index of /opencore.ch

OpenCoreCH

Roman Böhringer. Smart-contract auditor and systems person in Switzerland. Looks at state transitions, accounting invariants, signatures, oracle paths, upgrade hooks, gas griefing, cross-chain edge cases, wallet flows, and off-chain infrastructure that can still lose the money.

4 public rank-1 C4 placements
617 stars on heuristics.md

scope.txt

Audit surface / consulting work

Manual review for code where the interesting bugs are hidden in accounting, permissions, standards compliance, timing, trust boundaries, and weird user input.

svc.01

EVM / Solidity manual audit

DeFi, staking, bridges, marketplaces, NFT systems, governance, permissions, upgradeability, and token accounting.

svc.02

Rust runtime review

CosmWasm, Substrate, chain modules, wallet code, serialization, arithmetic, state machines, and unsafe edges.

svc.03

Off-chain attack surface

Wallets, rollup infrastructure, AWS-backed systems, API authorization, signing flows, secrets, and operational failure modes.

svc.04

Protocol threat model

Oracle dependencies, AMM math, liquidation paths, LVR/MEV assumptions, bridge trust, replay, finality, and governance capture.

svc.05

Invariant / fuzz target design

Convert protocol assumptions into invariants, differential tests, boundary cases, conservation checks, and harness ideas.

svc.06

Finding triage & remediation

Severity reasoning, exploitability notes, patch review, regression checks, and report text that does not hide the bug.

reports/

Published audit record

Public reports and contest results only. Some client work is private; it stays private.

Selected Code4rena placements

  • Rigor: rank 1 / 132
  • Foundation: rank 1 / 108
  • Yieldy: rank 1 / 99
  • Party DAO: rank 1 / 110
  • Mimo DeFi: rank 2 / 69
  • Nouns DAO: rank 3 / 160

Common bug classes

State desync, rounding amplification, duplicate-account handling, stale oracle use, unsafe defaults, gas griefing, signature replay, bad deletion, and ERC/EIP behavior drift.
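Two items on this page are easier to see in code than in a sentence: the "rounding amplification" bug class above and the svc.05 service (turning protocol assumptions into invariants and conservation checks). The following is an added example, not code from this page or from OpenCoreCH: a Python model of ERC-4626-style share accounting in two variants, one that rounds minted shares up (in the depositor's favour) and one that rounds down and rejects zero-share deposits, plus a small seeded harness that turns the assumption "a deposit followed immediately by a full redeem never returns more than it put in" into a checkable property. The class and function names, the two-user workload, the amounts and the seed are all constructed for the illustration and correspond to no real protocol.

```python
"""Constructed example: ERC-4626-style share accounting under fuzz.

Vault("up") mints ceil() shares (rounds in the depositor's favour); Vault("down")
mints floor() shares and rejects deposits that would mint zero. The invariant:
a deposit followed immediately by a full redeem never returns more than it put in.
"""
import random
from dataclasses import dataclass, field


class ZeroShares(Exception):
    """Hardened vault refuses deposits that would mint zero shares."""


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


@dataclass
class Vault:
    mint_rounding: str          # "up" (vulnerable) or "down" (hardened)
    total_assets: int = 0
    total_shares: int = 0
    balances: dict = field(default_factory=dict)

    def deposit(self, user: str, assets: int) -> int:
        if self.total_shares == 0:
            shares = assets                          # 1:1 bootstrap
        elif self.mint_rounding == "up":
            shares = ceil_div(assets * self.total_shares, self.total_assets)
        else:
            shares = assets * self.total_shares // self.total_assets
            if shares == 0:
                raise ZeroShares
        self.total_assets += assets
        self.total_shares += shares
        self.balances[user] = self.balances.get(user, 0) + shares
        return shares

    def redeem(self, user: str, shares: int) -> int:
        assert 0 < shares <= self.balances.get(user, 0)
        assets = shares * self.total_assets // self.total_shares   # floor, as in 4626
        self.total_assets -= assets
        self.total_shares -= shares
        self.balances[user] -= shares
        return assets

    def donate(self, assets: int) -> None:
        """Yield accruing to existing holders; raises the per-share price."""
        if self.total_shares > 0:
            self.total_assets += assets


def round_trip_profit(vault: Vault, amount: int) -> int:
    """Deposit, then redeem every share just minted: assets out minus assets in."""
    shares = vault.deposit("probe", amount)
    return vault.redeem("probe", shares) - amount


def known_case(mint_rounding: str) -> int:
    """Hand-built state: 1 share backed by 100 assets, then a 250-asset round trip."""
    vault = Vault(mint_rounding)
    vault.deposit("alice", 1)
    vault.donate(99)
    return round_trip_profit(vault, 250)


def fuzz(mint_rounding: str, seed: int = 1, runs: int = 500):
    """Random deposit/donate/redeem traces; returns the first profitable round trip."""
    rng = random.Random(seed)
    for _ in range(runs):
        vault, trace = Vault(mint_rounding), []
        for _ in range(rng.randint(1, 8)):
            op = rng.choice(["deposit", "donate", "redeem"])
            user = rng.choice(["alice", "bob"])
            if op == "deposit":
                amt = rng.randint(1, 1_000)
                try:
                    vault.deposit(user, amt)
                except ZeroShares:
                    continue
                trace.append((op, user, amt))
            elif op == "donate":
                amt = rng.randint(1, 10_000)
                vault.donate(amt)
                trace.append((op, amt))
            elif vault.balances.get(user, 0):
                amt = rng.randint(1, vault.balances[user])
                vault.redeem(user, amt)
                trace.append((op, user, amt))
        if vault.total_shares == 0:
            continue
        probe = rng.randint(1, 100)
        try:
            profit = round_trip_profit(vault, probe)
        except ZeroShares:
            continue
        if profit > 0:
            return trace, probe, profit
    return None
```

`known_case("up")` shows the amplification directly: with one share backing 100 assets, a 250-asset deposit is rounded up to 3 shares and redeems for 262, a 12-asset profit taken from the existing holder, while `known_case("down")` returns -17 (the dust stays with existing holders, which is the direction a vault should round). `fuzz("up")` finds a profitable trace within a few hundred random sequences; `fuzz("down")` returns `None`, and the reason it cannot fail is one line of algebra: with floor on both mint and redeem, `s*A <= d*S` implies `s*(A+d)/(S+s) <= d`. That argument is the kind of thing worth writing next to the invariant in a real harness.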

Solidity Rust CosmWasm Substrate Wallets Rollups DeFi Cross-chain

src/

Repo drawer

Public GitHub repos, lightly indexed. Star counts and descriptions were pulled from GitHub on June 5, 2026.

security 617 stars

smart-contract-auditing-heuristics

Reusable smart-contract review heuristics covering asymmetries, amplifiable rounding, standards compliance, initialization bugs, list duplicates, and gas-limit failure modes.

security 2 stars

smart-contract-audits

Public collection of smart-contract audits, Rust audits, penetration tests, Code4rena findings, judging work, and protocol research.

research 170 stars

ethz_cs_summaries

ETH Zürich CS and Data Science notes: algorithms, networks, databases, software engineering, ML, statistics, and cloud systems.

C++ 7 stars

TCPunch

C++ TCP NAT hole-punching client library and server for pairing two clients and returning a socket descriptor for peer communication.

C++ 2 stars

hdmlp

Hierarchical Distributed Machine Learning Prefetcher, connected to high-performance computing and machine-learning I/O work.

tooling recent

Bexio-MCP-Server / bexio-cli

Python and TypeScript automation around Bexio, CLI workflows, and MCP-style business integrations.

Web3 protocols

crocswap-lm / canto-fixed-lending

Protocol-adjacent repositories across liquidity mining, concentrated liquidity, Canto lending, Pyth cross-chain utilities, and SPL token programs.

notes/

Loose files worth reading

Notes, reports, and code that say more than a landing-page paragraph can.

mail

Send repo, scope, chain/runtime, dates, and what keeps you awake.

Useful first email: codebase link, protocol overview, commit hash, previous reports, tests/fuzzing status, deployment assumptions, and areas already suspected to be fragile.