Jakub
Experienced Lead Blockchain Security Auditor, specialized in non-EVM chains and offchain penetration testing. Expert in MOVE, Rust and Golang.
Programming Languages
Expertise & Skills
Let Us Help You Connect
Our team can assist with project requirements, timeline coordination, and finding the perfect match
Portfolio & Experience
Detailed audit history and technical expertise
Portfolio of audits and certificates
About me
I am a cybersecurity expert with more than eight years of experience in the industry. For three years associated with blockchain technology as a Lead Smart Contract and Blockchain auditor. I conducted over 110 audits of various protocols, mostly related to Decentralized Finances. I am specializing in the security of contracts written in Rust, Golang and MOVE, in technologies such as CosmWasm, Sui/Aptos/Movement, NEAR, Ink!, Substrate and Solana, as well as i have a deep technical understanding of EVM and Solidity. I participated in assessments testing low-level aspects of blockchain technology, such as finality proof verifications, serialization libraries, rollups as well as implementations of bridges between many different ecosystems. I have an experience in auditing Layer 1 Blockchains written in Rust, Golang and MOVE. Additionally, i have an experience in testing offchain components such as wallets, infrastructures, oracles and Metamask Snaps. My experience covers also more niche languages, such as Pact, Noir and Rell. Before moving to Web3, I was a Lead Security Researcher and Penetration Tester managing a team of up to 10 engineers. I am also specialized in low-level binary exploitation in both UNIX and Windows environments. Holder of OSCP, OSCE and Lead ISO27001 Auditor certificates.
CEO & Cofounder at Monethic. Currently, I'm also an ASR at Spearbit, Lead Blockchain Security Auditor at Oak Security, Zenith, Sub7, Sayfer, Formal Verification Ambassador at Certora and Lead Smart Contract Security Auditor at Hacken. Additionally, i am a judge on Cantina.
For private audits or security consulting, please reach out to me on:
- Twitter - @JakubHeba
- LinkedIn - Jakub Heba
You can also request a quote on Monethic or Cantina.
Current public reports count: 86
Private & Solo Audits
| Protocol | Type | Report |
|---|---|---|
| Legion Solana - Solana private Code4rena (Zenith) assessment | Rust, Solana | 📄 Report.pdf |
| Medley Finance - Decentralized Exchange on Solana | Rust, Solana | 📄 Report.pdf |
| Legion Solana - Solana second private Code4rena (Zenith) assessment | Rust, Solana | 📄 Report.pdf |
| Succinct - Succinct SP1 Zero-Knowledge Virtual Machine (zkVM) | Ethereum, ZK, Cryptography, Solidity | 📄 Report.pdf |
| Compass Wallet - Compass Wallet for Sei | TypeScript, Extension, Wallet | 📄 Report.pdf |
| Leap Wallet - Leap Cosmos Wallet | TypeScript, Extension, Wallet | 📄 Report.pdf |
| Compass Wallet - Compass Mobile Wallet for Sei | Android, iOS, Mobile Application, Wallet | 📄 Report.pdf |
| Leap Wallet - Leap Cosmos Mobile Wallet | Android, iOS, Mobile Application, Wallet | 📄 Report.pdf |
| Kinode OS - Kinode OS security & architecture review | Rust, OS, Architecture | 📄 Report.pdf |
| Eagle Finance - EagleFi XYK Pool | AssemblyScript, AMM, Massa | 📄 Report.pdf |
| Razor DEX - Decentralized Exchange contracts | MOVE, Aptos, Sui | 📄 Report.pdf |
| Wolf Game - Cave Game, ERC721 | Solidity, BLAST | 📄 Report.pdf |
