security
I audit blockchain systems, primarily Zero-Knowledge proving infrastructure (zkVMs, circuits, recursion layers) and DeFi protocols.
This page collects the security-relevant work I do: the professional audits I've contributed to, the certifications and coursework I've completed to keep my toolkit sharp, and the CTFs and wargames I practise on.
security audits
In a security audit, a client hires an independent firm to review their code for vulnerabilities before (or soon after) it ships. Findings are documented with severity ratings, prioritised, and published as a report. Each entry below links to the public report.
ZisK zkVM — Binary & Main circuits review
OpenZeppelin · ZisK (0xPolygonHermez/zisk) · Nov 2025
Scope: PIL2 constraints for the ZisK zkVM: binary opcode circuits (binary.pil, binary_add.pil, binary_extension.pil, binary_extension_table.pil, binary_table.pil) and the main execution trace (main.pil)
ZisK is a general-purpose zkVM — a virtual machine that produces a zero-knowledge proof of any RISC-V program's execution. This engagement reviewed the core PIL2 arithmetic circuits (binary opcode evaluation and the main execution-trace constraints that stitch execution segments together). Thirteen issues surfaced, including one critical — see the public report below.
certifications & coursework
Public certificates of completion for security- and smart-contract-focused courses I've taken. Each badge links to the course page; the Verify link goes to my public Cyfrin Profile so the completion can be confirmed by anyone.
- Uniswap V2 · Cyfrin Updraft · defi · Feb 2026
- Assembly and Formal Verification · Cyfrin Updraft · formal-verification · Feb 2026
- Foundry Fundamentals · Cyfrin Updraft · solidity · Dec 2025
- Solidity Smart Contract Development · Cyfrin Updraft · solidity · Dec 2025
CTF & wargames
CTFs (Capture The Flag) are competitive security challenge events — teams attack deliberately vulnerable code under a time limit, scoring points per flag captured. Wargames are the self-paced equivalent: public challenge sets with structured levels. Team CTFs and solo wargame progress are tracked separately below because they carry different signal.
team CTF events
In-person, team-based competitions — typically run during conferences. Each row shows the team, the final rank out of the total number of teams, and (where relevant) the peak rank we reached during the competition.
1 event
- Wonderland CTF 2026 · Cannes, France · 2026 · 9 / 34 · peak 3
  Team Stack Too Deep · Adrià Torralba-Agell, Pol Ureña Heras, Gianfranco Bazzani, Ezequiel Pérez, Rubén Cruz Acevedo
  Wonderland's on-site CTF during EthCC 9 in Cannes. Smart-contract security challenges (Solidity + EVM). The 9/34 badge is the final rank; peak 3 was our best standing during the event.
The Ethernaut
OpenZeppelin's Solidity-based wargame. 40+ on-chain levels deployed to Sepolia; each level is a smart contract with a planted vulnerability. Solving a level means crafting the transaction sequence that exploits it.
18 / 41 solved · 1 in progress · last solved May 3, 2026
Damn Vulnerable DeFi (v4)
Coming soon…
Foundry-based DeFi security wargame by @tinchoabbate. 18 challenges modelled on real DeFi bugs — flash loans, oracle manipulation, upgrade bypasses. Solve each one by writing a Foundry test that reaches the target state.