Dacian is a prolific smart contract security researcher & auditor at cyfrin.io whose published Deep Dive security research is routinely shared on Twitter & in high-profile blockchain security newsletters such as BlockThreat [1, 2, 3, 4, 5, 6, 7, 8] & Week In Ethereum News [1, 2]. Some of Dacian's most notable security research publications include:

• DAO Governance DeFi Attacks

• Lending & Borrowing DeFi Attacks

• DeFi Slippage Attacks

• Precision Loss Errors

• Exploiting Precision Loss via Fuzz Testing

• Exploiting Developer Assumptions

• Chainlink Oracle Security Considerations

• Signature Replay Attacks

Dacian has earned a $28,000 USD bug bounty for discovering a vulnerability in a live smart contract that combined missing access control & unchecked state transition vulnerabilities to permanently brick the contract admin, future token inflation & staking rewards.

Dacian can identify a wide range of smart contract vulnerabilities; some of Dacian's publicly available findings include:

• Attack can drain protocol tokens by sandwich attacking two onlyOwner functions to force redeployment of liquidity into an unfavorable range

• Polygon chain reorgs will change mystery box tiers which can be gamed by validators

• Attacker can combine flashloan with delegated voting to decide a proposal bypassing all flashloan protections

• Attacker can destroy user voting power by setting ERC721Power::totalPower and all existing NFTs currentPower to 0

• Attacker can at anytime dramatically lower ERC721Power::totalPower voting power close to 0

• Attacker can use delegation to bypass voting restriction to vote on proposals they are restricted from voting on

• Static GovUserKeeper::_nftInfo.totalPowerInTokens used in quorum denominator can incorrectly make it impossible to reach quorum

• Attacker can bypass token sale maxAllocationPerUser restriction to buy out the entire tier

• Delegators incorrectly receive less rewards for longer proposals with multiple delegations

• DistributionProposal 'for' voter rewards diluted by 'against' voters and missing rewards permanently stuck in DistributionProposal contract

• Signature replay against different reward pool for same organizer/contest as signature digest missing implementation parameter

• Attacker can mint free tokens by exploiting rounding down to zero precision loss

• Borrow rate calculation can DoS all major functionality

• Lender can take borrower's collateral before first payment is due

• Borrower can't repay but can be liquidated as token whitelist can prevent existing positions from repaying

• Trading fees should round up in favor of the protocol to prevent value from constantly leaking to traders

Dacian can be contacted via Twitter DM's.