EVM
Solidity reentrancy, delegatecall, oracle and bridge logic.
[ ▌ ]
I break things before attackers do. A senior security engineer working across the full offensive stack: web, mobile and API penetration testing, centralized exchange assessments, and deep smart contract audits across 9+ blockchain ecosystems.
➜ ~ whoami
gul_hameed // senior security engineer
➜ ~ cat profile.json
{
"role": "Security Engineer",
"at": ["BlockApex", "Hacken"],
"covers": ["web", "mobile", "api", "web3"],
"ecosystems": 9
}
➜ ~ ./scan --target protocol▌
I'm Gul Hameed, a senior security engineer who lives where Web2 application security meets Web3 protocol auditing. My job is easy to say and hard to do: find the bug that drains the vault, or owns the server, before someone else does.
My work isn't only on-chain. I run full web, mobile and API security assessments, and with Hacken I've audited the platforms behind centralized exchanges: web apps, APIs and the infrastructure around them.
On-chain, I research Web3 security at BlockApex and audit dApps at Hacken. I've shipped audits for bridges, perpetuals, AMMs, lending markets, stablecoins, liquid staking tokens, oracles, launchpads and full appchain architectures, with a handful of valid findings on Cantina and HackenProof. On top of that I build the tooling that makes audits faster, I write, and I speak.
Nine chains, nine threat models. Each one has its own VM and its own footguns.
Solidity reentrancy, delegatecall, oracle and bridge logic.
Account validation, PDAs, CPIs, perps and launchpads.
CosmWasm, appchains, IBC and module level invariants.
Func and Tact actors, async messages, pool staking.
Rust contracts, gas and cross contract callbacks.
Motoko and Rust canisters, inter-canister and cycles safety.
Move resources, the ability model and formal specs.
Sway and the FuelVM, UTXO model and predicate logic.
DAML privacy model, sub transaction structure and rights.
Smart contract and protocol audits across the stack. Tap a card to open the report.
DeFi protocol audit covering staking flows, reward distribution and access control across the contract suite.
View report ↗Audited the Axone appchain and its CosmWasm contracts: module invariants, message handling and Data Hub logic.
View report ↗Launchpad staking v2 and vesting contracts on Neutron: reward math, lockups and vesting schedule integrity.
View report ↗Smart contract audit of the Gemz protocol, reviewing token mechanics, core logic and access control.
View report ↗Liquid staking audit (stICP) on the Internet Computer, part of Meta Pool's multichain LST suite.
View report ↗An EVM compatible L1 with native account abstraction. Reviewed core chain contracts and the AA paymaster flows.
View report ↗EARN marketplace and ENS audits on Aurora, plus a full protocol threat model mapping the attack surface.
View report ↗These seven are highlights. See the full portfolio of 31 protocol audits on my GitHub.
View all on GitHub ↗Not everything lives on-chain. With Hacken I've assessed six centralized exchange platforms across web, API and mobile.
Security tools and learning resources I build and maintain.
Fast, deterministic Solidity pattern scanner derived from empirical audit gap analysis. An AI assisted smart contract vulnerability scanner.
A learning track for auditing Canton and DAML: the privacy model, sub transaction rights and the common pitfalls.
Static security review skill for NestJS / Node backends (MongoDB, web3). A Claude Code CI gate built on OWASP ASVS and the API Security Top 10.
Static security review skill for React Native / Expo apps. A Claude Code CI gate built on OWASP MASVS.
Methodology, deep dives and post-mortems from the front line.
Auditing a protocol, hardening an exchange, threat-modeling a launch, or just want a second pair of adversarial eyes? My inbox is open.
Type help and hit enter. (try: whoami, skills, work, cex, contact)