| Magic Beans - Magic Beans, OTC | Solana, Rust | 📄 Report.pdf |
| Orderly Network - Asset Manager Smart Contract | Rust, NEAR | 📄 Report.pdf |
| Cascadia Foundation - Liquidity Pools (Curve fork) Contracts | Solidity, Vyper | - |
| Holoride - Holoride Ethereum <> MultiversX bridge | Rust, MultiversX/Elrond | 📄 Report.pdf |
| Uncharted - GangsterArena 5 | Solidity, BLAST, Gaming | 📄 Report.pdf |
| Tezos - Tezos Metamask Snap | TypeScript, Metamask Snap | 📄 Report.pdf |
| Polkadot - Polkadot Metamask Snap | TypeScript, Metamask Snap | 📄 Report.pdf |
| Sei - Sei Metamask Snap | TypeScript, Metamask Snap | 📄 Report.pdf |
| Uncharted - Confidential | Solidity, BLAST, Gaming | soon |
| Uncharted - Confidential | Solidity, BLAST, Gaming | soon |
| Confidential - Confidential | Solidity, MetaMorpho ERC4626 Vaults | soon |
Audits in a team
| Protocol | Type | Report |
|---|---|---|
| Unhosted Wallet - Unhosted Wallet Extension Core & Backend Services | TypeScript, Extension, Wallet | 📄 Report.pdf |
| Aave - Aave on Aptos Core v3.0.2 | MOVE, Aptos, Aave v3 | 📄 Report.pdf |
| Aave - Aave on Aptos Core v3.1-3.3 | MOVE, Aptos, Aave v3 | 📄 Report.pdf |
| Aave - Aave on Aptos Periphery | MOVE, Aptos, Aave v3, Periphery | 📄 Report.pdf |
| Hydration - Hydration Peg Drift Stableswap | Rust, Substrate, Polkadot | 📄 Report.pdf |
| SelfChain - SelfChain Cosmos SDK modules | Golang, Cosmos SDK | 📄 Report.pdf |
| Shogun Bot - Shogun Telegram Bot Application | TypeScript, Telegram, Wallet | 📄 Report.pdf |
| Landslide Network - Slide SDK, AvalancheGo Custom VM | Golang, Cosmos, Avalanche, VM | 📄 Report.pdf |
| THORChain - Validator-scheduled Standard Cosmos Hard Fork | Golang, Cosmos SDK | 📄 Report.pdf |
| Dusa - Dusa AMM | AssemblyScript, AMM, Massa | 📄 Report.pdf |
| HadronLabs - Drop Initia Liquidity Provider | MOVE, MoveVM, CosmosSDK, Initia | 📄 Report.pdf |
| Amulet - Amulet Neutron PoS Stretegy | Rust, CosmWasm | 📄 Report.pdf |
| Archisinal - Archisinal Marketplace | Rust, NFT, Ink!, Polkadot | 📄 Report.pdf |
| Zeitgeist - Zeitgeist Combinatorial Betting and Futarchy | Rust, Substrate, Polkadot | 📄 Report.pdf |
| Jellyverse - Jellyverse Staking, Vesting, Governance, ERC20 | Solidity, ERC20 | 📄 Report.pdf |
| Astroport - Astroport vxASTRO | Rust, CosmWasm | 📄 Report.pdf |
| Manifest - Custom CosmosSDK implementation | Golang, Cosmos SDK | 📄 Report.pdf |
| Manifest - Token Factory Module | Golang, Cosmos SDK | 📄 Report.pdf |
| Manifest - POA Module | Golang, Cosmos SDK | 📄 Report.pdf |
| Manifest - Ledger Chain | Golang, Cosmos SDK | 📄 Report.pdf |
| Glue - EVM SC & L1 Relay chains | Rust, Substrate, Polkadot | 📄 Report.pdf |
| 5ire - Substrate Runtime and Pallets | Rust, Substrate, Polkadot | 📄 Report.pdf |
| Astroport - Astroport Fee Sharing | Rust, CosmWasm | 📄 Report.pdf |
| Layer Zero - Layer Zero V2 | Solana, Anchor, Rust | 📄 Report.pdf |
| Mysten Labs - Sui - Adapter & Verifier | MOVE, L1, Sui | 📄 Report.pdf |
| Volo Sui - VOLO Liquid Staking | MOVE, Sui | 📄 Report.pdf |
| Satay Finance - Satay Aptos | MOVE, Aptos | 📄 Report.pdf |
| Bifrost - Laverage Staking | Rust, Substrate | 📄 Report.pdf |
| Starlay Finance - Starlay Protocol WASM | Rust, ink! | 📄 Report.pdf |
| Ociswap - Scrypto AVL Tree Implementation | Rust, Scrypto, AVL Tree, Radix DLT | 📄 Report.pdf |
| Ociswap - Scrypto Math | Rust, Scrypto, Radix DLT | 📄 Report.pdf |
| Ociswap - Scrypto Precision Pool | Rust, Scrypto, Radix DLT | 📄 Report.pdf |
