Constantly striving for growth and impact

M3dython/README.md

Hi there, I'm M3dython 👋

Blockchain Security Researcher | Smart Contract Auditor | Full Stack Developer

Hey 👋, I’m M3dython — a blockchain security researcher and smart contract auditor focused on identifying and mitigating vulnerabilities in decentralized protocols.

I actively compete in top-tier audit contests like Sherlock, where I’ve earned recognition for identifying critical vulnerabilities across various protocols. My mission is to help projects launch and scale securely by uncovering and mitigating risks before they’re exploited. With deep experience in Solidity, JavaScript, and a strong track record in public audits, I provide clear, actionable insights that strengthen your protocol’s security posture.

If you're looking to safeguard your smart contracts or need a reliable auditor for your next launch, I’m available for private audits. You can reach out through any of my socials — and feel free to explore my past findings and contest results below.


I'm M3dython, a smart contract auditor and tech enthusiast.

  • 🌍 I'm based in Brazil
  • 🔭 I’m currently working on: Deepening my expertise in advanced smart contract security patterns.
  • 🌱 I’m currently learning: Solidity Fuzzing and Formal Verification.
  • 👯 I’m looking to collaborate on: Open Source JavaScript projects, Web Dev tools, and smart contract security research.
  • 🤔 I’m looking for help with: Complex security challenges in DeFi protocols.
  • 💬 Ask me about: JavaScript, Linux, smart contract auditing, and blockchain security.
  • 📫 How to reach me:
  • ⚡ Fun fact: I find uncovering subtle logical flaws in Web3 protocols incredibly rewarding.

Connect with me:

GitHub LinkedIn Twitter Discord Email


Languages and Tools:

Python Solidity Node.js React Next.js JavaScript HTML5 CSS3 Git VS Code


Sherlock

| Contest | High risk | Medium risk | Security Report | Ranking | Team Name |
|---|---|---|---|---|---|
| LEND (May '25) | 4 | 1 | Report on GitHub | 52nd | m3dython |
| Burve (Apr '25) | 3 | - | Report on GitHub | 8th | m3dython |
| PinLink: RWA-Tokenized DePIN Marketplace (Mar '25) | - | - | Report on GitHub | 39th | m3dython |
| Yieldoor (Feb '25) | 1 | 1 | Report on GitHub | 15th | m3dython |

Key Audit Findings

May '25 - LEND

  • Ranking: #52
  • Finding 1: CrossChainRouter will use incorrect collateral amount and token for debt repayment during cross-chain liquidation, disrupting the process for the protocol, liquidators, and borrowers.
  • Finding 2: Incorrect Liquidation Check in _checkLiquidationValid May Lead to Unfair Liquidations or Prevention of Valid Liquidations.
  • Finding 3: Incorrect Logic in borrowWithInterest Leads to Understated Cross-Chain Debt and Risk of Protocol Insolvency.
  • Finding 4: CoreRouter Prone to Fund Depletion or Trapping Due to Miscalculated Redemption Payouts.
  • Finding 5: Liquidator may under-liquidate positions due to maxClose using incompletely accrued balance for settlement.

Apr '25 - Burve

  • Ranking: #8
  • Finding 1: Zero Tax Exploitation in Withdrawal Function
  • Finding 2: Contract logic flaw will mismatch internal and external vault shares, potentially trapping user funds.
  • Finding 3: Attacker can steal user funds via ERC4626 inflation attack on underlying vault.

Mar '25 - PinLink: RWA-Tokenized DePIN Marketplace

  • Ranking: #39
  • Finding: Centralized Oracle updates can be front run causing users to get paid less than intended.

Feb '25 - Yieldoor

  • Ranking: #15
  • Finding 1: Uninitialized feeRecipient will divert protocol fees to the zero address, impacting protocol revenue.
  • Finding 2: A malicious actor will exploit the miscalculation, impacting leveraged position holders.

Damn Vulnerable DeFi Solutions

Explore my solutions to the challenges in Damn Vulnerable DeFi:


Pinned

  1. DAMN-DEFI (Public)

    Solidity 3

  2. ethereum/ethereum-org-website (Public)

    Ethereum.org is a primary online resource for the Ethereum community.

    Markdown 5.5k 5.2k