Bhargava Shastry
Security Engineer at the Ethereum Foundation & Independent Security Researcher
01 — About
About Me
Security Engineer & Researcher
I'm a security engineer at the Ethereum Foundation and an independent security researcher with a deep passion for blockchain technology and smart contract security. My work focuses on identifying vulnerabilities, developing security tools, and contributing to the overall security posture of decentralized systems.
With over 300 commits to the Solidity compiler and contributions to numerous critical projects, I've been at the forefront of blockchain security research. My expertise spans fuzzing, static analysis, protocol security, and vulnerability discovery.
I believe in the power of open-source collaboration and have contributed to projects like Google's OSS-Fuzz, various Ethereum clients, and developed specialized security tools that are used by the broader blockchain community.
Core Expertise
- Smart Contract Security
- Fuzzing & Testing
- Protocol Security
- Static Analysis
- Vulnerability Research
- Open Source Development
By the numbers
- Years of Experience: 8+
- Open Source Projects: 20+
- Security Vulnerabilities Found: 50+
- Community Contributions: 1000+
02 — Research
Security Research
Building tools and techniques to find vulnerabilities before attackers do
Ethereum Protocol Security
2019 - Present
Differential fuzzing and testing tools for validating EIP implementations and consensus-critical code across Ethereum execution layer clients.
- Built differential fuzzers for EIP-7702 (account abstraction) across geth, Nethermind, and Besu
- Developed PrecompileFuzzer for testing EVM precompile implementations targeting the Prague hard fork
- Created EthFuzzNet, an Ethereum network resilience testing framework
- 33 commits to goevmlab for EVM trace analysis and test generation
Compiler Security
2018 - Present
Core contributor to the Solidity compiler's testing infrastructure, with 300+ commits focused on fuzzing and correctness testing.
- 303 commits to the Solidity compiler, primarily in fuzzing and testing
- Built ABI encoder v2 differential fuzzer
- Discovered and reported numerous compiler correctness bugs through structure-aware fuzzing
P2P & Networking Security
2018 - 2022
Security testing of peer-to-peer networking stacks used in Ethereum consensus and execution clients.
- Fuzzed libp2p (Rust implementation) for protocol-level vulnerabilities
- Built mplex-dos stress testing tool for libp2p multiplexing
- Contributed yamux stream multiplexer security patches
- Security research on Prysm (Ethereum consensus client)
Fuzzing Infrastructure
2017 - 2020
Tools and frameworks for automated vulnerability discovery, contributed to Google's OSS-Fuzz and built standalone fuzzing frameworks.
- Built orthrus, a fuzzing framework for managing parallel fuzz campaigns (216 commits)
- 69 commits to Google's OSS-Fuzz continuous fuzzing platform
- Developed custom protocol-buffer based mutation strategies for structure-aware fuzzing
Application Security
2017 - 2021
Fuzzing open-source networking and language runtime software to find and fix memory safety and logic bugs.
- Fuzzed Open vSwitch (16 commits) — found packet parsing vulnerabilities
- Contributed to OVN (16 commits) — virtual network security testing
- Built mruby proto fuzzer using structure-aware fuzzing techniques
- Discovered and reported Boost Filesystem crash bugs
ERC-4337 / Account Abstraction
2023 - 2024
Testing and compliance infrastructure for Ethereum's account abstraction ecosystem.
- Built bundler test executor for ERC-4337 compliance testing
- Contributed to Holesky funding vault smart contract infrastructure
03 — Talks
Talks
Conference presentations and invited talks on fuzzing, compiler security, and vulnerability research
Fuzzing the Solidity Compiler
Fuzzing the Solidity Compiler
Can A Fuzzer Match A Human: Solidity Case Study
Open Discussion on Solidity Fuzzing
Vulnerability Search Problem and Methods
04 — Publications
Publications
Peer-reviewed research in security, fuzzing, and program analysis
Ph.D. — TU Berlin
Follow the White Rabbit: Simplifying Fuzz Testing Using FuzzExMachina
V. Ulitzsch, D. Maier, B. Shastry
Black Hat 2018
Taking Control of SDN-based Cloud Systems via the Data Plane
K. Thimmaraju, B. Shastry, T. Fiebig, F. Hetzelt, J.P. Seifert, A. Feldmann, S. Schmid
Symposium on SDN Research 2018
The vAMP Attack: Taking Control of Cloud Systems via the Unified Packet Parser
K. Thimmaraju, B. Shastry, T. Fiebig, F. Hetzelt, J.P. Seifert, A. Feldmann, S. Schmid
Cloud Computing Security Workshop 2017
Static Program Analysis as a Fuzzing Aid
B. Shastry, M. Leutner, T. Fiebig, K. Thimmaraju, F. Yamaguchi, K. Rieck, S. Schmid, J.P. Seifert, A. Feldmann
RAID 2017
Static exploration of taint-style vulnerabilities found by fuzzing
B. Shastry, F. Maggi, F. Yamaguchi, K. Rieck, J.P. Seifert
USENIX WOOT 2017
Leveraging flawed tutorials for seeding large-scale web vulnerability discovery
T. Unruh, B. Shastry, M. Skoruppa, F. Maggi, K. Rieck, J.P. Seifert, F. Yamaguchi
USENIX WOOT 2017
Towards Vulnerability Discovery Using Staged Program Analysis
B. Shastry, F. Yamaguchi, K. Rieck, J.P. Seifert
DIMVA 2016
A First Look at Firefox OS Security
D. Defreez, B. Shastry, H. Chen, J.P. Seifert
MoST 2014
Fraunhofer Secure IT
Towards Taming Privilege-Escalation Attacks on Android
S. Bugiel, L. Davi, A. Dmitrienko, T. Fischer, A.R. Sadeghi, B. Shastry
NDSS 2012
Practical and lightweight domain isolation on Android
S. Bugiel, L. Davi, A. Dmitrienko, S. Heuser, A.R. Sadeghi, B. Shastry
ACM SPSM 2011