hey there, I'm tincho 👋
Ethereum security researcher. Former lead security auditor at OpenZeppelin, and before that web app pentester.
Find me as @tinchoabbate on Twitter and GitHub
- Human-first NFT mints, experimenting with captchas and OpenZeppelin Defender features to integrate off-chain validations for an NFT distribution mechanism
- Argent Vulnerability, collaborating with Alice Henshaw, who originally discovered the vulnerability.
- Backdooring Gnosis Safe Multisig wallets
- A Year of Research at OpenZeppelin
- Libra's Move IR Compiler Vulnerability, collaborating with several people at OpenZeppelin, but special mention to Alejo Salles and Ignacio Bonilla.
- Deep dive into the Minimal Proxy contract
- Exploiting Uniswap: from reentrancy to actual profit
- OpenZeppelin’s online ERC20 verifier: behind the scenes
- Beware of the proxy: learn how to exploit function clashing
📣 Talks, panels
- Exploits en DeFi @ Blockchain Summit Latam 2021 (in Spanish)
- Hacking smart contracts: de cero a un bounty millonario @ HacktivityCon 2021 (in Spanish)
- Price manipulation attacks from first principles @ ChainLink Hackathon 2021
- Secure Development series: 40-60 min. security-oriented sessions on token integration, access controls, price oracles, governance, upgradeability, and more!
- Smart contract security: the power of audits @ IdentiHack 2021 (in Spanish)
- DeFi Security Panel @ ETHGlobal June 2021
- White hat panel: DeFi exploits @ ETHGlobal January 2021
- 7 Phases of Smart Contract Hacking @ DEF CON Safe Mode Blockchain Village
- Anatomy of Smart Contract Exploits in the Wild @ Ekoparty 2020 (in Spanish)
- Tactics for the defense of smart contracts in Ethereum @ Blockchain Summit LATAM 2019 (in Spanish)
- Smart contract security @ Ethereum BA Meetup 2019 (in Spanish): the time when the one and only Andreas Antonopoulos warmed up the stage for me
🎓 Courses and learning material
- Introduction to Smart Contract Security and Hacking (in Spanish)
- Resources to get started in smart contract security: in English and in Spanish
🔍 Public auditing work
Sadly, in infosec, lots of our work cannot be made public. Still, for the curious, this is a non-comprehensive short list of some public audit reports I've contributed to. All of these are the result of team efforts of amazing auditors at OpenZeppelin.
- Augur v2 and additional components
- UMA: Phase 1, Phase 2, Phase 3
- Compound: Open Price Feed, Open Price Feed Uniswap integration, Alpha Governance
- AAVE v1
- Primitive finance
- RNDR Token
- PROPS Token