Security Engineer

Move Industries

About The Position

Move Industries is building the People’s Chain, a Move-based Layer 1 blockchain, and a diverse ecosystem that empowers talented builders to create the future of finance, infrastructure, and real-world value on chain. As a core contributor to the Movement Network, we combine deep protocol engineering with open community governance, returning blockchain to its roots by giving financial power, access and opportunity back to the people.

Our Mission

Our mission is to fuel the next generation of secure, expressive, and high-performance blockchain applications through the Move programming language and scalable distributed systems. You will help unlock massive throughput, low latency, and resilience across consensus, data availability, and privacy - the invisible rails that make an open and decentralized future possible.

The Role

We are seeking a Security Engineer to join our core engineering team. This is a hands-on offensive and defensive role. You will audit Move modules and protocol code, build tooling that finds bugs before attackers do, and own the security posture of a production Layer 1. You will work directly with protocol, runtime, and consensus engineers - and with external auditors and the broader Move security community - to make the People’s Chain one of the hardest targets in crypto. This is not a checklist-driven compliance role. This is an adversarial systems engineering role with end-to-end ownership of how the network survives contact with sophisticated, well-funded attackers.

Requirements

  • Track record of finding real vulnerabilities - public audit reports, CVEs, bug bounty wins, original security research, or notable CTF results
  • Strong code-level security skills: you can read a Move module or a Solidity codebase and instinctively spot the dangerous path
  • Deep understanding of at least one smart contract VM (Move, EVM, SVM) and the classes of bugs each enables
  • Comfort writing real code (Move, Solidity, Rust, Python) to build security tooling - not just consume it
  • Strong understanding of: Smart contract vulnerability classes: access control, reentrancy and Move-equivalents, oracle manipulation, MEV, signature replay, arithmetic edge cases, upgrade hazards
  • Strong understanding of: Consensus security and BFT failure modes
  • Strong understanding of: Cryptographic primitives (signatures, hashes, ZK basics) and where they go wrong in practice
  • Strong understanding of: Bridge and cross-chain security
  • Adversarial mindset: you assume the protocol will be attacked by sophisticated, well-funded adversaries on day one
  • Bias toward tooling and automation: find one bug manually, then write the tool that finds the next ten

Nice To Haves

  • Experience auditing or building Move smart contracts (Aptos, Sui, or similar)
  • Experience with formal verification - Move Prover, Certora, K Framework, Coq, Lean, or similar
  • Experience with fuzzing and invariant testing frameworks (Echidna, Foundry, Medusa, libFuzzer, AFL)
  • Prior experience at a top audit firm (Trail of Bits, OpenZeppelin, ChainSecurity, Spearbit, Cantina, Zellic, Sigma Prime) or in-house security at a major L1/L2
  • Familiarity with EVM internals, Solidity, or Rust-based VMs (CosmWasm, Solana programs)
  • Published security research, conference talks, or significant open-source security tooling
  • Experience running or contributing to bug bounty programs at scale (Immunefi, HackerOne, Cantina)
  • Experience with incident response, on-call rotations, and disclosure coordination under pressure

Responsibilities

  • Audit Move modules, protocol code (Solidity, Rust), and consensus/networking layers for vulnerabilities before they ship
  • Design and build security tooling: fuzzers, invariant tests, static analyzers, formal specifications, and runtime monitoring
  • Drive formal verification efforts using the Move Prover; write specifications for critical modules (token, staking, governance, bridge)
  • Threat-model the protocol end-to-end - consensus, execution, data availability, bridges, RPC, validator infrastructure
  • Use AI adequately to scale code review, vulnerability triage, and exploit-pattern detection across the codebase
  • Own the bug bounty program and triage external reports; turn findings into engineering fixes and regression tests
  • Lead security incident response, root cause analysis, post-mortems, and disclosure coordination
  • Partner with engineering teams to shift security left: secure-by-default APIs, code review standards, threat models attached to every design doc
  • Engage with the external security community - auditors, researchers, white-hats - and contribute back to the Move ecosystem
  • Stay ahead of the threat landscape: bridge exploits, MEV, signature malleability, oracle manipulation, governance attacks, validator collusion

Benefits

  • Competitive compensation with meaningful upside