~/blog
Findings, war stories, and alpha from the trenches of smart contract security — Move on Sui & Aptos, Solana/Rust, EVM, Cairo, ZK.
// start here — four posts that best show how I work
The Ghost Owner — How a Forgotten State Variable Could Resurrect Ownership from the Dead
A deceptively simple vulnerability in OpenZeppelin's Cairo contracts that could let an attacker reclaim ownership of a contract the entire world believed was ownerless.
Private Bug Bounty Triage: Validating and Reproducing Web3 Findings
A concise breakdown of my private triage workflow: validating Web3 findings, writing deterministic PoCs after triage, and packaging clean impact evidence without leaking client details.
How to Audit a Perp Protocol on Sui Move
Auditing perps on Sui requires a different checklist from EVM or Aptos. The object model, hot-potato request/response pattern, Programmable Transaction Blocks, and shared collateral vaults all reshape the attack surface — the Sui companion to the Aptos perp audit post.
The Upgrade Trap — How Versioned Objects Can Brick Protocols on Sui
Sui's Versioned wrapper lets protocols migrate shared objects across upgrades. But the same pattern creates an upgrade trap — if your immutable package depends on a versioned protocol, one migrate() call bricks you forever.
Move VM Runtime — How Your Move Code Actually Runs
How the Move VM runtime actually executes your code — from bytecode loading to interpreter dispatch and native function calls.
Sui Execution Layer — A Security Researcher's Deep Dive
A deep dive into Sui's execution layer — how transactions flow from submission to state changes, and what security researchers should look for.
Sui's Cut Package — How Sui Freezes Its Execution Layer
How Sui uses the cut package mechanism to freeze its execution layer — snapshotting framework code at specific protocol versions for deterministic replay.
Sui Bella Ciao — Inside the New Move VM
Sui rewrote their entire Move VM. Here's how the new execution layer works, what changed from the old one, and where the interesting attack surface lives for security researchers.
AI Security ML10: Model Poisoning
Rewriting the brain from the inside. Goes straight to the model's parameters — the numerical weights that encode everything it has learned — and edits them to produce attacker-controlled behaviour.
AI Security ML09: Output Integrity Attack
The model was right. The answer was wrong. Every other attack tampers with the model — this one intercepts the correct answer on the way out and replaces it with a lie.
AI Security ML08: Model Skewing
Slow poison through the feedback loop. The model wasn't broken on day one — it was steered slowly through fake feedback until its decisions aligned with exactly what the attacker needed.
AI Security ML07: Transfer Learning Attack
The backdoor you inherited. The model passed every benchmark and scored well on your validation set — but it was trained to fail in exactly the one scenario the attacker controls.
AI Security ML06: ML Supply Chain Attacks
The poison was already in the package. Did you audit every library your training script imported? Every model you downloaded from a public hub? The attack was already upstream.
AI Security ML05: Model Theft
Your API is the heist. If a model is queryable, it is reconstructable. Every input-output pair is a brick — and a patient attacker will collect enough bricks to build your model themselves.
AI Security ML04: Membership Inference Attack
You don't need to extract the training data. You just need to ask the right questions — and the model will tell you whose data it learned from, one confidence score at a time.
AI Security ML03: Model Inversion Attack
Reconstructing training secrets from nothing but model outputs — how attackers invert a model's predictions to recover the sensitive data it learned from.
AI Security ML02: Data Poisoning Attack
A handful of poisoned training samples can flip a model's behaviour on exactly the inputs an attacker cares about — here's how the attack works and where to defend.
AI Security ML01: Input Manipulation Attack
Adversarial inputs that look normal to humans but flip a model's decision — the attack class that breaks fraud filters, content moderation, and on-chain ML oracles.
How to Audit Aave V3 Fork Deployment Scripts
Learnings from auditing Aave V3 fork deployment scripts — the bug classes, the patterns, and the real findings from production audits.
