciplinary foundation enables research that bridges code-level security and financial risk analysis:
- Finance background — Credit analysis, covenant structures, liquidity risk modeling
- Legal training — Enforcement mechanisms, governance structures, regulatory compliance
- Quantitative skills — Statistical modeling, stress testing, Monte Carlo simulation
- Security focus — Exploit analysis, attack surface mapping, defensive architecture
This combination allows for research that most Web3 security work overlooks: the intersection of smart contract security and financial/economic vulnerabilities.
/exploits — Smart contract vulnerability breakdowns
/protocols — DeFi protocol risk analysis and stress tests
/research-notes — Ongoing research, hypotheses, experimental findings
/code-experiments — Proof-of-concept code for vulnerabilities or defenses
/quantitative — Financial models, credit analysis, liquidity simulations
All analysis in this repository follows these principles:
- Evidence-based — Claims supported by on-chain data, contract code, or mathematical modeling
- Reproducible — Sufficient detail for others to verify findings
- Transparent — Clear documentation of assumptions, limitations, and uncertainty
- Rigorous — Both qualitative insight and quantitative validation where possible
- Practical — Research aimed at real-world security improvement or risk mitigation
Active research threads include:
- Covenant enforcement mechanisms in undercollateralized DeFi lending
- Liquidity cascade risk modeling in protocol withdrawal scenarios
- Pool delegate agency problems and credit risk misalignment
- Smart contract audit methodology development
- Cross-protocol contagion risk analysis
Each research entry documents the full analytical process, including dead ends and revised hypotheses, to provide an honest record of the research journey.
This is a living research archive. Findings, methodology improvements, and new areas of investigation are continuously documented as the work evolves.