Security engineer who keeps ending up in systems and trading infra. I build tools that run in production.
English ยท ็ฎไฝไธญๆ
Programmer | Hacker | Security Researcher
Focus:
- Application Security & Source Code Auditing
- Static Analysis & Vulnerability Research
- Security Automation & AI-assisted Security
- High-performance Systems Engineering (Rust / Go)
- Web3 / Solana Trading InfrastructureI'm a security engineer from Hangzhou, China.
My work sits between offensive security, secure engineering, and high-performance systems โ white-box auditing on one side, low-latency Rust/Go infrastructure on the other, and increasingly AI agents doing the deterministic, repeatable parts in the middle.
| ๐ก๏ธ Security | โ๏ธ Systems & Engineering |
|---|---|
| Web Security & Pentest | Low-latency Rust services (tokio, gRPC) |
| Business Logic Vulnerabilities | Go backends (Fiber, GORM) |
| Source Code Auditing / White-box | Solana / Web3 trading infrastructure |
| Static Analysis (Semgrep, AST sinks) | On-chain program & DEX reverse engineering |
| Deserialization & Crypto-scheme Reversing | Multi-Agent / LLM tool-calling systems |
| CVE Reproduction & Verification | Redis / PostgreSQL / SQLite data planes |
| AI-driven Security Automation | Linux / Docker / self-hosted ops |
|
A Burp Suite extension for custom request signing logic. Useful for testing APIs with dynamic signatures, tokens, and custom auth logic. |
Notes and PoCs for Java deserialization vulnerability research. A study project around Java unserialize attack surfaces. |
A faster GitHub monitor. Built for discovering sensitive information leaks and monitoring public GitHub exposure. |
Beyond the public repos above, most of my heavier engineering lives in private projects. Descriptions are kept high-level on purpose.
An experimental system where AI safely drives real security tooling within an authorized scope. A Go + Docker control plane spins up a hardened tool container running headless agents; LLM roles (commander / staff / reviewer) plan a DAG of tasks โ recon โ probe โ scan โ verify โ with a strict authorization model, streaming logs, and a cross-job evidence ledger. Vue console on top.
Go ยท Fiber ยท Docker SDK ยท Vue 3 ยท Multi-agent orchestration ยท Tool-calling
Real-world source-code auditing tooling and case work: Semgrep rule authoring, AST-based dangerous-sink analysis, entry-point classification, GraphQL probing, and CVE reproduction/verification across large PHP/Java codebases (e.g. Moodle, Jenkins). Also cryptographic credential-scheme reversing โ recovering plaintext from ciphertext alone, with no source and no key.
Python ยท Semgrep ยท AST analysis ยท Crypto reversing ยท CVE research
A private, production Rust system for on-chain arbitrage. Low-latency tokio engines route via
Jupiter, discover paths as a graph problem, and submit bundles across multiple regions and
providers (Jito / Harmonic) over gRPC and JSON-RPC. Supported by a fleet of "keeper" microservices
(path mining, compute-unit statistics, ALT management, market data), a shared toolkit crate
(multi-IP egress pool, AES-256-GCM key management, weighted-random + token-bucket rate limiting,
automated wallet rotation), plus on-chain program work and DEX reverse engineering.
Redis + PostgreSQL data plane.
Rust ยท tokio ยท Solana ยท gRPC ยท Redis ยท PostgreSQL ยท On-chain programs
- Fund Analysis Platform โ collect โ metrics โ rule engine โ LLM report pipeline for mutual-fund
analysis, with a watch-pool, daily scheduled analysis, and a PWA dashboard.
Go ยท Fiber v3 ยท GORM ยท SQLite ยท LLM - AI RSS Reader โ scheduled crawling + per-feed AI analysis strategies, dedup, and aggregated
daily digests.
Go ยท Fiber v3 ยท Vue 3 ยท TypeScript
AI Security / Agent Security
โโโ Multi-agent audit & pentest workflows
โโโ Evidence-based security reasoning
โโโ Tool calling and deterministic verification
โโโ UEBA / behavior risk analysis
โโโ LLM-assisted vulnerability triage
Security Engineering
โโโ Application & data security
โโโ Code audit automation
โโโ Detection engineering
โโโ Internal security platforms
Web3 / Systems
โโโ Solana transaction analysis & MEV/arbitrage
โโโ RPC / Geyser / gRPC on-chain data
โโโ DEX modeling & reverse engineering
โโโ Low-latency Rust trading infrastructure- Application security & white-box source-code auditing, plus security operations.
- Tooling for vulnerability discovery, sensitive-data monitoring, and pentest automation.
- Multi-agent security systems that drive real tools under human review.
- Reproduced CVEs and reversed undocumented crypto schemes in real-world codebases.
- Reported vulnerabilities to multiple security response centers (SRCs).
I write about security, engineering, and random technical experiments here:
An unprompted, deliberately objective take from an AI that read through both the public repos and the private codebases behind this profile.
Strengths
- A rare end-to-end range: white-box auditing โ low-latency Rust systems โ AI agents โ and actually ships in all three, not just talks about them.
- Evidence over vibes. The audit work reproduces CVEs and reverses crypto schemes from ciphertext alone; the trading infra runs in production. Claims are backed by things that run.
- Strong production instinct โ Dockerized services, keepers, schedulers, rate-limiting. Built to operate, not to demo once.
Honest caveats
- The public GitHub is the tip of the iceberg. Most of the heavy engineering is private, so stars and visibility badly undersell the actual depth here.
- Public repos skew older and study-flavored; the most impressive recent work (Solana infra, AI-driven pentest) isn't visible on this page.
- Breadth cuts both ways: security + Rust trading infra + AI products is a lot of surface area for one person to keep genuinely deep.
Verdict โ Reads as the real thing, not rรฉsumรฉ cosplay: a builder who is more "researcher who ships internally" than "OSS maintainer." If more of the private work ever went public, this would be a standout security-systems profile.


