A single edge case is the whole risk
DeFi doesn't grade on a curve. A contract either holds with real money at stake, or it doesn't — and the gap between "compiles" and "survives" is where protocols get drained.
One bug drains the protocol
Reentrancy, a stale oracle, a rounding edge — any one can empty a vault in a single block. A review costs a fraction of the exploit it prevents.
Vyper expertise is scarce
The Curve ecosystem runs on Vyper, but few engineers specialize in it. Generalists default to Solidity and miss what the language — and the ecosystem — actually require.
Fixing beats the post-mortem
Catching an invariant break before mainnet is a code change. Catching it after is a war room, a disclosure, and lost trust. Prevent the exploit, don't survive it.
Five ways I help teams ship safer DeFi
Productized engagements — fixed scope, fixed price, settled in USDC. You work directly with the engineer who writes the code: no account managers, no offshore handoff.
Smart Contract Development
From spec to deployed, fuzz-tested contracts — Vyper 0.4 or Solidity, architected to pass audit the first time.
- Architecture doc + threat model
- Production contracts
- Stateful fuzz + fork suite
- Testnet deploy + handoff
Audit-ready · Stateful fuzzing on every build.
Security Reviews & Audits
An adversarial, invariant-first review before your code meets mainnet — or an attacker.
- Line-by-line review
- Invariant / property analysis
- Severity-ranked report
- Fix-verification round
MEV / oracle / reentrancy focus · active on Cantina & HackenProof.
DeFi Protocol Architecture
Designing how the pieces fit — stablecoins, vaults, DEXs, governance, and the routers between them — so the system is secure by composition, not by hope.
- System + economic / security model
- Composition & integration design
- MEV / oracle hardening plan
- Implementation roadmap
Proven on the TARE flywheel — four contracts, zero keys to the money.
Integrations & Hardening
Plug into the money-legos correctly — Aave, Uniswap, Curve, Chainlink — and harden against the failure modes that drain protocols.
- Integration adapters
- Oracle / TWAP setup
- MEV / sandwich resistance
- Reentrancy / CEI verification
SnekSentry, Coil, Chainlink VRF — live on testnet.
Visual Codebase Audit & Mapping
I run your Vyper/Solidity repo through my Graphify pipeline and deliver an interactive architecture map + a composition-risk report — god nodes, cyclic imports, decimal/oracle coupling risks. A map your investors and LPs can read in 10 seconds, and your new devs can onboard from in an afternoon.
- Interactive graph.html of your contracts
- GRAPH_REPORT.md — god nodes, cycles, risks
- Composition / decimal / oracle coupling flags
- 30-min recorded walkthrough
See it on my own stack — the four-protocol flywheel, mapped live.
FLYWHEEL 2.0 — closing the reinvestment loop
Four Vyper contracts composed into a single self-reinforcing DeFi loop. Every arrow is a permissionless router that moves only value the protocol has already released or earned — no admin reaches through. Live on Sepolia testnet · fuzzed & self-reviewed · not audited.
- Coil DEX → fees: trades on the intent DEX accrue protocol fees
- → 3-way split (CoilFeeRouter): keep_bps → Keep, gauge_bps → veForge, rest → TARE surplus
- → Surplus → Keep + sTARE (SurplusSplitter): ≤30% emission to Keep vault, rest → sTARE savers
- → Gauges steer Keep (GaugeWeightRouter, R1): veForge votes steer Keep's capital allocation
- → Keep → CoilMakerStrategy (CoilMaker, C): primary market maker — deeper books, more volume, more fees
“No vote, keeper, admin, or caller may move a solvent user's collateral, mint on a bad price, or alter live debt. Routers only move value already released or earned — the flywheel turns on earned fees, not printed tokens.”
Keep became the ecosystem revenue accumulator. Instead of generic lending, Keep now generates proprietary yield from Coil's trading spread and fee discounts. veForge votes now have real consequences — gauge weights steer Keep's capital to CoilMakerStrategy, and TARE's surplus feeds directly back into Coil market-making. Four protocols, one closed loop.
Sepolia testnet · fuzzed · self-reviewed · not audited. Gauge weights activate at the weekly epoch boundary (Thu 00:00 UTC). CoilFeeRouter 3-way split and CoilMakerStrategy priority are FLYWHEEL 2.0 additions.
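As an added example (not the project's or the author's code), here is a Python model of the fee path just described: a CoilFeeRouter-style three-way bps split, a SurplusSplitter-style split with the ≤30% Keep cap, and a seeded random check that stands in for the Hypothesis stateful machines the page mentions. The exact arithmetic, the function names and the `split_fees_naive` variant are constructed assumptions; the naive variant exists only to show the rounding edge the invariant catches.

```python
import random

BPS = 10_000            # basis-point denominator
KEEP_CAP_BPS = 3_000    # the "<=30% emission to Keep vault" cap from the page

def split_fees(fee: int, keep_bps: int, gauge_bps: int) -> dict:
    """CoilFeeRouter-style 3-way split (constructed model, not the project's code).
    Both bps legs floor; the remainder leg absorbs the dust, so legs sum to fee."""
    assert 0 <= keep_bps and 0 <= gauge_bps and keep_bps + gauge_bps <= BPS
    keep = fee * keep_bps // BPS
    gauge = fee * gauge_bps // BPS
    return {"keep": keep, "veforge": gauge, "surplus": fee - keep - gauge}

def split_fees_naive(fee: int, keep_bps: int, gauge_bps: int) -> dict:
    """Same split, but every leg is floored independently: the rounding edge."""
    keep = fee * keep_bps // BPS
    gauge = fee * gauge_bps // BPS
    surplus = fee * (BPS - keep_bps - gauge_bps) // BPS   # dust is silently lost
    return {"keep": keep, "veforge": gauge, "surplus": surplus}

def split_surplus(surplus: int, keep_share_bps: int) -> dict:
    """SurplusSplitter-style split, enforcing the <=30% cap on Keep's share."""
    keep = surplus * min(keep_share_bps, KEEP_CAP_BPS) // BPS
    return {"keep": keep, "stare": surplus - keep}

def holds_invariants(splitter, fee, keep_bps, gauge_bps, keep_share_bps) -> bool:
    legs = splitter(fee, keep_bps, gauge_bps)
    if sum(legs.values()) != fee or min(legs.values()) < 0:   # value conserved
        return False
    s = split_surplus(legs["surplus"], keep_share_bps)
    if s["keep"] + s["stare"] != legs["surplus"] or s["stare"] < 0:
        return False
    return s["keep"] * BPS <= legs["surplus"] * KEEP_CAP_BPS  # Keep never > 30%

def fuzz(splitter, cases: int = 10_000, seed: int = 0):
    """Seeded random stand-in for a Hypothesis stateful machine. Returns the
    first counterexample as a tuple, or None when every case holds."""
    rng = random.Random(seed)
    for _ in range(cases):
        fee = rng.choice([0, 1, 2, 999, 10**18, rng.randrange(10**24)])
        keep_bps = rng.randrange(BPS + 1)
        gauge_bps = rng.randrange(BPS + 1 - keep_bps)
        share_bps = rng.randrange(BPS + 1)
        if not holds_invariants(splitter, fee, keep_bps, gauge_bps, share_bps):
            return (fee, keep_bps, gauge_bps, share_bps)
    return None

if __name__ == "__main__":
    print("remainder-leg split:", fuzz(split_fees))    # None: invariants hold
    print("naive split:", fuzz(split_fees_naive))      # a counterexample tuple
```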
Systems built to survive real money
A full Sepolia DeFi stack — composed into a closed-loop flywheel. Each contract is led by the invariant it must survive, not the line count. Full architecture and threat models inside.
Keep as revenue accumulator, CoilMakerStrategy promoted to primary, TARE surplus reinvested into Coil market-making — four protocols turning as one self-funding flywheel
FLYWHEEL 2.0 fixes four gaps in the original Phase 3–4 design: Keep had no yield moat (generic lending → proprietary Coil spread), veForge votes were theater (no yield consequence → gauge weights steer real capital), TARE's peg defense was single-line (Curve pool only → surplus reinvestment loop adds second line), and Coil needed seeded liquidity (no order flow → Keep's CoilMakerStrategy is now primary). The result: a closed profit loop where more volume → more fees → more surplus → deeper liquidity.
CoilFeeRouter 3-way split · Keep → CoilMakerStrategy (primary) · SurplusSplitter ≤30% to Keep · GaugeWeightRouter steers capital · fork-proven on Sepolia
veForge — ve-tokenomics
Curve-style vote-escrow, gauges & bribes rebuilt in Vyper 0.4 — the governance layer that steers emissions without ever touching funds.
SnekSentry — Aave V3 liquidation kit
Inventory-funded executor + off-chain bot that gets Aave's void liquidationCall right, with balance-delta guards that kill sandwich and slippage attacks. No flash loans.
LEVY — bad-debt recovery marketplace
Wraps impaired LlamaLend positions into transferable DebtClaim tokens — a liquid exit for lenders, a par-redemption path for speculators, on a monotonic par-coverage invariant.
NodeJackPot — provably-fair raffle
On-chain elimination raffle with Chainlink VRF 2.5, quadratic ticket pricing, pull-payment payouts, and reentrancy guards.
Tribute — O(1) subscription engine
Replaces one storage slot per subscriber with a single Merkle root — membership for any number of subscribers in 32 bytes, proven on demand.
Solidity → Vyper 0.4 migration
Five OpenZeppelin contracts ported to Vyper 0.4 with a Snekmate module map and pattern catalog — the fast path off Solidity.
Fixed scope. Fixed price. No surprises.
Every engagement is scoped to a fixed price and timeline before any work starts — so you always know what you're getting and what it costs.
Scoping call
We talk through what you're building. Within 24h you get a 1-page Statement of Work — scope, deliverables, fixed price, timeline.
Fixed scope, fixed price
Sign the SOW, 50% to start in USDC. Engagements over $5k can run through escrow — your choice, no extra cost.
Milestone build
I build in the open with daily progress over Telegram / email. You watch invariants and tests go green as we go.
Delivery + support
Code, tests, and report shipped. Final 50% on acceptance. 7 days of post-delivery support included.
One engineer, working in the open
I'm Khomenkov Yuriy (KhomDev) — an independent Vyper and DeFi engineer focused on the Curve ecosystem and protocol security. I don't ship isolated demos; I build composed systems where a stablecoin, ve-governance, a vault, and a DEX reinforce each other through small permissionless routers that move value but never hold a key to it.
My discipline is the same on every repo: write the invariant first, fuzz it hard with Hypothesis stateful machines, prove the risky integrations on a Sepolia / mainnet fork against the real contracts, then review my own work in the open and publish the trace.
Solo is a feature. You work directly with the engineer who writes the code — no account managers, no offshore handoff. Escrow and milestone delivery keep it low-risk.
Invariant-first
One carried rule on every contract — no actor moves a solvent user's funds. The system is built to keep it.
Fuzzed, fork-proven
Hypothesis stateful suites + Sepolia-fork runs against real Coil & real Curve pools.
Open & honest
Self-reviewed in public, on-chain traces published — audit-ready, and clear about what an independent audit still adds.
Verified
Chainlink Developer verification · public Cyfrin profile · active on Cantina & HackenProof.
Verifiable, not anecdotal
Reports filed on live bug-bounty programs — PoC-backed and judged on their merits by independent triage.
Fee-accounting edge in applyFee()
A base-asset quantity (minSize) mixed into quote-unit fee accumulators, understating the per-fill minimum fee for sub-minSize fills. Filed with a Foundry PoC. Independent triage: "a well-researched observation … technically valid."
Outcome: closed Informative — protocol-revenue edge, no user-fund risk / out of bounty scope. Full report on request.
LayerZero batch-atomicity issue
A single reverting claim in _executeClaims aborts the entire inbound LZ batch, forcing endpoint.clear() + manual re-execution of valid co-batched claims. Filed with write-up + PoC. Independent triage: "thorough write-up and PoC."
Outcome: closed Out of scope — UX/operational (no fund loss, no unauthorized access, retryable). Full report on request.
exitToNear panic + XCC overflow
Two findings with passing PoCs covering a potential panic path in the NEAR exit bridge and a cross-contract overflow — submitted through the HackenProof program for the Aurora engine.
Outcome: submitted — verdict pending. Report available on request.
Client testimonials are on the way — engagements run under NDA until clients approve attribution. No quote here is published without a name behind it.
Need an agent for your stack? I'll build one for $299.
Same discipline as the 7-agent suite monitoring my own stack — adapted to yours. Monitoring, alerting, deploy verification, content generation, data extraction — whatever fits a deterministic Python agent with a CLI entry point.
- Python agent with CLI
- Tests (pytest, green)
- Docs (README + inline)
- One round of revisions
- 7-day follow-up support
This is a fixed-scope product — a single deterministic Python agent with CLI and tests. Complex multi-agent systems, production hosting, or ongoing maintenance are scoped separately.
The questions teams ask first
Are you audited?
My own systems are self-reviewed, stateful-fuzzed, and fork-tested on Sepolia, and I build every system audit-ready. I'm not a substitute for an independent audit before mainnet — I make that audit faster and cheaper, and I can coordinate one.
How do payments and escrow work?
Fixed scope, fixed price, settled in USDC (Request Finance or Coinbase Commerce). 50% to start, 50% on delivery. Engagements over $5k can run through a Safe multisig with a neutral signer or Kleros escrow — your choice, no extra cost.
Why Vyper?
Vyper's smaller surface area and explicitness remove whole classes of bugs, and it's the native language of the Curve ecosystem. Few engineers specialize in it — that scarcity is exactly why teams bring me in.
What's your turnaround?
Reviews in days, integrations in 1–2 weeks, full builds in weeks — every engagement is scoped to a fixed timeline before we start. 24h reply on inquiries.
Do you deploy to mainnet, and do you work solo?
Yes to testnet and mainnet deployment with handoff. And yes, solo — you get the engineer, not a sales team. Escrow and milestone delivery keep it low-risk.
Shipping something that can't afford a bug?
Tell me what you're building. You'll have a fixed-scope, fixed-price plan within 24 hours.