MRH Smart contract security Contact ↗

Independent security researcher · MD

Muhammad Rifqi Haikal

I review smart contracts and protocol logic across EVM, XRP Ledger, and Solana systems. My public record includes five findings on Sherlock and Cantina, three rated medium severity.

Muhammad Rifqi Haikal
Banjarmasin, Indonesia kudaliar / 0xNoramiya
05 public findings across Sherlock and Cantina
03 medium-severity findings on Sherlock
#32 best Sherlock placement and one top-50 finish
#48/269 Cantina placement in Revert Finance StableSwap Hooks

01 / Audit work

Public results and findings.

Sherlock and Cantina results, with protocol context and public source links.

Sherlock

XRP Ledger protocol review

XRP Ledger

2 medium
  • Vault owners and sponsors cannot transfer, reassign, or end sponsorship because ValidVault rejects a SponsorshipTransfer that modifies a vault.
  • A minimally funded reserve sponsor causes legitimate sponsored XRP AMMDeposit transactions to reject the liquidity provider.
Placement
#75
Payout
444.81 USDC
Sherlock record ↗
Sherlock

DeFi lending review

Current Finance

1 medium
  • A depositor can exceed the protocol deposit caps, breaking the intended exposure limit.
Placement
#32
Result
Top 50
Finding detail ↗
Cantina

DeFi hooks competition

Revert Finance — StableSwap Hooks

2 findings
  • Two public findings accepted in a field of 269 participants.
Placement
#48 / 269
Payout
$44.15
Cantina record ↗
Sherlock · Apr 2026 Clear Macro by Superfluid — additional paid result Placement #162

02 / Selected work

Systems built beyond the audit queue.

Selected from 30+ repositories · security, protocol systems, clinical computing, and threat intelligence.

03 / Writing

Notes from the work.

Reproduction notes, challenge writeups, and postmortems.

04 / Background

Practice and technical range.

Independent research, CTFs, and applied systems work.

Experience

2025 — Present

Independent Smart Contract Security Researcher

Remote · Sherlock, Cantina, CodeHawks, Code4rena

  • Five public findings across Sherlock and Cantina, including three medium-severity issues.
  • Reviewing DeFi accounting, protocol invariants, access control, sponsorship semantics, oracle assumptions, and Solana CPI boundaries.
  • Building open-source tooling for on-chain investigation, privacy-preserving systems, and security analysis.
2024 — Present

CTF Player — TCP1P

CTFTime profile ↗

  • Solved 100+ challenges across 30+ competitions in web, Web3, cryptography, RF/SDR, forensics, pwn, and reverse engineering.
  • Competing with TCP1P, currently ranked #1 in Indonesia on CTFTime's 2026 country leaderboard.
  • Authored Web3 challenges for the TCP1P CTF platform.

Practice areas

Protocol review

DeFi accounting and invariants, access control, proxy and ABI edge cases, oracle assumptions, Solana CPI verification.

Languages

Solidity, Rust and Anchor, Python, TypeScript, JavaScript, Compact, SQL, and Bash.

Applied security

On-chain forensics, web exploitation, cryptography, RF/SDR, OSINT, threat intelligence, and Linux privilege escalation.

Clinical systems

FHIR, clinical retrieval, medical workflow agents, MCP, FastAPI, PostgreSQL, structured verification, and data masking.

Certifications

  • Cyfrin Updraft — Smart Contract Security
  • Cyfrin Updraft — Uniswap V4
  • Cyfrin Updraft — Advanced Web3 Wallet Security

05 / Achievements

Selected competition results.

Hackathons, audit competitions, and CTFs.

Hackathons

1stMidnight Network Hackathon — Healthcare Track (2026)
1stAgents Assemble — The Healthcare AI Endgame
2ndDevNetwork AI + ML Hackathon — TrueFoundry Track (2026)
3rdSolana MagicBlock Hackathon (2026)
3rdWeb Data Unlocked Hackathon
Top 5HackerRank Orchestrate Hackathon
Top 10Paradigm Optimization Hackathon

Security

#1CodeHawks First Flight #56 (2025)

CTF

3rdRITSEC CTF — TCP1P (2026)
FinalistWaskita Manunggal Siber CTF (2026)
Top 15CyberAcademy Helium Challenge (2026)