kuprum
LSW@Sherlock | Top-20@Cantina | Specializing on L1/L2/Cross-chain: Cosmos / EVM / IBC | Expertise in testing & formal verification
Programming Languages
Expertise & Skills
Portfolio & Experience
Detailed audit history and technical expertise
Kuprum's Audits
I am kuprum, an experienced Web3 security researcher with main areas of expertise being L1 (EVM & Cosmos SDK chains), cross-chain communication (IBC / Bridges), complex infrastructure projects. Currently an independent security researcher. Previously worked at various companies, including being a Lead auditor in a Web3 security company, also have experience in Web2 security, secirity architectures, testing, and verification.
Like copper (Cuprum in Latin) — probably the most versatile, essential, and reliable metal we have today — I am going to bring a lot for the success and security of your project. In my audits I deliver you the highest quiality work, and also tend to find severe but hard/rare bugs that most others miss. I strive to both understand the broadest context of a project, it's security architecture and assumptions, and to go to the deepest bit level to find where the security assumptions may be violated. Please feel free to browse my portfolio below, and also at audits.sherlock.xyz/watson/kuprum or cantina.xyz/u/kuprum.
To book a solo audit with me send a DM via x/kuprumxyz or t.me/kuprumxyz. You can also engage me for a team audit via Sherlock, the leading security provider, with whom I am closely collaborating.
Audit porfolio
| Begin / Duration | Project | Category | Language / Framework | Provider |
|---|---|---|---|---|
| 2025-05 / 5 weeks | Cosmos EVM audit | Cosmos L1, Cross-chain | Cosmos SDK / EVM / Go / Solidity | Sherlock |
Notable findings
| ||||
| 2025-03 / 2 weeks | Lombard IBC V2 Integration audit | Cosmos L1, Cross-chain, Bitcoin staking | Cosmos SDK / CosmWasm / Go / Rust / Solidity | Sherlock |
| The report is not yet public | ||||
| 2025-02 / 3 weeks | IBC V2 (Eureka) audit | Cross-chain | Cosmos SDK / Go / Solidity | Sherlock |
Notable findings
| ||||
| 2024-12 / 4 weeks | 14th in Story Protocol competition | Cosmos/Geth L1, BFT Consensus | Cosmos SDK / EVM / Go / Solidity | Cantina |
| 2024-10 / 3 weeks | 5th in Omni Network competition | Cosmos/Geth L1, BFT Consensus | Cosmos SDK / EVM / Go / Solidity | Cantina |
| 2024-10 / 1 week | 🥈in Predict.Fun contest | Lending, Prediction market | Solidity | Sherlock |
| 2024-09 / 2 weeks | 🥇in Flayer contest | NFTs, Uniswap V4 | Solidity | Sherlock |
| 2024-08 / 2 weeks | 🥉in Phi competition | Cross-chain, Identity management | Solidity | Code4rena |
| 2024-08 / 0.5 weeks | 4th in Winnables Raffles contest | Cross-chain | Solidity / Chainlink VRF & CCIP | Sherlock |
Notable findings | ||||
| 2024-07 / 2 weeks | 9th in Optimism Superchain competition | L1/L2, Cross-chain, Dispute games | Optimism / Solidity | Code4rena |
| 2024-03 / 0.5 weeks | 🥉 in RadicalxChange contest | Auctions | Solidity | Sherlock |
| 2024-02 / 2 weeks | 🥇 in UniStaker Infrastructure competition (team CodeWasp) | Staking, Governance | Solidity | Code4rena |
Notable findings |
Judging experience
I've had a single judging experience so far, namely judging the Mightly competition at Cantina. It was a challenge in many respects: many findings (1344), many AI-generated submissions, and difficulties of communications with the sponsor, to name a few. I am very proud that together with my fellow judge Jiri123 we've been able to judge it with record-breaking speed, efficiency, and communication transparency. Our judging has attracted numerous praise from fellow SRs, see e.g. this and this posts on X, and also the below screenshots from Discord:
Screenhot 1 (click to show)
Screenhot 2 (click to show)
Formal methods, Web2 security & other relevant experience
Over the course of my pre-Web3 security career I've collected a number of experiences that are very useful in my current work:
- I have done a PhD in formal verification, namely in verification of concurrent programs. I've worked with a number of model checkers, and developed my own, original approach to model checking, as well as a number of model checking tools.
- Why is this relevant: when I look at the code, a kind of a built-in model checker runs in my head. I am constantly asking myself the "what if" and "where/who else" questions, i.e. do what a highly specialized model checker would do, combined with all power of human expertise.
- Besides that I of course understand well both the whole potential, but also all limitations of formal methods: state explosion is not empty words for me; I've been combatting it for a number of years. I can provide you a professional consultation on organizing testing & verification for your project.
- I have worked in Web2 security before:
- Studied cryptography & security
- Developed commercial security software (e.g. a cloud-based firewall)
- Taught an application security course at a university
- Why is this relevant: Security is security no matter whether it's Web2 or Web3. It's the same kind of mindset, the same approaches. I can directly transfer many of my experiences in Web2 security into the Web3 space.
- I have worked as a developer in a number of companies over a number of years; worked mainly with such languages as C++, Haskell, Ocaml, Python, Rust. Also was leading small dev teams over the course of my career.
- Why is this relevant: I know all technicalities of being a developer, know the "bread and butter" of the profession.
- I can speak developer's language: I can communicate seamlessly and effeciently, without there being an SR/developer barrier.