StErMi

I like to push myself over my limits and always raise the bar of my knowledge and skills.

@StErMi

87

Spearbit

lsr

Public earnings

$30,197.64

90th


Public findings

39


Worked with

Cryptex
Morpho
Euler
BadgerDAO
Liquid Collective
Paradigm
Christoph Michel
m4rio
Leo Alt
Gerard Persoon
Optimum
Liam Eastwood

Biography

Hi there! I'm Emanuele, aka StErMi, a full-stack developer with more than 15 years in the field. For more than 2 years I have devoted all my energies to becoming the best security researcher.

I am a curious person by nature and I always want to master what I am learning. I can't help but strive for the best, learn new things and always try to raise the bar.

Are you looking for "just" a security researcher? I'm afraid that you are not in the right place ;)

When you hire me, you will get the full package:

A very detailed report:

  • Full working PoC for each critical, high or medium issue
  • Architectural review of the project with suggestions on how to optimize it
  • Brainstorming sessions on how to always push for the best possible product

Top competitions

| Contest | Position | Date | Payout |
| --- | --- | --- | --- |
| Aave v3.1 Competition | 1 / 215 | May 2024 | $14,286 |
| Blast | 32 / 600 | January 2024 | $10,000 |
| incentive-contracts | 7 / 152 | January 2024 | $4,412 |
| eigenlayer-contracts | 5 / 205 | February 2024 | $1,500 |

Private reviews

| Engagement | Project title | Timeframe | Researchers |
| --- | --- | --- | --- |
| Cryptex | Cross-Chain Security Review: Cryptex Audit | Feb 2025 - Feb 2025 | StErMi, Anurag Jain |
| Morpho | DeFi Security Review: Morpho v1.1 Audit | Feb 2025 - Feb 2025 | StErMi, Om Parikh |
| Euler | ethereum-price-oracle | Apr 2024 - May 2024 | +2 StErMi, Christos Pap, Christoph Michel |
| Euler | ethereum-vault-kit | Apr 2024 - May 2024 | +2 StErMi, Christos Pap, Christoph Michel |
| Euler | ethereum-vault-connector | Apr 2024 - May 2024 | +2 StErMi, Christos Pap, Christoph Michel |

Security portfolio

| Title | Description |
| --- | --- |
| Aave v3 bug bounty 3 ($20000 USD) | `LTV-0` `AToken` poison attack! |
| Aave v3 bug bounty 2 ($10000 USD) | If the user is in e-mode (efficiency mode), it means that all the assets that have been supplied and borrowed belong to the same e-mode category of the user. During the liquidation process, Aave is making the wrong assumption that, if the user is in e-mode and the e-mode category has been configured with a custom oracle, both the collateral and debt asset are using the same e-mode category custom oracle. This assumption would normally be correct (if you are in e-mode you can only supply and borrow assets that are in the same e-mode category), but there are some specific edge cases where it would not be true. |
| Aave v3 bug bounty 1 ($5000 USD) | When the user performs a flashloan action that ends up opening a borrowing position (instead of later repaying the flashloan), Aave is passing to the receiver the wrong amount of fees that the receiver needs to repay. In this specific case, the user does not have to repay any flashloan fees. While Aave is not requesting back those premiums, they still tell the receiver that it has to approve more tokens than are needed (flash loan amount + wrongly calculated premium that should instead be equal to zero). Because of this, the receiver could end up over-approving the Aave protocol. For more detail about the consequences and all the possible side effects, keep reading the blog post because I'm going very deep into the woods 😁 |