Latest Posts
The Ghost Owner — How a Forgotten State Variable Could Resurrect Ownership from the Dead
A deceptively simple vulnerability in OpenZeppelin's Cairo contracts that could let an attacker reclaim ownership of a contract the entire world believed was ownerless.
Read the full storyField Order Is Sort Order — How Struct Layout Silently Breaks Ordered Maps in Move
Move compares structs lexicographically by field declaration order. If you use a struct as a key in an ordered map, the first field dominates sorting — not the field you think matters. A real bug from Decibel Exchange's perpetual futures DEX on Aptos.
Read moreHow to win a public contest: Lessons from 6x Top 3 Finishes
Zero fluff, pure trenches-tested insights from climbing to the top 50s on Cantina. This is the alpha that actually moved the needle — not theory, not vibes, just what works when you're deep in the code at 3 AM and the leaderboard is watching.
Read moreThe Move Bug That Would Have Bricked AAVE on Aptos Before Day One
A $24K finding from the AAVE Aptos V3 audit on Cantina. The bug was embarrassingly simple — data stored at one address, every getter reading from another. The entire protocol would have been dead on arrival.
Read moreZK Journey Week 1 — Why a Move Security Researcher Is Learning Zero Knowledge Proofs from Scratch
As a Move security researcher, I need to understand ZK proofs deeply — not just what they do, but how they work under the hood. This is week 1 of my ZK learning journey at the Rare Skills ZK Bootcamp.
Read moreThe Silent Killer in Move: How return vs abort Silently Corrupts State on Chain
A real bug from Aptos core's trading engine that permanently deleted orders on an "error" path. The root cause? A return where there should have been an abort. This pattern applies to both Aptos and Sui Move.
Read moreAuditing a Perp Protocol on Aptos Move
Learnings from auditing a fully on-chain perp DEX in Move on Aptos.
Read moreZK Journey Week 2 — Learning Zero Knowledge Proofs from Scratch
As a Move security researcher, I need to understand ZK proofs deeply — not just what they do, but how they work under the hood. This is week 2 of my ZK learning journey at the Rare Skills ZK Bootcamp.
Read moreI Open-Sourced My AI Audit Workflow — Prompts, Pipelines, and Everything I Learned
I open-sourced my AI audit workflow — prompts, pipelines, and everything I learned.
Read moreZK Journey Week 3 — Learning Zero Knowledge Proofs from Scratch
As a Move security researcher, I need to understand ZK proofs deeply — not just what they do, but how they work under the hood. This is week 3 of my ZK learning journey at the Rare Skills ZK Bootcamp.
Read moreThe Move Auditor
It's claude skill season, and I am introducing move-auditor skill.
Read moreHow to Audit a Stablecoin Protocol
Learnings from auditing a stablecoin protocol.
Read moreHow to Audit a Gold-Backed Staking Protocol on Solana
Learnings from auditing a gold-backed staking protocol on Solana.
Read moreZK Journey Week 4 — Learning Zero Knowledge Proofs from Scratch
As a Move security researcher, I need to understand ZK proofs deeply — not just what they do, but how they work under the hood. This is week 4 of my ZK learning journey at the Rare Skills ZK Bootcamp.
Read moreZK Journey Week 5 — Learning Zero Knowledge Proofs from Scratch
As a Move security researcher, I need to understand ZK proofs deeply — not just what they do, but how they work under the hood. This is week 5 of my ZK learning journey at the Rare Skills ZK Bootcamp.
Read moreFormal Verification of Current Sui Using Certora Sui Prover
How I mathematically proved that an eMode group assignment is immutable after obligation creation in a Sui DeFi lending protocol — using Certora's Sui Prover, parametric rules, and field accessors.
Read moreFormal Verification of Current Sui Using Certora Part 2
How I used Formal Verification to find bugs in current sui.
Read moreFormal Verification of Aptos Move Contracts Using Move Prover
How to formally verify aptos move contracts using move prover.
Read moreHow to Audit a Lending Protocol on Sui Move
Learnings from auditing a lending protocol on Sui Move.
Read moreHow to Audit Aave V3 Fork Deployment Scripts
Learnings from auditing Aave V3 fork deployment scripts — the bug classes, the patterns, and the real findings from production audits.
Read moreAI Security ML01: Input Manipulation Attack
How to deliberately alters input data to mislead the AI model.
Read moreAI Security ML02: Data Poisoning Attack
How to poison the data to mislead the AI model.
Read moreAI Security ML03: Model Inversion Attack
How to invert the model to get the sensitive data.
Read moreAI Security ML04: Membership Inference Attack
You don't need to extract the training data. You just need to ask the right questions — and the model will tell you whose data it learned from, one confidence score at a time.
Read moreAI Security ML05: Model Theft
Your API is the heist. If a model is queryable, it is reconstructable. Every input-output pair is a brick — and a patient attacker will collect enough bricks to build your model themselves.
Read moreAI Security ML06: ML Supply Chain Attacks
The poison was already in the package. Did you audit every library your training script imported? Every model you downloaded from a public hub? The attack was already upstream.
Read moreAI Security ML07: Transfer Learning Attack
The backdoor you inherited. The model passed every benchmark and scored well on your validation set — but it was trained to fail in exactly the one scenario the attacker controls.
Read moreAI Security ML08: Model Skewing
Slow poison through the feedback loop. The model wasn't broken on day one — it was steered slowly through fake feedback until its decisions aligned with exactly what the attacker needed.
Read moreAI Security ML09: Output Integrity Attack
The model was right. The answer was wrong. Every other attack tampers with the model — this one intercepts the correct answer on the way out and replaces it with a lie.
Read moreAI Security ML10: Model Poisoning
Rewriting the brain from the inside. Goes straight to the model's parameters — the numerical weights that encode everything it has learned — and edits them to produce attacker-controlled behaviour.
Read moreSui Bella Ciao — Inside the New Move VM
Sui rewrote their entire Move VM. Here's how the new execution layer works, what changed from the old one, and where the interesting attack surface lives for security researchers.
Read moreSui Execution Layer — A Security Researcher's Deep Dive
A deep dive into Sui's execution layer — how transactions flow from submission to state changes, and what security researchers should look for.
Read moreMove VM Runtime — How Your Move Code Actually Runs
How the Move VM runtime actually executes your code — from bytecode loading to interpreter dispatch and native function calls.
Read moreSui's Cut Package — How Sui Freezes Its Execution Layer
How Sui uses the cut package mechanism to freeze its execution layer — snapshotting framework code at specific protocol versions for deterministic replay.
Read more