// security researcher

0x15 Web3 Security
Researcher

Independent security researcher hunting critical vulnerabilities across the stack — from Solidity and Move smart contracts to Rust consensus clients. 45+ High & Medium findings. One node-halting CVE. Five languages, zero mercy for bugs.

35+ Audit Contests
45+ High / Medium Findings
10 Top-10 Finishes
5 Languages Audited
Rust· Go· Move· Solidity· Cairo

// recent work

Highlights

FEATURED · CVE-2026-52736

Zcash Zebra — Remote Node Suppression

Zcash Foundation · High Severity

Block suppression via NU5 same-header body poisoning of the sent-hash cache. A remote, unauthenticated peer could permanently stall a targeted Zebra node. Credited for the first report with an end-to-end reproduction.

Rust Consensus Node Client CVE · High

// contest history

Track Record

Date Protocol Platform Rank Findings
Apr '26XRP LedgerSherlock#25
Mar '26IntuitionCode4rena#41 Medium
Feb '26Injective Peggy BridgeCode4rena#171 High
Dec '25RujiraCode4rena#114 High
Oct '25Centrifuge Protocol V3.1Sherlock#111 Medium
Oct '25Index Fun Order BookSherlock#101 Medium
Sep '25MonadCode4rena#71 High
Sep '25BMX Deli SwapSherlock#91 High · 2 Medium
Sep '25Dango DEXSherlock#211 Medium
Sep '25AmmplifySherlock#361 High · 1 Medium
Aug '25USG — TangentSherlock#641 High
Aug '25Solayer BridgeCantina#311 High
Jul '25GTE Spot CLOB & RouterCode4rena#231 Medium
Jun '25Telcoin NetworkCantina#432 High
May '25Yearn yBOLDSherlock🥈 #21 High
May '25LayerEdge — StakingSherlock#71 Medium
May '25LENDSherlock#633 High
May '25Alchemix v3Cantina#205 High · 2 Medium
May '25Jigsaw ContractsCantina#532 High
May '25Aave AptosCantina#101 Medium
May '25Space & Time (SXT)Cantina#222 Medium
Apr '25ZetaChain Cross-ChainSherlock#161 Medium
Apr '25Mighty ContractsCantina#1151 High
Apr '25Mezo MonorepoCantina#393 Medium
Apr '25KinetiqCode4rena#181 Medium
Mar '25PumpSwapCantina#71 Medium
Feb '25YieldoorSherlock#281 Medium
Feb '25RovaSherlock🥉 #31 Medium
SHERLOCK PROFILE ↗
0x15 avatar

// about

Polyglot by design

Most auditors stop at Solidity. I don't. I work across Rust, Go, Move, Solidity, and Cairo — which means I can follow a vulnerability from the smart contract layer down into the node client executing it.

That range shows in the results: findings in EVM lending protocols, Move money markets, CosmWasm app layers, Solana AMMs — and a High-severity CVE in Zcash's consensus client that could remotely stall a node.

Shipping something new?
Get it broken first.

Private audits and contest engagements across EVM, Move, Cosmos, and Rust-based stacks. No fluff — just a focused review of your codebase.