How to Audit a Lending Protocol on Sui Move
Share-ratio manipulation, eMode edge cases, oracle staleness, and the liquidation paths that actually break — a field checklist from a live Sui lending audit.
Formal Verification of Aptos Move Contracts Using Move Prover
Setting up the Move Prover on a real Aptos codebase: writing spec blocks, proving aborts_if conditions, and the invariants that catch bugs manual review misses.
Formal Verification of Current Sui Using Certora — Part 2
Using Certora's Sui Prover to encode borrow restrictions as parametric rules — and what the prover surfaced that manual review walked past.
Formal Verification of Current Sui Using Certora Sui Prover
How I mathematically proved that an eMode group assignment is immutable after obligation creation in a Sui DeFi lending protocol — using Certora's Sui Prover, parametric rules, and field accessors.
ZK Journey Week 5 — Learning Zero Knowledge Proofs from Scratch
As a Move security researcher, I need to understand ZK proofs deeply — not just what they do, but how they work under the hood. Week 5 of my ZK learning journey at the Rare Skills ZK Bootcamp.
ZK Journey Week 4 — Learning Zero Knowledge Proofs from Scratch
Week 4 of my ZK learning journey at the Rare Skills ZK Bootcamp.
How to Audit a Gold-Backed Staking Protocol on Solana
RWA-backed staking on Solana: mint/redeem trust boundaries, reward accounting, oracle dependencies, and the Anchor account-validation traps from a real engagement.
How to Audit a Stablecoin Protocol
Peg mechanics, collateral accounting, mint/burn access paths, and diamond-pattern upgrade risk — what I check first in every stablecoin review.
The Move Auditor
Introducing move-auditor — an open-source Claude skill that runs a structured security-audit pipeline over Move codebases, built from my real engagement workflow.
ZK Journey Week 3 — Learning Zero Knowledge Proofs from Scratch
Week 3 of my ZK learning journey at the Rare Skills ZK Bootcamp.
I Open-Sourced My AI Audit Workflow — Prompts, Pipelines, and Everything I Learned
The full prompt pipeline I use to assist real audits — recon, hypothesis generation, verification gates — published with notes on what worked and what didn't.
ZK Journey Week 2 — Learning Zero Knowledge Proofs from Scratch
Week 2 of my ZK learning journey at the Rare Skills ZK Bootcamp.
Auditing a Perp Protocol on Aptos Move
Learnings from auditing a fully on-chain perp DEX in Move on Aptos — orderbook mechanics, oracle integration, liquidation engine, funding rate, and the bugs that actually matter.
Field Order Is Sort Order — How Struct Layout Silently Breaks Ordered Maps in Move
Move compares structs lexicographically by field declaration order. If you use a struct as a key in an ordered map, the first field dominates sorting — not the field you think matters. A real bug from Decibel Exchange's perpetual futures DEX on Aptos.
The Silent Killer in Move: How return vs abort Silently Corrupts State on Chain
A real bug from Aptos core's trading engine that permanently deleted orders on an "error" path. The root cause? A return where there should have been an abort. Applies to both Aptos and Sui Move.
ZK Journey Week 1 — Why a Move Security Researcher Is Learning Zero Knowledge Proofs from Scratch
As a Move security researcher, I need to understand ZK proofs deeply — not just what they do, but how they work under the hood. Week 1 of my ZK learning journey at the Rare Skills ZK Bootcamp.
The Move Bug That Would Have Bricked Aave on Aptos Before Day One
A $24k contest finding from the Aave Aptos V3 audit on Cantina. The bug was embarrassingly simple — data stored at one address, every getter reading from another. The entire protocol would have been dead on arrival.
How to Win a Public Contest: Lessons from 6× Top 3 Finishes
Zero fluff, pure trenches-tested insights from climbing to the top 50s on Cantina. This is the alpha that actually moved the needle — not theory, not vibes, just what works when you're deep in the code at 3 AM and the leaderboard is watching.