Blockchain Security Researcher

The Security Services Team

OpenZeppelin's Security Services team is responsible for the security of the world's leading web3 protocols and top financial institutions building onchain. Our researchers partner with client teams across the full lifecycle of a protocol: working on architecture and design before any code is written, co-creating novel mechanisms and primitives with engineering teams, conducting deep audits of pre-launch codebases, and providing continuous coverage as production systems evolve. Our clients range from emerging projects shipping their first contracts to global financial institutions running production onchain systems at scale.

What you'll be doing

• Review smart contracts for top decentralized applications, blockchain infrastructure and financial institutions before they launch. Find vulnerabilities, prioritize them, and present findings to the client.
• Drive audits independently from start to finish, with AI as your primary collaborator. When useful, partner with another researcher to attack the code together and pressure-test findings.
• Partner with client teams during the design phase of new protocols, analyzing architecture, trust assumptions, and operational constraints before any code is written (Design Reviews, Applied Research engagements).
• Design and help develop smart contracts as part of co-creative engagements with protocol teams, where research, design, specification, and implementation happen together.
• Use AI efficiently throughout the audit process, and build skills, agents, and workflows that compound across the team.
• Conduct open-ended research into cutting-edge blockchain technologies, vulnerability classes, and emerging attack vectors, and contribute findings back to OpenZeppelin's internal knowledge base and to the broader ecosystem.

You have

• Hands-on and practical experience in one or more of the following: software development, cybersecurity, applied mathematics, distributed systems, cryptography, cryptoeconomics or game theory, or DeFi mechanisms.
• Experience designing and developing smart contracts, not only auditing them.
• Strong working knowledge of Solidity and the broader Ethereum / EVM ecosystem (common libraries, frameworks, smart contract patterns).
• Modern AI tooling is central to how you work, not a novelty. You use it daily to expand audit coverage, reason about complex systems, and produce high-quality outputs faster. You evaluate AI-generated code with a critical eye.
• Comfort building and extending your own tooling (skills, agents, prompts, scripts, or full workflows) that the rest of the team can adopt and build on.
• An advanced English level and strong communication skills (oral and written).

Nice to have

• Experience with non-EVM ecosystems and languages, such as Canton, Move (Sui, Aptos), Golang (Cosmos SDK), Cairo (Starknet), Rust-based blockchains (Solana, Stellar), or ZK circuits and cryptography-heavy systems.
• Experience with risk assessment work in the crypto industry (smart contract risk assessment, threat modeling).
• Web2 security expertise (penetration testing, web application security, infrastructure security, or appsec).
• Experience with formal verification, invariant testing, or advanced fuzzing tools (Echidna, Foundry, Halmos, Certora).
• A track record in audit contests (Code4rena, Sherlock, Cantina) or bug bounty platforms (Immunefi, HackerOne).
• Public security research output, such as published findings, blog posts, conference talks, or contributions to open-source security tooling.

Logistics

Our interview process takes place on Google Mee and tends to consist of the following stages:

• Recruiter call (30 minutes)

• Manager interview (60 minutes)

• Technical interview (60 minutes)

• Paid work trial (code review and smart contract development assessment)

• Reference checks

Please let us know if you require any accommodations for the interview process, and we’ll do our best to provide assistance.