// security research & notes

Breaking things carefully, then writing about it.

I'm Michelle — security engineer sharing pentesting research, study notes, and lessons from the field. Complex topics, approachable language.

CRTP · CEH · Published in Block Magnates · Guest on 她Ta Zhi Dao · Public notes on HackMD
Recent
Cybersecurity, Scammers, and Confidence
Guest on 她Ta Zhi Dao — how scammers collect your data, social engineering in Asia, and building confidence as a woman in security.
Podcast
My First On-Chain Hacking: Fallback
Solving Ethernaut's Fallback challenge — claiming contract ownership and draining funds by exploiting how Solidity handles fallback functions.
Article
Study Notes
Reference
CRTP Study Notes
Full AD red team kill chain — from AMSI bypass and domain enumeration to Kerberos attacks, persistence, and cross-forest trust abuse.
Cheatsheet
Exploiting Databases
SQL injection and exploitation reference for Oracle, MySQL, and PostgreSQL — from union-based extraction to RCE and WAF bypass.
Notes
Exploiting ViewState
ASP.NET deserialization to RCE via ysoserial.net — TypeConfuseDelegate and ActivitySurrogateSelector gadget chains explained.
About

Security engineer based in Taipei. I spend my days finding what's broken in systems and helping organizations understand what's actually at risk.

I believe the best security writing makes complex topics feel approachable without dumbing them down. If something cost me hours to figure out, I write it down so it costs you minutes.

Currently: researching, breaking, documenting.
Drawing diagrams nobody asked for.
