BhargavaShastry

Security Engineer at the Ethereum Foundation & Independent Security Researcher

10+years
20+projects
50+vulnerabilities
1000+contributions

01 — About

About Me

Security Engineer & Researcher

I'm a security engineer at the Ethereum Foundation working on protocol security for the execution layer. My day-to-day is differential fuzzing of Ethereum clients, hard-fork readiness testing, and technical evaluation of submissions to the Ethereum Foundation's bug bounty program.

I came to Ethereum through compiler security — 300+ commits to the Solidity compiler's fuzzing and testing infrastructure — and before that a Ph.D. on fuzzing and static analysis at TU Berlin. That background in oracle-driven testing shapes my client work today: if two independent implementations disagree, at least one of them is wrong.

I work in the open where I can: upstream fixes merged in Erigon, Nethermind, revm, and the executable Ethereum specs, contributions to Google's OSS-Fuzz, and a blog about differential testing — most recently cross-checking post-quantum cryptography implementations against each other.

Core Expertise

  • Differential Fuzzing
  • Ethereum Protocol Security
  • Bug Bounty Triage
  • Vulnerability Research
  • Post-Quantum Cryptography
  • AI-Assisted Security Tooling

By the numbers

Years of Experience
10+
Open Source Projects
20+
Security Vulnerabilities Found
50+
Community Contributions
1000+

Technologies & Tools

GoRustC++PythonSolidityEthereumEVMgoevmlablibFuzzercargo-fuzzAFLFoundryDockerLLM Agents

02 — RESEARCH

Security Research

Building tools and techniques to find vulnerabilities before attackers do

01

Ethereum Protocol Security

2022 - Present
19 private repos

Differential fuzzing and hard-fork readiness testing across Ethereum execution clients — finding consensus divergences before they reach mainnet.

  • Coverage-guided differential fuzzing of state-test execution across geth, Besu, Nethermind, Erigon, and revm, built on goevmlab
  • Hard-fork readiness testing for upcoming upgrades: gas repricing, block-level access lists, and new EIP semantics validated against the executable specs
  • Upstream fixes merged in Erigon, Nethermind, revm, and ethereum/execution-specs
  • Earlier: EIP-7702 differential fuzzers across geth, Nethermind, and Besu; PrecompileFuzzer for the Prague hard fork; EthFuzzNet network-resilience testing
02

Bug Bounty Triage

2026 - Present

Technical evaluator for the Ethereum Foundation bug bounty program: reproducing, assessing, and routing reported vulnerabilities across execution- and consensus-layer clients.

  • Evaluate submissions for consensus, finality, and denial-of-service impact to assign severity
  • Reproduce reported issues and confirm cross-client blast radius with differential test harnesses
  • Built internal tooling that manages the submission-to-triage workflow end to end
03

Post-Quantum Cryptography

2026 - Present

Differential testing of post-quantum standards: cross-checking independent ML-KEM (FIPS 203) and ML-DSA (FIPS 204) implementations against each other.

  • Built a coverage-guided differential fuzzer co-linking mlkem-native, BoringSSL, and libcrux
  • Functional-equivalence and constant-time checks across implementations
  • Published a four-part blog series on the approach and results
04

AI-Assisted Vulnerability Research

2026 - Present

Agentic systems that put LLMs to work on Ethereum client security: deterministic orchestration, auditable logs, and human review at the decision points.

  • Agent frameworks that decompose vulnerability research into context building, harness generation, PoC validation, and triage
  • Autonomous audit pipelines run against Ethereum client codebases in sandboxed environments
  • LLM-assisted severity assessment integrated into the bug bounty triage workflow
PythonGo
05

Compiler Security

2018 - 2022
2 private repos

Core contributor to the Solidity compiler's testing infrastructure, with 300+ commits focused on fuzzing and correctness testing.

  • 303 commits to the Solidity compiler, primarily in fuzzing and testing
  • Built ABI encoder v2 differential fuzzer
  • Discovered and reported numerous compiler correctness bugs through structure-aware fuzzing
C++Solidity
06

P2P & Networking Security

2022 - Present
8 private repos

Security testing of peer-to-peer networking stacks used in Ethereum consensus and execution clients.

