Maheswaran Velmurugan
Full-Stack Web* Developer · Smart Contract Security Auditor
Email - **************@*****.*** Github - soloking1412
ABOUT
I've spent the last few years splitting time between building production Web3 systems and tearing apart other people's smart contracts to find what breaks them. On the auditing side I have 20+ confirmed findings across Sherlock contests — Highs and Mediums in DeFi protocols ranging from staking reward accounting bugs to flash loan price manipulation and arithmetic underflows. On the build side I shipped the Arbitrum Stylus Dev Toolkit under a Foundation grant (32.6% avg gas reduction, 224 NPM downloads), built production Solana staking programs in Anchor/Rust, and have worked across 7 chains: EVM, Solana, Starknet, Polkadot, Aptos, Move, and Rootstock. I'm a 2024 Polkadot Blockchain Academy graduate and I prefer working on hard, under-specified problems.
EXPERIENCE
Smart Contract Security Researcher · Sherlock · Code4rena · Immunefi · 2023 – Present
– Competed in 10+ audit contests with 20+ confirmed findings. Built POC exploits first, wrote reports second — no speculative submissions.
– Focus areas: DeFi reward accounting, ERC-4626 vaults, Uniswap V3 integrations, staking mechanics, cross-vault share logic, and DOS vectors.
– Ranked #45 on Ammplify (Sherlock) and #48 on Super DCA (Sherlock) with multiple confirmed Highs and Mediums in both.
– Clients include protocols on Ethereum, Optimism, and Solana — ranging from liquidity networks to NFT position managers.
Blockchain Developer · FABC Global · Fameguild · Virtust Technologies · Cloudin Labs
– Built and deployed smart contracts across EVM (Solidity), Solana (Anchor/Rust), and Starknet (Cairo) for DeFi, NFT, and GameFi products.
– Production Solana staking: multi-tier stake pools, NFT-gated vesting, epoch-based reward splits (40% staking / 30% referral / 30% cashback), early-exit penalties — all live.
– Full-stack delivery on a P2P exchange, NFT marketplace, and ERC-20 staking dApp — React/Next.js frontend through to on-chain settlement.
– Also worked with Hyperledger Fabric for an enterprise supply chain client and Subsquid indexers on Rootstock for a DeFi analytics dashboard.
CONFIRMED AUDIT FINDINGS
Super DCA Liquidity Network [High] — Pending Rewards Permanently Lost When Users Stake or Unstake Tokens
Reward accumulator not checkpointed before balance change — any stake/unstake wipes pending rewards for that user permanently. Sherlock · #48 ranking.
Super DCA Liquidity Network [Medium] — setMintRate Creates Incorrect Token Emissions
Changing mint rate mid-period applies new rate retroactively to already-elapsed time, corrupting total emission math.
Ammplify [High] — Flash Loan Price Manipulation in Core Position Valuation Functions
Position valuation reads spot price without TWAP protection — attacker can manipulate value in a single block to drain collateralized positions. Sherlock · #45 ranking.
Ammplify [Medium] — NFT Metadata Generation Fails Due to Incorrect Asset Data Access Method in NFTManager
NFTManager calls the wrong getter on the asset registry — on-chain metadata breaks for all positions, affecting integrations and front-ends.
Ammplify [Medium] — Arithmetic Underflow in UniV3Decomposer Causes DOS on Position Decomposition
Subtraction underflow in tick math when decomposing out-of-range Uniswap V3 positions reverts the entire transaction, locking affected LP funds.
Merkl Protocol [High] — Pre-deposited Balance Double-Spend
Pre-deposit accounting flaw allows the same balance to be credited twice across campaigns, draining reward pools.
Merkl Protocol [Medium] — Campaign Duration Extension Beyond End Time
Extension logic pushes duration past the configured end — reward math breaks and users receive incorrect distributions.
Inverse Finance jDOLA [Medium] — DOS via queueWithdrawal at MIN_ASSETS Threshold
When fees are non-zero, hitting exact MIN_ASSETS causes queueWithdrawal to permanently revert — user funds stuck with no recovery path.
SukukFi [High] — Cross-Vault Share Fungibility Exploit
Shares from vaults with different risk profiles treated as interchangeable — attacker can inflate effective balance by moving between vaults.
SukukFi [Medium] — KYC Status Change Locks User Funds
Post-deposit KYC revocation has no withdrawal fallback — compliant funds become permanently inaccessible.
GRANTS & FUNDED WORK
Arbitrum Stylus Dev Toolkit
Arbitrum Foundation Grant · $16,000 · Delivered
– Developer toolkit for writing EVM smart contracts in Rust via the Stylus SDK — targeted at engineers migrating from Solidity.
– Benchmarked 32.6% average gas reduction vs equivalent Solidity contracts across a suite of standard DeFi patterns.
– Published to NPM, reached 224 downloads. Full milestone report submitted and accepted by the Arbitrum grants team.
SatoshiYield — sBTC Yield Optimizer
Stacks Ecosystem Grant · $8,000 STX · In Progress
– Non-custodial sBTC yield aggregator on the Stacks L2, routing across Bitflow, ALEX, Zest, Velar, and Hermetica automatically.
– Goal: give BTC holders a single interface for optimized yield without bridging to Ethereum or touching custodial wrappers.
– Full technical spec, milestone plan, and README written. Grant under review.
TECHNICAL SKILLS
Languages: Solidity · Rust · TypeScript · JavaScript · Cairo · Move · Clarity · Go
Contracts: Hardhat · Foundry · Anchor · Truffle · OpenZeppelin · Stylus SDK
Chains: Ethereum · Solana · Starknet · Polkadot · Aptos · Rootstock · Stacks (Bitcoin L2)
Security: Reentrancy · Flash Loan Attacks · Oracle Manipulation · ERC-4626 Invariants · Inflation Attacks · Arithmetic Over/Underflow · Access Control
Frontend: React · Next.js · Node.js · ethers.js · web3.js · wagmi
Tooling: Foundry Fuzzing · Slither · Mythril · Docker · GitHub Actions · n8n
Protocols: ERC-20/721/1155/4626 · Uniswap V2/V3 · Aave · Compound · IPFS · The Graph
EDUCATION
Developer Graduate · Polkadot Blockchain Academy · 2024
Selective cohort. Covered Substrate, FRAME pallets, XCM cross-chain messaging, ink! contracts, and parachain architecture.
BSc Computer Science — Cloud Technology & Information Security · Rathinam College of Arts and Science · 2021 – 2024
Certs: Certified Blockchain Security Examiner (CBSE) Level 1 · Solidity for Senior Engineers (Calyptus) · Ethereum Fundamentals (Kerala Blockchain Academy) · Cloud Infrastructure Foundations Associate (Oracle) · Blockchain Essentials (IBM)