Independent security researcher focused on Solidity, Rust, Solana, and Soroban / Stellar smart contracts. I work the full stack: invariant fuzzing, on-chain forensics, multi-step composition attacks, and cross-client divergence analysis.
All findings published here are publicly disclosed and acknowledged by the affected projects. Active and undisclosed bounty material lives in a separate private repository.
- Code4rena: @Mariscal — Signal 25 (Good) · Helped secure: Chainlink
- Immunefi: @Mariscal
- Telegram: @Marisscal for engagements
| Contest | Severity | Title |
|---|---|---|
| Chainlink Payment Abstraction V2 | Medium | EIP-1271 partial-fill contradiction in CowSwap auctions — escalated post-judging from OoS to Medium by judge 0xsomeone |
| Rujira Protocol | Medium | Liquidation repay leaves excess tokens permanently stuck |
| Intuition Protocol | Low | previewWithdraw underflow in ProgressiveCurve |
| Glow Finance | confirmed valid | 2 sponsor-confirmed findings: missing liquidation/health check + missing pool accounting on fee withdrawal |
| Project | Title |
|---|---|
| Monero (monero-oxide) | Fee mask issue in the monero-oxide Rust implementation |
- From Out of Scope to Medium — anatomy of a partial-fill EIP-1271 contradiction — Walkthrough of the Chainlink S-769 escalation. Why a "known issue" race condition and an internal contract contradiction are structurally different bugs, and how to argue that to a judge.
- The adversarial fuzz pyramid — How I structure invariant suites with handler + ghost accounting + value-conservation, instead of confirmatory tests that pass against the property they were asked to check.
- Cross-client divergence as a bug class — When two implementations of the same spec must stay equivalent (op-node vs kona, in-house verifier vs upstream), the divergences are state-bearing bugs. With two case studies.
I work bugs at the layer most tools miss:
- Composition between documented behaviors. Single-property soundness rarely fails on mature codebases; soundness of the composition often does. Examples: a Portal `pre-commit` plus a messenger replay path plus permissionless `finalize`, chaining into a mass-brick primitive; `isValidSignature` validating full amount while the contract requires partial fills, producing a self-financing DoS.
- Cross-client divergence. When two implementations of the same spec must stay byte-for-byte equivalent (op-node vs kona, ezkl-no-std vs an in-house verifier), the divergences are state-bearing bugs.
- Adversarial invariants over confirmatory tests. I build invariant suites with ghost accounting and value-conservation invariants, then hunt the handler that breaks them.
- On-chain forensics. Snapshot before, snapshot after. Many "documented as intentional" closures stop being intentional once the upgrade log is read against the disclosure timeline.
Available for private engagements (single auditor) and contest collaborations. Open an issue or reach out via Telegram.
The writeups in this repository are licensed under MIT. PoC code retains the licensing of the original audit target where applicable.
Last updated: 2026-05-28.