About

This site is a place where I share my thoughts and discoveries, mostly technology-related, but not limited to.

Work

I work at Trail of Bits where I enjoy solving hard security problems.

Posts

• hxp 39C3 CTF: slop writeup - January 6, 2026
• Hacking Blind Revisited - January 31, 2021

External

• Fuzzing between the lines in popular barcode software (blog.trailofbits.com) - October 31, 2024
• Enhancing trust for SGX enclaves (blog.trailofbits.com) - January 26, 2024

Vulnerability Disclosures

Selected vulnerabilities I found and reported.

• Coder - OIDC authentication allows email with partially matching domain to register
  Details: GHSA-7cc2-r658-7xpf | CVE-2024-27918

• Western Digital G-Technology ArmorLock NVMe SSD - Insecure Key Storage Vulnerability
  Details: WDC-21003 | CVE-2021-28653

Security Reviews

Public security reviews I worked on, please remember this is always a team effort.

• Ruby Central RubyGems.org - December, 2024
• Elixir Protocol - October, 2024
• Discord DAVE Protocol Code Review - September, 2024
• wasmCloud - October, 2023
• Worldcoin - August, 2023
• SimpleX Chat - February, 2023
• OpenVPN 2 - August, 2023
• Prallel Finance - March, 2022
• SpruceID - February, 2022
• DFINITY Consensus - February, 2022
• Soramitsu Polkaswap - August, 2021
• AlephBFT - June, 2021
• MobileCoin Secure Enclave - August, 2020

Other Publications

• Application Security Weekly Podcast #336 - Fuzzing

• Echidna: effective, usable, and fast fuzzing for smart contracts
  Gustavo Grieco, Will Song, Artur Cygan, Josselin Feist, Alex Groce
  ISSTA 2020: Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis

• Paged Out! #2
  Page 17 - “Ad-hoc workspaces with nix-shell” - https://pagedout.institute

Connect

Places on the Internet where you can find me:

• Twitter: arturcygan
• GitHub: arcz