About Expertise Work Tools Writing Contact View my GitHub ↗
Available for security engagements

Gul Hameed

[ ]

I break things before attackers do. A senior security engineer working across the full offensive stack: web, mobile and API penetration testing, centralized exchange assessments, and deep smart contract audits across 9+ blockchain ecosystems.

gul@security: ~/audits

~ whoami

gul_hameed // senior security engineer

~ cat profile.json

{

"role": "Security Engineer",

"at": ["BlockApex", "Hacken"],

"covers": ["web", "mobile", "api", "web3"],

"ecosystems": 9

}

~ ./scan --target protocol

scroll
0
Blockchain ecosystems
0
Smart contract languages
0
Offensive security certs
01

Who's behind the keyboard

I'm Gul Hameed, a senior security engineer who lives where Web2 application security meets Web3 protocol auditing. My job is easy to say and hard to do: find the bug that drains the vault, or owns the server, before someone else does.

My work isn't only on-chain. I run full web, mobile and API security assessments, and with Hacken I've audited the platforms behind centralized exchanges: web apps, APIs and the infrastructure around them.

On-chain, I research Web3 security at BlockApex and audit dApps at Hacken. I've shipped audits for bridges, perpetuals, AMMs, lending markets, stablecoins, liquid staking tokens, oracles, launchpads and full appchain architectures, with a handful of valid findings on Cantina and HackenProof. On top of that I build the tooling that makes audits faster, I write, and I speak.

02

Ecosystems I hunt in

Nine chains, nine threat models. Each one has its own VM and its own footguns.

Ξ

EVM

Solidity reentrancy, delegatecall, oracle and bridge logic.

Solana

Account validation, PDAs, CPIs, perps and launchpads.

Cosmos

CosmWasm, appchains, IBC and module level invariants.

TON

Func and Tact actors, async messages, pool staking.

NEAR

Rust contracts, gas and cross contract callbacks.

ICP

Motoko and Rust canisters, inter-canister and cycles safety.

Aptos

Move resources, the ability model and formal specs.

Fuel

Sway and the FuelVM, UTXO model and predicate logic.

Canton

DAML privacy model, sub transaction structure and rights.

// Languages

Solidity Rust Move Motoko Tact Func Sway Go DAML

// Coverage & domains

Web app pentest Mobile API security CEX platforms Bridges Perpetuals AMMs Lending Stablecoins Liquid staking Oracles Launchpads Appchains
03

Selected audit work

Smart contract and protocol audits across the stack. Tap a card to open the report.

Web2 & exchange security

Not everything lives on-chain. With Hacken I've assessed six centralized exchange platforms across web, API and mobile.

KCEX Web & API penetration test View report ↗
MEXC Web & API penetration test Hacken engagement
CoinEx Mobile app assessment Hacken engagement
MAICOIN Web & API penetration test Hacken engagement
1money Web & API penetration test Hacken engagement
J-CAM Web & API penetration test Hacken engagement
20+ web2 projects Six exchanges here, plus web, mobile and API audits across more clients.
View all on GitHub ↗
04

Open source & tooling

Security tools and learning resources I build and maintain.

05

Writing & research

Methodology, deep dives and post-mortems from the front line.

06

Let's secure
something.

Auditing a protocol, hardening an exchange, threat-modeling a launch, or just want a second pair of adversarial eyes? My inbox is open.

contact.sh · try a command

Type help and hit enter. (try: whoami, skills, work, cex, contact)

~