Prameya.
web2 pentester. web3 auditor. exploit both.
Security researcher breaking web apps and auditing smart contracts. Pentester by day, competitive auditor by night — hunting bugs across the full stack.
01. About Me
Hey! I'm Prameya — a security researcher operating across both web2 and web3. My background is in application pentesting, covering web, iOS and Android assessments.
More recently I've gone deep into the smart contract auditing world — competing on CodeHawks, Code4rena, and Cantina. I hunt logic bugs in state machines, async L1 patterns, and cross-contract flows.
My audit approach is simple: understand the codebase deeper than anyone else — read every assumption, trace every state transition, and take nothing at face value.
A few things I work with:
- Burp Suite Pro
- Solidity
- Foundry
- Web App Pentesting
- Smart Contract Auditing
- iOS & APK Testing
02. Experience
- Lead Consultant across multiple simultaneous enterprise engagements, owning end-to-end delivery including scoping, execution, and executive-level reporting.
- Reported 1,000+ Early Notifications (ENs) of Critical/High severity findings across the client portfolio; designated specialist on low-yield engagements to surface vulnerabilities where others found none.
- Led all Production Security assessments across client accounts, ensuring continuous security posture coverage for critical infrastructure.
- Level-1 Reviewer for all trackers and pentest reports across the team, maintaining delivery quality and consistency.
- Delivered impact-focused grey-box penetration tests specializing in web application and API security, consistently uncovering Critical and High severity vulnerabilities across enterprise client environments.
- Engineered internal automation tooling and conducted R&D to streamline the grey-box web application testing workflow, reducing manual overhead for the offensive security team.
- Expanded assessment coverage to iOS and Android mobile platforms, broadening the team's cross-platform offensive testing capability.
- Conducted grey-box penetration tests across web applications, REST APIs, Android/iOS mobile apps, and thick client applications for multiple enterprise clients.
- Developed hands-on proficiency across the full offensive assessment lifecycle — from threat modelling and attack surface enumeration through to exploitation and remediation reporting.
- Top 10 finish — SNARKling First Flight (CodeHawks, 2026) · 8/10 valid findings, 6 unique high-impact vulnerabilities.
- Independent security review of AggLayer Vault Bridge (Cantina) — 2 High, 3 Medium, 5 Low findings across 3,039 lines; focus areas: proxy security, oracle manipulation, cross-chain settlement.
- CodeHawks First Flights Rank #310 (XP: 866). PoC development with Foundry.
03. Work
Independent security assessment of Reserve Governor — a hybrid optimistic/pessimistic governance system on OpenZeppelin Governor v5. 2,742 lines across 9 contracts. Identified 1 High (governance DoS), 1 Medium, 7 Low, 3 Informational findings. Co-audited with MuscleFreak92 on Cantina.
Independent security assessment of Polygon's AggLayer Vault Bridge — a yield-bearing cross-chain bridge (USDC, USDT, WBTC, ETH). 3,039 lines reviewed across 7 contracts. Identified 2 High, 3 Medium, 5 Low, 3 Informational findings including proxy takeover via unprotected reinitialize, unlimited approval grants, and permanently broken cross-chain redemption.
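The "proxy takeover via unprotected reinitialize" class named above, as an added generic illustration in Solidity. This is not the audited Vault Bridge code and makes no claim about its internals: the `Versioned` base is a hand-rolled stand-in for OpenZeppelin's `Initializable`, the two vault contracts are assumed to sit behind a proxy (here they are called directly for brevity, but the storage shape is what matters), and the Foundry test assumes a project that ships `forge-std`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Minimal stand-in for OpenZeppelin's Initializable: one storage slot that
// records the highest initializer version already run.
abstract contract Versioned {
    uint64 private _initialized;

    error AlreadyInitialized(uint64 version);

    modifier reinitializer(uint64 version) {
        if (_initialized >= version) revert AlreadyInitialized(version);
        _initialized = version;
        _;
    }
}

// Vulnerable: a new implementation adds version 2, but the function that
// bumps it is callable by anyone. Whoever calls it first on the proxy
// becomes owner.
contract VaultVulnerable is Versioned {
    address public owner;

    function initialize(address admin) external reinitializer(1) {
        owner = admin;
    }

    function reinitialize(address newAdmin) external reinitializer(2) {
        owner = newAdmin; // no access control
    }
}

// Hardened: the version bump is gated on the current owner, so only the
// existing admin can drive the migration.
contract VaultHardened is Versioned {
    address public owner;

    error NotOwner();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function initialize(address admin) external reinitializer(1) {
        owner = admin;
    }

    // onlyOwner runs before the version check, so an outsider is rejected
    // without consuming the version slot.
    function reinitialize(address newAdmin) external onlyOwner reinitializer(2) {
        owner = newAdmin;
    }
}

// Foundry PoC: `forge test -vv` inside a project that ships forge-std.
contract ReinitializeTest is Test {
    address admin = makeAddr("admin");
    address attacker = makeAddr("attacker");

    function test_attackerTakesOverVulnerable() public {
        VaultVulnerable v = new VaultVulnerable();
        v.initialize(admin);

        vm.prank(attacker);
        v.reinitialize(attacker);

        assertEq(v.owner(), attacker); // takeover succeeds
    }

    function test_hardenedRejectsAttacker() public {
        VaultHardened v = new VaultHardened();
        v.initialize(admin);

        vm.prank(attacker);
        vm.expectRevert(VaultHardened.NotOwner.selector);
        v.reinitialize(attacker);

        assertEq(v.owner(), admin); // admin retained
    }
}
```

The check to carry into any upgrade review: every function carrying a `reinitializer(n)` modifier (or an `initializer` on a fresh implementation) needs the same access control as the admin functions it rewrites, and the proxy's current `_initialized` value should be read on-chain before the upgrade is scheduled.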
Smart contract & ZK circuit audit on CodeHawks First Flight — ranked 8th. ~220 NSLOC across Solidity contract, Noir ZK circuit, and deploy script. Independently identified 2 High findings allowing complete drain of the 100 ETH prize pool via proof replay and exposed secrets.
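The proof-replay class named above, as an added generic illustration in Solidity. It is not the audited First Flight code: the `IVerifier` interface is an assumption modelled on the shape of the verifiers Noir's toolchain generates (proof bytes plus an array of public inputs), and the layout of the public inputs (nullifier at index 0, recipient at index 1) is a convention chosen for this example. The recipient check goes slightly beyond replay and addresses the related front-running case where an observer resubmits a valid proof from their own address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed verifier interface (not from the audited project): a view call
// over the serialized proof and the circuit's public inputs.
interface IVerifier {
    function verify(bytes calldata proof, bytes32[] calldata publicInputs)
        external view returns (bool);
}

// Vulnerable: a valid proof is checked, but nothing records that it has
// been spent. The same calldata can be resubmitted until the pool is empty.
contract PrizePoolVulnerable {
    IVerifier public immutable verifier;
    uint256 public constant PRIZE = 1 ether;

    constructor(IVerifier v) payable { verifier = v; }

    function claim(bytes calldata proof, bytes32[] calldata publicInputs) external {
        require(verifier.verify(proof, publicInputs), "invalid proof");
        (bool ok, ) = msg.sender.call{value: PRIZE}("");
        require(ok, "transfer failed");
    }
}

// Hardened: the circuit exposes a nullifier (publicInputs[0]) and the
// intended recipient (publicInputs[1]) as public inputs. The contract marks
// the nullifier spent before paying out, and refuses proofs bound to
// another address.
contract PrizePoolHardened {
    IVerifier public immutable verifier;
    uint256 public constant PRIZE = 1 ether;
    mapping(bytes32 => bool) public spent;

    error NullifierSpent(bytes32 nullifier);
    error WrongRecipient();
    error InvalidProof();

    constructor(IVerifier v) payable { verifier = v; }

    function claim(bytes calldata proof, bytes32[] calldata publicInputs) external {
        require(publicInputs.length >= 2, "missing public inputs");
        bytes32 nullifier = publicInputs[0];
        address recipient = address(uint160(uint256(publicInputs[1])));

        if (spent[nullifier]) revert NullifierSpent(nullifier);
        if (recipient != msg.sender) revert WrongRecipient();
        if (!verifier.verify(proof, publicInputs)) revert InvalidProof();

        spent[nullifier] = true; // effects before the external call
        (bool ok, ) = recipient.call{value: PRIZE}("");
        require(ok, "transfer failed");
    }
}
```

The nullifier only helps if the circuit derives it from the secret (so a second proof over the same secret yields the same nullifier) and if the recipient is a constrained public input rather than something the contract reads from `msg.sender` alone; both are circuit-side checks that the Solidity review should confirm rather than assume.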
Black-box and grey-box web app, iOS and Android assessments for enterprise clients. Multiple engagements — reach out if you want to know more.
04. What's Next?
Get In Touch
Whether it's a security engagement, an audit collab, or just a chat about breaking things — my inbox is open.