Security
For security teams and recruiters: the short version of what I find, how I prove it, and the upstream code I've shipped. I work on cross-chain infrastructure and smart-contract security — Rust and EVM — and I'm partial to the one accounting bug that lets a bridge print money.
Merged upstream
- alloy-rs/core #1105 (merged) — EIP-712 self-referential struct canonicalization in dyn-abi. alloy is the Ethereum Rust library under Foundry and Reth.
- uutils/coreutils #12327 (merged) — date timezone re-zoning in the Rust rewrite of GNU coreutils.
Bridge audit — lock-mint-bridge-lab
A lock-and-mint bridge I built and audited end-to-end, written up in auditor format. Each finding lists the severity, the invariant it broke, the impact, the proof-of-concept, the fix, and the revert-fails regression that turns the test red again if the fix is removed. Full suite and write-ups: github.com/0xSoftBoi/lock-mint-bridge-lab.
- supply ≤ collateral (critical)
  Invariant broken — total minted supply on the remote chain could exceed locked collateral on the home chain.
  Impact — unbacked mint: the bridge prints money and drains backing.
  PoC — stateful invariant handler in the suite that drives lock / mint / burn / release sequences until the accounting identity fails.
  Fix — enforce mintedSupply ≤ lockedCollateral at the mint boundary.
  Regression — a revert-fails test that re-applies the exploit sequence and asserts the invariant now holds; delete the guard and it goes red.
- attestation gate (high)
  Invariant broken — a mint could be authorized without a valid, unconsumed attestation from the home chain.
  Impact — unauthorized and replayed mints: double-spend of a single lock.
  PoC — handler attempts mint with absent, malformed, and already-consumed attestations.
  Fix — gate every mint on a verified attestation and mark it consumed (one lock, one mint).
  Regression — revert-fails tests for the no-attestation and replay paths that fail closed once the gate is removed.
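A minimal Rust model of the two fixes above (the supply guard and the attestation gate at the mint boundary), added here as an illustration; it is not code from lock-mint-bridge-lab. The Bridge type, its method names and the error variants are hypothetical, and attest stands in for real verification of a home-chain attestation.

```rust
use std::collections::{HashMap, HashSet};

#[derive(Debug, PartialEq)]
pub enum MintError { NoAttestation, Replayed, Unbacked }

// Hypothetical in-memory model of the remote-chain mint boundary.
#[derive(Default)]
pub struct Bridge {
    pub locked_collateral: u128,  // lockedCollateral on the home chain
    pub minted_supply: u128,      // mintedSupply on the remote chain
    attested: HashMap<u64, u128>, // verified attestations: lock id -> amount
    consumed: HashSet<u64>,       // lock ids that already backed a mint
}

impl Bridge {
    pub fn lock(&mut self, amount: u128) { self.locked_collateral += amount; }

    // Assumption: stands in for signature verification of an attestation.
    pub fn attest(&mut self, lock_id: u64, amount: u128) { self.attested.insert(lock_id, amount); }

    // Mint boundary: every check fails closed before any state changes.
    pub fn mint(&mut self, lock_id: u64, amount: u128) -> Result<(), MintError> {
        if self.consumed.contains(&lock_id) {
            return Err(MintError::Replayed); // one lock, one mint
        }
        if self.attested.get(&lock_id) != Some(&amount) {
            return Err(MintError::NoAttestation); // absent or mismatched
        }
        let new_supply = self.minted_supply.checked_add(amount).ok_or(MintError::Unbacked)?;
        if new_supply > self.locked_collateral {
            return Err(MintError::Unbacked); // mintedSupply ≤ lockedCollateral
        }
        self.attested.remove(&lock_id);
        self.consumed.insert(lock_id);
        self.minted_supply = new_supply;
        Ok(())
    }

    pub fn invariant_holds(&self) -> bool { self.minted_supply <= self.locked_collateral }
}

fn main() {
    let mut b = Bridge::default();
    b.lock(100);
    b.attest(1, 100);
    let first = b.mint(1, 100);
    let replay = b.mint(1, 100);
    println!("{:?} {:?} invariant={}", first, replay, b.invariant_holds());
}
```

The supply check is kept independent of the attestation check, so an attestation for more than what is locked still cannot push supply past collateral.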
Exploit reproductions in the same suite — replays of Ronin, Wormhole, and Nomad — run as standing regressions the bridge must survive, not as findings against my own code.
Tooling & method
- Foundry stateful invariants — the core harness, run 512×100 (runs × depth) to push the accounting and attestation invariants under long randomized call sequences.
- Slither — static analysis pass over the contract set.
- Halmos — symbolic checks on the invariants that benefit from exhaustive reasoning over a bounded input space.
- Wake — fuzzing, used on the CoW TWAP router work below.
- SWC / CWE mapping — findings tagged to the standard weakness taxonomies so they read in a recruiter's and an auditor's vocabulary.
Related repos
- quantgroup — constant-product AMM annotated for auditors: attack simulations, stateful invariants, SWC/CWE mapping.
- cowswaprouter — CoW TWAP router with Wake fuzzing.
- zk-dark-chess — zero-knowledge dark chess (Circom + Groth16).
- fhe-dark-chess — fully-homomorphic dark chess (Zama tfhe-rs).
Background on the about page; research on the research page.