tintinweb
> socials
> Security Researcher · Blockchain · Exploits · AI Agents
> gpt-3 'who is tintinweb'
</img>
> attack --surface
Smart Contracts · P2P Networks · Protocols · Cryptographic Implementations · Embedded Devices
> whoami
- improve Security for the Ethereum Ecosystem
- review complex Smart Contract Systems and Off-Chain components
- research new attack vectors and practice Responsible Disclosure
- buidl useful Tools to satisfy the lazy efficiency monk in me
- buidl AI-powered security agents and coding assistants
- led InfoSec for a major European corporation
- am on the Ethereum & Ethereum 2.0 Vulnerability Leaderboard
- am #39 in theCyber
- disclosed multiple vulnerabilities in cpp-ethereum, mist, parity, bitcoin-core, and bitcoin miners
- broke parts of Android, OpenSSH, Putty, Python, various Web Applications, and Embedded Devices
> featured
🥷 Vulnerability Research / Offensive
- pub - Public vulnerability disclosures & PoCs
- ecdsa-private-key-recovery - ECDSA nonce-based key recovery
- scapy-ssl_tls - SSL/TLS layers for Scapy
- electron-inject - Inject JS into Electron apps
- striptls - STARTTLS stripping attack proxy
- aggroArgs - Buffer overflow vulnerability testing
🔬 Security Research & Tools
- smart-contract-sanctuary - A home for ethereum smart contracts
- smart-contract-vulndb - Open smart contract audit issue dataset
- solidity-shell - Interactive Solidity shell
- semgrep-rules - Low noise Semgrep security rules
- bugbounty-companion - Bug bounty code-base checker
VSCode Extensions · marketplace
- vscode-interactive-graphviz - Interactive Graphviz Dot Preview
- vscode-decompiler - Decompile things from VSCode
- vscode-inline-bookmarks - Inline bookmarks
- vscode-solidity-language - Solidity Language & Themes
- vscode-solidity-flattener - Solidity Contract Flattener
- vscode-solidity-auditor - Solidity Visual Developer
- vscode-vyper - Vyper language support
- solgrep - Scriptable semantic grep for Solidity
🤖 AI / Agent Ecosystem
- claude-code-container - Docker container for Claude Code
- vscode-chonky - Superhuman LLM Auditing Agent for Solidity
- pi-gitnexus - GitNexus knowledge graph integration for Pi
- pi-subagents - Sub-agents for Pi with parallel execution
- pi-messenger-bridge - Bridge messengers into Pi
- pi-manage-todo-list - Structured todo list management for Pi
- chonky-task-manager-mcp - Task management with MCP server
- pi-supervisor - Pi extension that supervises the coding agent
- vscode-chonky-remote-pilot - Multi-transport chat bridge for VS Code
- pi-schedule-prompt - Scheduling and reminding via prompt execution
- vscode-pi-model-chat-provider - VSCode Language Model Chat Provider for Pi
> trophy
OS agnostic, any programming language, any architecture, things will be reverse engineered if needed.
- 🏆 - SSL DROWN attack / Hon. mention
- 🏆 - Ethereum Bug Bounty
- 🏆 - Ethereum 2.0 Bug Bounty
- 🏆 - Research
- 🏆 - npm
📋 Public Disclosures — 40+ vulnerabilities across:
- Android — CVE-2017-13208 · RCE via DHCP out-of-bounds write (Android 5.1–8.1)
- OpenSSH — CVE-2016-3115 · CRLF injection to bypass shell-command restrictions
- PuTTY — CVE-2016-2563 · Stack-based buffer overflow RCE via SCP
- Python — CVE-2016-0772 · StartTLS stripping in smtplib
- Ethereum — Mist browser arbitrary command execution, Parity SOP bypass, Trinity & Teku DoS
- Nim — 6 CVEs including arbitrary code execution via package metadata
- IPFS — Path traversal, IPNS downgrading & takeover, CORS bypass
- Bitcoin miners — RCE & directory traversal in cgminer, bfgminer, Claymore
Be a Hero, tip a 🍺 🙂 ⟶ Ƀ: 1AZMeGVfCBbYwVYyG9s79pJDyocTZgiApa | Ξth: 0x438B38E30eF117C15fBfF833f9C2c70182925815