| Ociswap - Scrypto Flex Pool | Rust, Scrypto, Radix DLT | 📄 Report.pdf |
| Ociswap - Scrypto Oracle | Rust, Scrypto, Radix DLT | 📄 Report.pdf |
| Hyperlane - cw-hyperlane | Rust, CosmWasm | 📄 Report.pdf |
| Asteroid - Asteroid Bridge | CFT-20, Rust, CosmWasm | 📄 Report.pdf |
| Dexlyn - Hyperlane on Aptos | Supra, MOVE, Bridge | 📄 Report.pdf |
| Zesh AI Layer - SUI coin | Sui, MOVE | 📄 Report.pdf |
| SUI Agents - SUI coin & ERC20 | Sui, Ethereum, MOVE, Solidity, ERC20 | 📄 Report.pdf |
| Astroport - Tokenfactory LP Tokens | Rust, CosmWasm | 📄 Report.pdf |
| Stader Labs - SD Token Staking | Rust, CosmWasm | 📄 Report.pdf |
| Astroport Concentrated Liq Pool - Injective Orderbook Integration | Rust, CosmWasm | 📄 Report.pdf |
| Astroport - Astral Assembly contracts | Rust, CosmWasm | 📄 Report.pdf |
| Astroport - Concentrated Liquidity Pool | Rust, CosmWasm | 📄 Report.pdf |
| Astroport - Astroport on Osmosis | Rust, CosmWasm | 📄 Report.pdf |
| Brokkr Protocol - Delta Neutral | Rust, CosmWasm | 📄 Report.pdf |
| Brokkr Protocol - Long Term Bonding | Rust, CosmWasm | 📄 Report.pdf |
| Gable Finance - Gable Liquidity Market, Staking | Rust, Scrypto, Radix DLT | 📄 Report.pdf |
| Osmosis Labs - Osmosis Transmuter | Rust, CosmWasm | 📄 Report.pdf |
| Stargaze - Reserve Auctions | Rust, CosmWasm | 📄 Report.pdf |
| Stargaze - Infinity Pool | Rust, CosmWasm | 📄 Report.pdf |
| Calculated Finance - Contracts | Rust, CosmWasm | 📄 Report.pdf |
| Hadron Labs - Lido Satellite | Rust, CosmWasm | 📄 Report.pdf |
| Snowfork - SSZ serialization library - Rust | Rust, library | 📄 Report.pdf |
| Membrane - Contracts | Rust, CosmWasm | 📄 Report.pdf |
| Coinhall - Genie | Rust, CosmWasm | 📄 Report.pdf |
| Snowbridge - Ethereum <=> Polkadot bridge | Rust, Solidity, Polkadot, Ethereum | 📄 Report.pdf |
| Snowbridge - Extension, Ethereum <=> Polkadot bridge | Rust, Solidity, Polkadot, Ethereum | 📄 Report.pdf |
| Snowbridge - Updates, Ethereum <=> Polkadot bridge | Rust, Solidity, Polkadot, Ethereum | 📄 Report.pdf |
| Snowbridge - Updates 2, Ethereum <=> Polkadot bridge | Rust, Solidity, Polkadot, Ethereum | 📄 Report.pdf |
| Snowbridge - Updates 3, Ethereum <=> Polkadot bridge | Rust, Solidity, Polkadot, Ethereum | 📄 Report.pdf |
| Snowbridge - Updates 4, Ethereum <=> Polkadot bridge | Rust, Solidity, Polkadot, Ethereum | 📄 Report.pdf |
| Ixo World - IXO Swap | Rust, CosmWasm | 📄 Report.pdf |
| Ninja Blaze - Ninja Blaze Double | Rust, CosmWasm | 📄 Report.pdf |
| Osmosis Labs - Osmosis Transmuter v3 | Rust, CosmWasm | 📄 Report.pdf |
| Astroport - Astroport Hub Neutron Migration | Rust, CosmWasm | 📄 Report.pdf |
| Yieldmos - Outpost Osmosis | Rust, CosmWasm | 📄 Report.pdf |
Certificates
- Offensive Security Certified Expert (OSCE) - Offensive Security OSCE proof
- Offensive Security Certified Professional (OSCP) - Offensive Security OSCP proof
- Lead ISO27001 Auditor - Information Security Management Systems (ISMS) Auditor/Lead Auditor (BS ISO/IEC 27001:2013)
0 day vulnerabilities found which were assigned CVE numbers - mostly web applications
- CVE-2019-10070 - Apache Atlas, Stored Cross Site Scripting
- CVE-2020-6856 - JOC Cockpit, Jobscheduler, XML External Entity
- CVE-2020-6854 - JOC Cockpit, Jobscheduler, Multiple Stored Cross Site Scripting
- CVE-2020-6855 - JOC Cockpit, Jobscheduler, Denial of Service
- CVE-2021-3584 - Foreman, Authenticated Remote Code Execution via Sendmail configuration