Security research
Since 2026 I've worked as an independent smart contract security researcher on Immunefi and Cantina bug bounty programs, focusing on EVM protocols - perpetuals, lending, restaking and real-world assets.
The pipeline
I built my research tooling end-to-end in Python: an Immunefi scraper backed by a 216-programme database, static analysis via Slither, Mythril and Semgrep, exploit-pattern matching against historical incidents (Euler, Nomad, Wormhole) and CTF corpora, LLM-generated analysis briefs, and automated Markdown and Telegram reporting. Separate analyser runners cover Solana, CosmWasm and Move alongside EVM.
Methodology
- Pinned-block Foundry fork proof-of-concepts against live deployments - findings are demonstrated, not speculated.
- EIP-1967 deployed-versus-repository implementation diffs read straight from proxy storage slots. On one target this proved the live contract was an unfixed earlier version than the public repository suggested.
- Compiler-bug exposure checks, e.g. Vyper reentrancy-lock versions.
- A per-chain knowledge base (Ethereum L1, Arbitrum, OP Stack/Base, zkSync Era, Solana, Cosmos/CosmWasm) with attack-class, compiler-bug and environment-feasibility checklists that drive target selection.
Confirmed findings
- TipRun contract - a confirmed critical-severity finding.
- 0xMarkets - four confirmed findings (High and Medium severity).
Track record, honestly
Around 90 protocol assessments so far - Ostium, Polymarket, Morpho, Pendle, Renzo, Maple, Enzyme, Usual, GammaSwap and others. Several targets I cleared as genuinely hardened after full review rather than filing low-confidence reports - I'd rather have a short list of real findings than a long list of noise.
The Ostium work is representative of how I approach a target: a candidate liquidation-check bypass where the liquidation flag is latched at mid price while trade value is recomputed at post-impact price - unlike the sibling automation path - supported by a Foundry fork proof-of-concept against the live deployment.
Agent security tooling
Hackathon builds from 2026, all at the intersection of AI agents and on-chain risk:
- aegis402 (Casper Agentic Buildathon) - an x402 pay-per-call risk oracle implementing both sides of the payment loop: a buyer skill that parses the HTTP 402 challenge and signs an EIP-712 TransferWithAuthorization digest with a secp256k1 Casper key, and a seller oracle that verifies and settles on-chain before returning a risk verdict. Odra/Rust CEP-18 contract deployed and verified on testnet; exposed via MCP and LangChain.
- guardskill (Pharos Agent Carnival) - a pre-transaction contract risk gate that analyses bytecode with no source available: an opcode walker that skips PUSH data and strips the Solidity metadata trailer, proxy-pattern detection (EIP-1967, UUPS, beacon, EIP-1167), and read-only ERC-20 probes flagging upgradeability, owner-mint, pause/blacklist controls and selfdestruct. Ships as a LangChain tool, an MCP server and an agent-kit action.
- tradeguard (BNB Chain) - a CoinMarketCap-sponsored strategy skill paired with an on-chain risk gate: bytecode analysis and PancakeSwap liquidity/tax/honeypot checks over BSC RPC, read-only with no private key, reported with quantified backtests that publish the losing strategies alongside the winning ones.