~/blog
Findings, war stories, and alpha from the trenches of smart contract security — Move on Sui & Aptos, Solana/Rust, EVM, Cairo, ZK.
The Ghost Owner — How a Forgotten State Variable Could Resurrect Ownership from the Dead
A deceptively simple vulnerability in OpenZeppelin's Cairo contracts that could let an attacker reclaim ownership of a contract the entire world believed was ownerless.
read the full storyHow to Audit a Perp Protocol on Sui Move
Auditing perps on Sui requires a different checklist from EVM or Aptos. The object model, hot-potato request/response pattern, Programmable Transaction Blocks, and shared collateral vaults all reshape the attack surface — the Sui companion to the Aptos perp audit post.
read moreThe Upgrade Trap — How Versioned Objects Can Brick Protocols on Sui
Sui's Versioned wrapper lets protocols migrate shared objects across upgrades. But the same pattern creates an upgrade trap — if your immutable package depends on a versioned protocol, one migrate() call bricks you forever.
read moreSui's Cut Package — How Sui Freezes Its Execution Layer
How Sui uses the cut package mechanism to freeze its execution layer — snapshotting framework code at specific protocol versions for deterministic replay.
read moreMove VM Runtime — How Your Move Code Actually Runs
How the Move VM runtime actually executes your code — from bytecode loading to interpreter dispatch and native function calls.
read moreSui Execution Layer — A Security Researcher's Deep Dive
A deep dive into Sui's execution layer — how transactions flow from submission to state changes, and what security researchers should look for.
read moreSui Bella Ciao — Inside the New Move VM
Sui rewrote their entire Move VM. Here's how the new execution layer works, what changed from the old one, and where the interesting attack surface lives for security researchers.
read moreAI Security ML10: Model Poisoning
Rewriting the brain from the inside. Goes straight to the model's parameters — the numerical weights that encode everything it has learned — and edits them to produce attacker-controlled behaviour.
read moreAI Security ML09: Output Integrity Attack
The model was right. The answer was wrong. Every other attack tampers with the model — this one intercepts the correct answer on the way out and replaces it with a lie.
read moreAI Security ML08: Model Skewing
Slow poison through the feedback loop. The model wasn't broken on day one — it was steered slowly through fake feedback until its decisions aligned with exactly what the attacker needed.
read moreAI Security ML07: Transfer Learning Attack
The backdoor you inherited. The model passed every benchmark and scored well on your validation set — but it was trained to fail in exactly the one scenario the attacker controls.
read moreAI Security ML06: ML Supply Chain Attacks
The poison was already in the package. Did you audit every library your training script imported? Every model you downloaded from a public hub? The attack was already upstream.
read moreAI Security ML05: Model Theft
Your API is the heist. If a model is queryable, it is reconstructable. Every input-output pair is a brick — and a patient attacker will collect enough bricks to build your model themselves.
read moreAI Security ML04: Membership Inference Attack
You don't need to extract the training data. You just need to ask the right questions — and the model will tell you whose data it learned from, one confidence score at a time.
read moreAI Security ML03: Model Inversion Attack
How to invert the model to get the sensitive data.
read moreAI Security ML02: Data Poisoning Attack
How to poison the data to mislead the AI model.
read moreAI Security ML01: Input Manipulation Attack
How to deliberately alter input data to mislead the AI model.
read moreHow to Audit Aave V3 Fork Deployment Scripts
Learnings from auditing Aave V3 fork deployment scripts — the bug classes, the patterns, and the real findings from production audits.
read moreHow to Audit a Lending Protocol on Sui Move
Learnings from auditing a lending protocol on Sui Move.
read moreFormal Verification of Aptos Move Contracts Using Move Prover
How to formally verify aptos move contracts using move prover.
read moreFormal Verification of Current Sui Using Certora — Part 2
How I used Formal Verification to find bugs in Current Sui.
read moreFormal Verification of Current Sui Using Certora Sui Prover
How I mathematically proved that an eMode group assignment is immutable after obligation creation in a Sui DeFi lending protocol — using Certora's Sui Prover, parametric rules, and field accessors.
read moreZK Journey Week 5 — Learning Zero Knowledge Proofs from Scratch
As a Move security researcher, I need to understand ZK proofs deeply — not just what they do, but how they work under the hood. Week 5 of my ZK learning journey at the Rare Skills ZK Bootcamp.
read moreZK Journey Week 4 — Learning Zero Knowledge Proofs from Scratch
Week 4 of my ZK learning journey at the Rare Skills ZK Bootcamp.
read moreHow to Audit a Gold-Backed Staking Protocol on Solana
Learnings from auditing a gold-backed staking protocol on Solana.
read moreHow to Audit a Stablecoin Protocol
Learnings from auditing a stablecoin protocol.
read moreThe Move Auditor
It's claude skill season, and I am introducing the move-auditor skill.
read moreZK Journey Week 3 — Learning Zero Knowledge Proofs from Scratch
Week 3 of my ZK learning journey at the Rare Skills ZK Bootcamp.
read moreI Open-Sourced My AI Audit Workflow — Prompts, Pipelines, and Everything I Learned
I open-sourced my AI audit workflow — prompts, pipelines, and everything I learned.
read moreZK Journey Week 2 — Learning Zero Knowledge Proofs from Scratch
Week 2 of my ZK learning journey at the Rare Skills ZK Bootcamp.
read moreAuditing a Perp Protocol on Aptos Move
Learnings from auditing a fully on-chain perp DEX in Move on Aptos — orderbook mechanics, oracle integration, liquidation engine, funding rate, and the bugs that actually matter.
read moreField Order Is Sort Order — How Struct Layout Silently Breaks Ordered Maps in Move
Move compares structs lexicographically by field declaration order. If you use a struct as a key in an ordered map, the first field dominates sorting — not the field you think matters. A real bug from Decibel Exchange's perpetual futures DEX on Aptos.
read moreThe Silent Killer in Move: How return vs abort Silently Corrupts State on Chain
A real bug from Aptos core's trading engine that permanently deleted orders on an "error" path. The root cause? A return where there should have been an abort. Applies to both Aptos and Sui Move.
read moreZK Journey Week 1 — Why a Move Security Researcher Is Learning Zero Knowledge Proofs from Scratch
As a Move security researcher, I need to understand ZK proofs deeply — not just what they do, but how they work under the hood. Week 1 of my ZK learning journey at the Rare Skills ZK Bootcamp.
read moreThe Move Bug That Would Have Bricked AAVE on Aptos Before Day One
A $24K finding from the AAVE Aptos V3 audit on Cantina. The bug was embarrassingly simple — data stored at one address, every getter reading from another. The entire protocol would have been dead on arrival.
read moreHow to Win a Public Contest: Lessons from 6× Top 3 Finishes
Zero fluff, pure trenches-tested insights from climbing to the top 50s on Cantina. This is the alpha that actually moved the needle — not theory, not vibes, just what works when you're deep in the code at 3 AM and the leaderboard is watching.
read more