OpportunitiesLeaderboardAbout Cantina
StErMi

StErMi

I like to push myself over my limits and always raise the bar of my knowledge and skills.

@StErMi

87

Spearbit

lsr

Get a quote

Public earnings

$30,197.64

86th

Public findings

39

Achievements

Worked with

Cryptex
Morpho
Euler
BadgerDAO
Liquid Collective
Paradigm
m4rio
Alex Beregszaszi
Leo Alt
Gerard Persoon
Christoph Michel
Optimum
OverviewPublic reviewsPrivate reviews

Biography

Biography

Hi there! I'm Emanuele, aka StErMi, a full-stack developer with more than 15 years in the field and for more than 2 years I have devoted all my energies to become the best security researcher.

I am a curious person by nature and I always want to master what I am learning. I can't help myself to strive for the best, learn new things and always try to raise the bar.

Are you looking for "just" a security researcher? I'm afraid that you are not in the right place ;)

When you hire me, you will get the full package:

A very detailed report:

  • Full working PoC for each critical, high or medium issue
  • Architectural review of the project with suggestions on how to optimize it
  • Brainstorming sessions on how to always push for the best possible product

Top competitions

View all
Contest
Position
Date
Payout
Aave v3.1 Competition

Aave v3.1 Competition

1

/ 215

May 2024$14,286
Blast

Blast

32

/ 599

January 2024$10,000
incentive-contracts

incentive-contracts

7

/ 152

January 2024$4,412
eigenlayer-contracts

eigenlayer-contracts

5

/ 205

February 2024$1,500

Private reviews

View all
Engagement
Project title
Timeframe
Researchers
Tracer

Tracer

Tracer Perpetual Pools

Feb 2022 - Feb 2022

+1
RustyRabbit
Gerard Persoon
Christoph Michel
Morpho

Morpho

morpho-contracts

Mar 2022 - Mar 2022

+1
Jared Jordan
StErMi
Christoph Michel
Optimism

Optimism

Drippie

Aug 2022 - Aug 2022

Hrishikesh Bhat
StErMi
noah.eth
Gauntlet

Gauntlet

Aera Contracts

May 2022 - May 2022

+1
StErMi
Eric Wang
Gerard Persoon
Paradigm

Paradigm

Art-Gobblers

Jul 2022 - Jul 2022

+5
Hrishikesh Bhat
Hari
Devansh Bantham

Security portfolio

Title
Description
Aave v3 bug bounty 3 ($20000 USD)`LTV-0` `AToken` poison attack!
Aave v3 bug bounty 2 ($10000 USD)If the user is in e-mode (efficiency mode) it means that all the assets that have been supplied and borrowed belong to the same e-mode category of the user. During the liquidation process, Aave is making the wrong assumption that, if the user is in e-mode and the e-mode category has been configured with a custom oracle, both the collateral and debt asset are using the same e-mode category custom oracle. This assumption would be normally correct (if you are in e-mode you can only supply and borrow assets that are in the same e-mode category) but there are some specific edge cases where it would not be true.
Aave v3 bug bounty 1 ($5000 USD)When the user performs a flashloan action that ends up opening a borrowing position (instead of later repaying the flashloan), Aave is passing to the receiver the wrong amount of fees that the receiver needs to repay. In this specific case, the user does not have to repay any flashloan fees. While Aave is not requesting back those premiums, they anyway tell to the receiver that it have to approve more tokens that are needed (flash loan amount + wrongly calculated premium that should instead be equal to zero). Because of this, the receiver could end up over-approving the Aave protocol. For more detail about the consequences and all the possible side effects, keep reading the blog post because I'm going very deep into the woods 😁