Web3 Security Researcher specializing in Solidity/Rust smart contract audits across Ethereum, Solana, and hybrid Web2/Web3 infrastructure security assessments.
Detailed audit history and technical expertise
I am a cybersecurity professional with over five years of experience, specializing in Web3 and blockchain security for the past two years. My expertise lies in auditing smart contracts and assessing the security of blockchain-related products.
I have extensive experience auditing Solidity and Rust-based contracts across both EVM and non-EVM blockchains, with a particular focus on Ethereum and Solana. In addition to smart contract audits, I am proficient in identifying Web2 threats affecting blockchain systems, auditing wallet extensions, backend infrastructures, and Web2/Web3 hybrid solutions.
Currently working as Smart Contract Auditor at Blockapex
For private audits or security consulting, please reach out to me on:
Twitter - @0xabdullahx0 LinkedIn - Muhammad Abdullah
Protocol | Type | Audit Report |
---|---|---|
Amet Finance - Zero Coupon Bonds Issuance Protocol | Solidity, EVM | Audit Report |
Adot Finance - Bridge and NFT Marketplace on Lightlink | Solidity, EVM | Audit Report |
Axone Blockchain - AI orchestration | Go | Audit Report |
Ensofi - DeFi Lending/Borrowing | Rust, Solana | Audit Report |
Lightlink Bridge | Backend | Audit Report |
Popfi - DeFi Perpetual DEX | Rust, Solana | Audit Report |
ScriptTv - L1 Blockchain | Geth (Golang) | Audit Report |
Stakera - Lottery Protocol | Rust, Solana | Audit Report |
Stashed Wallet Extension - Chrome Wallet Extension | | Audit Report |
Pumpkin.fun | Rust, Solana | Audit Report |
Dorafactory (Dora Bridge) | Solidity | Private |
Alethai.ai - pump.fun clone for AI agents | Rust, Solana | Private |
Livaat Metaverse | Solidity | Private |
Enjoyoors | Rust, Solana | Private |
Toucan LightLink - Cross-Chain Governance & LayerZero OFTs | Solidity | |
Metapool | Rust, NEAR | Audit Report |
TokenMetrics (TMAI) | Solidity, Ethereum | Private |
Date | Platform | Protocol | Position | Findings |
---|---|---|---|---|
Mar 2025 | Cantina | ColorPool | 13 | 1 High, 3 Medium |
Name | Submission | Position |
---|---|---|
REDACTED (2025) | Overlooked Web2 vulnerabilities in the Web3 realm | Winner (Announcement) |
Issue | Company | Writeup / Hall of Fame |
---|---|---|
S3 bucket takeover leading to KYC information | Moneytoken | https://medium.com/@mahitman1/i-own-your-customers-22e965761abd |
Access to KYC information of a crypto exchange | Bilaxy | https://medium.com/@mahitman1/i-own-your-customers-22e965761abd |
SQL Injection in Plutus.io | Plutus | https://medium.com/@mahitman1/hacking-a-crypto-debit-card-service-730f287aaee7 |
Nacos instance leading to backend keys | H&M | https://medium.com/@mahitman1/how-i-found-a-goldmine-but-got-no-gold-e912a89fa522 |
Access to air conditioning panels | H&M | https://medium.com/@mahitman1/how-attacker-could-have-suffocated-the-company-staff-37a6b7192f12 |
SSRF leading to backend | Cargo.build | https://medium.com/@mahitman1/hacking-a-nft-platform-56fc59479d3b |
Free wallet top-up | CJDropshipping | https://medium.com/@mahitman1/free-wallet-topups-f814bb56640f |
XSS in Apple's acquisition BeatsByDre | BeatsByDre | http://exploiting365.blogspot.com/2016/03/xss-in-beatsbydrecom.html |
XSS in Steam | Steam | http://exploiting365.blogspot.com/2016/03/xss-in-steamcommunity.html |
XSS in Apptentive | Apptentive | http://exploiting365.blogspot.com/2016/03/cross-site-scripting-xss-in-apptentive.html |
XSS in Hackpad | Dropbox | http://exploiting365.blogspot.com/2015/09/cross-site-scripting-in-hackpad.html |
XSS in eBay | eBay | https://pages.ebay.com/securitycenter/security_researchers_acknowledgements.html |
Access to Redis instance | Silvergoldbull | |
Subdomain takeover | Silvergoldbull | |
Blind XSS in crypto exchange | Bilaxy | |
Access to KYC file of crypto exchange | rekeningku | |
Stealing user funds by leveraging CSRF | Bilaxy | |
Blind XSS in admin panel | Dflow | |
CSRFs in Skypixel.com | DJI | |
XXE in Solaredge.com | SolarEdge | https://www.solaredge.com/bug-bounty-leaderboard |
RCE in Cybozu.co.jp | Cybozu | |
Access to admin dashboard | Plutus.it | |
Blind XSS in OnePlus | OnePlus | |
Directory traversal in OnePlus | OnePlus | |
Misconfigured S3 bucket | Sphero | |
Account takeover using CSRF | Sphero | |
Subdomain takeover | Sphero | |
XSS in Opera.com | Opera | https://blogs.opera.com/security/2014/01/thanks-researchers-2014/ |
XSS in Unity3d.com | Unity | |
XSS in Vmware.com | VMware | |
Log4j in TCL | TCL | |
Nacos panel misconfiguration leading to credentials | TCL | |
SQL Injection in Terravirtua | Virtua | |
Access to multiple instances of 204 netman | H&M | |