  • Security testing of Ethereum wire protocols (eth/6x, snap/1), including upstream sync-protocol fixes merged in Nethermind
  • Fuzzed libp2p (Rust implementation) for protocol-level vulnerabilities
  • Built mplex-dos stress testing tool for libp2p multiplexing
  • Contributed yamux stream multiplexer security patches
  • Security research on Prysm (Ethereum consensus client)
RustGoC++
07

Fuzzing Infrastructure

2017 - 2020
1 private repo

Tools and frameworks for automated vulnerability discovery, contributed to Google's OSS-Fuzz and built standalone fuzzing frameworks.

  • Built orthrus, a fuzzing framework for managing parallel fuzz campaigns (216 commits)
  • 69 commits to Google's OSS-Fuzz continuous fuzzing platform
  • Developed custom protocol-buffer based mutation strategies for structure-aware fuzzing
08

Application Security

2017 - 2021

Fuzzing open-source networking and language runtime software to find and fix memory safety and logic bugs.

  • Fuzzed Open vSwitch (16 commits) — found packet parsing vulnerabilities
  • Contributed to OVN (16 commits) — virtual network security testing
  • Built mruby proto fuzzer using structure-aware fuzzing techniques
  • Discovered and reported Boost Filesystem crash bugs
CC++Ruby
09

ERC-4337 / Account Abstraction

2023 - 2024

Testing and compliance infrastructure for Ethereum's account abstraction ecosystem.

  • Built bundler test executor for ERC-4337 compliance testing
  • Contributed to Holesky funding vault smart contract infrastructure
GoSolidity

03 — Talks

Talks

Conference presentations and invited talks on fuzzing, compiler security, and vulnerability research

Trust No Single Witness: Differential Fuzzing & Bug-Bounty Triage for Ethereum Clients

Berlin Ethereum Day, 2026Berlin

Fuzzing the Solidity Compiler

Devcon 5, 2019Osaka

Fuzzing the Solidity Compiler

EthCC 3, 2020Paris

Fuzzing the Solidity Compiler

FuzzCon EU, 2020Europe

Can A Fuzzer Match A Human: Solidity Case Study

Ethereum Foundation, 2020

Open Discussion on Solidity Fuzzing

Ethereum Meetup, 2019Berlin

Vulnerability Search Problem and Methods

TU Berlin (Invited Talk), 2019Berlin

04 — Publications

Publications

Peer-reviewed research in security, fuzzing, and program analysis

Ph.D. — TU Berlin

Follow the White Rabbit: Simplifying Fuzz Testing Using FuzzExMachina

V. Ulitzsch, D. Maier, B. Shastry

Black Hat 2018

Taking Control of SDN-based Cloud Systems via the Data Plane

K. Thimmaraju, B. Shastry, T. Fiebig, F. Hetzelt, J.P. Seifert, A. Feldmann, S. Schmid

Symposium on SDN Research 2018

Best Paper Award

The vAMP Attack: Taking Control of Cloud Systems via the Unified Packet Parser

K. Thimmaraju, B. Shastry, T. Fiebig, F. Hetzelt, J.P. Seifert, A. Feldmann, S. Schmid

Cloud Computing Security Workshop 2017

Static Program Analysis as a Fuzzing Aid

B. Shastry, M. Leutner, T. Fiebig, K. Thimmaraju, F. Yamaguchi, K. Rieck, S. Schmid, J.P. Seifert, A. Feldmann

RAID 2017

Static exploration of taint-style vulnerabilities found by fuzzing

B. Shastry, F. Maggi, F. Yamaguchi, K. Rieck, J.P. Seifert

USENIX WOOT 2017

Leveraging flawed tutorials for seeding large-scale web vulnerability discovery

T. Unruh, B. Shastry, M. Skoruppa, F. Maggi, K. Rieck, J.P. Seifert, F. Yamaguchi

USENIX WOOT 2017

Towards Vulnerability Discovery Using Staged Program Analysis

B. Shastry, F. Yamaguchi, K. Rieck, J.P. Seifert

DIMVA 2016

A First Look at Firefox OS Security

D. Defreez, B. Shastry, H. Chen, J.P. Seifert

MoST 2014

Fraunhofer Secure IT

Towards Taming Privilege-Escalation Attacks on Android

S. Bugiel, L. Davi, A. Dmitrienko, T. Fischer, A.R. Sadeghi, B. Shastry

NDSS 2012

Practical and lightweight domain isolation on android

S. Bugiel, L. Davi, A. Dmitrienko, S. Heuser, A.R. Sadeghi, B. Shastry

ACM SPSM 2011