Hello! I'm 0xicingdeath. I'm a blockchain security engineer with expertise in smart contract security, invariant development, and comprehensive security reviews. I specialize in helping protocols build robust security foundations through a combination of manual review, automated testing, and strategic guidance.

I am currently open to development opportunities, security review contracts, and engagements through Spearbit. During my four-year tenure at Trail of Bits, I advanced to the role of senior security engineer, where I led a team of two direct reports while conducting manual security reviews, fuzzing, and delivering conference presentations.

My expertise lies in invariant identification, development guidance, and comprehensive testing suite development. This technical foundation, combined with extensive manual review experience, has enabled me to bridge the gap between development and security research effectively. In my security reviews, I proactively assist clients in identifying invariants, which serves as a strategic foundation for manual review. This collaborative approach often leads to deeper codebase analysis and can uncover vulnerabilities during initial codebase discussions.

Core Skills & Expertise

  • Smart Contract Security: Deep understanding of Solidity, EVM internals, and common vulnerability patterns
  • Security Tools & Automation: Expert in fuzzing, static analysis, and custom security tool development
  • Protocol Design: Experience with DeFi protocols, NFT marketplaces, and L2 scaling solutions
  • Technical Leadership: Team management and mentorship experience
  • Public Speaking: Regular conference speaker and educator in blockchain security
  • Research & Development: Published research in blockchain security and tool development

Technical Experience

My extensive experience with smart contracts and Ethereum has given me ample opportunity to understand DeFi protocols, NFT marketplaces, and scaling solutions. While much of my work is not public, I share public knowledge whenever possible. Some of my highlights can be found below:

Security Review Reports

  • DeFi Wonderland - A bridged USDC standard for the OP stack, with a focus on Optimism-related risks
  • Tradable Onchain V2 - Allows lending asset managers to tokenize their strategies for institutional assets
  • Bera Bex - Berachain's native DEX implemented as a fork of Balancer
  • EasyCrypto - An implementation of a USDC-like stablecoin with controlled minting, burning, and pausing operations
  • Scroll L2 Geth Diff Review - A diff review of go-ethereum
  • Myso Finance - A peer-to-peer and peer-to-pool lending protocol
  • Atlendis Loans - A lending protocol supporting bullet loans, coupon bullet loans, installment loans, and revolving credit lines
  • Primitive Portfolio, previously "Hyper" - An automated market maker for custom liquidity distribution strategies
  • LooksRare - An NFT marketplace with buying, selling, and trading orders
  • Primitive RMM - Replicating market maker contracts
  • Advanced Blockchain - A series of Solidity lending projects, Substrate lending, oracle, and call adapter pallets
  • Frax - Permissionless and non-custodial stablecoin
  • Hermez - Zero-knowledge proof in circom and related Solidity implementation to support these proofs
  • wAlgo - A vault implementation of a lending protocol written in Teal
  • ETH2 Deposit CLI - Review of the Python CLI implementation to deposit 32 ETH as a staker

Presentations & Teaching

I'm passionate about sharing knowledge and advancing blockchain security practices through public speaking and education. Here are my key speaking engagements:

Recent Talks

  • Invariant Driven Codebases (2024) - A concise guide on creating invariant-driven codebases. This not only helps streamline your audits, but also helps developers write nicer code.
  • Finding Bugs: 42 Tips from 4 Security Researchers (2024) @ DeFi Security Summit - Advanced techniques for security researchers, focusing on complex testing, fuzzing methodologies, and how to make the most of your time on a security review
  • Finding Bugs: 42 Tips from 4 Security Researchers (2024) @ Devcon - Outlines guidance for developers on writing safer and more concise code, so your security researchers can focus on the real bugs that really impact your system. This talk is suitable both for blockchain and application developers, as well as new security engineers interested in getting into the field.

Educational Content

  • Smart Contract Security: The Beta (2023) - Focuses on integrating security into the development lifecycle, and the importance of a security-first mindset.
  • Professor at George Brown College - Developed and delivered curriculum for smart contract development and security to classes of 45+ students
  • Fuzzing like a security engineer - Hands-on workshop with adjusted client examples, to teach different styles of fuzzing. The talk first walks through how to find invariants, then moves into using these in practice.
  • Demystifying Fuzzing - Presents the basics of how to use Echidna, and how to use it to build safer smart contracts. The talk discusses what code invariants are, how to write them, and how to use Echidna to check these.

Technical Deep Dives

As I used fuzzing in almost all of my engagements that were longer than 2 calendar weeks, I have years of experience with Ethereum-based fuzzers. In doing so, I helped found the "Fuzzing Workshop" streaming series, where we walked through fuzzing from the beginning, into more complicated systems. I ran streams for advanced DeFi invariants part 1 and part 2, which are outlined below. At the time, this was the first advanced fuzzing course of its nature, and it continues to be an important resource for both developers and security reviewers to get started.