Vahe Karapetyan (kemmio) - Security Council March 2026

Arbitrum Security Council — March 2026

Vahe Karapetyan (kemmio), Co-Founder and CTO of Hexens

1. About Me

I’m Vahe Karapetyan (kemmio), Co-Founder and CTO of Hexens. Since the start of my career in cybersecurity over 15 years ago, I’ve won dozens of international security competitions (CTFs), discovered critical vulnerabilities in widely used software and critical systems, built security tooling used in live incident response, and helped protect the largest protocols in Web3.

Hexens, after 5 years of operation and hundreds of security reviews, still holds a perfect track record of post-audit hacks.

My candidacy is grounded in deep technical expertise, real war room experience, and a track record of protecting critical infrastructure at scale.

2. Technical Credentials & Security Expertise

Incident Response & War Room Experience

The Arbitrum Security Council’s core function is emergency response. Due to the nature of our tools (and not only that), I also have direct, hands-on experience in some of the biggest cases, such as:

  • Thirdweb hack: Cooperated with chains and used Glider to determine the blast radius and help identify all affected projects

  • Balancer hack: Scanned all integrated chains (using the same tools) to identify affected contracts and proactively notified projects before they were exploited within 15 minutes after the hack became public.

  • Solidity bug case: Again, Glider was used to search for affected projects, allowing us to proactively notify them before they were exploited (more in the section below).

Blockchain & EVM Security Expertise

My primary areas of expertise are VM and low-level component security, EVM and blockchain internals, zero-knowledge proof auditing, reverse engineering, and vulnerability research.

Highlights include:

  • Discovered a Solidity compiler bug: TSTORE poison - publicly disclosed at hexens.io/research/solidity-compiler-bug-tstore-poison. This is the first reported maximal-severity finding in Solidity since 2016.

  • Built Glider - the scalable vulnerability and data research tool for smart contracts (we also run Ethereum Foundation grant-funded contests for it), which has been used in live incident response scenarios.

  • Pioneered security reviews for novel technologies, defining the methodologies, such as zero-knowledge execution environment security, including the first-ever zkEVM and zkVM audits for Polygon and RISC0.

Relevant Credentials & Affiliations

  • Member of the wider Security Alliance (SEAL) community.

  • Member of the Polygon and Bitcoin security councils

  • Hexens is an approved auditor on the Arbitrum Audit Program

  • Hexens has completed 250+ audits securing $120B+ in on-chain value for clients including EigenLayer, Lido, 1inch, LayerZero, PancakeSwap, and Ava Labs

Competitive Security Background

I am a winner of over 20 international cybersecurity competitions (CTFs), both solo and as a member of the world-renowned team MSLC.

3. Arbitrum & Ecosystem Alignment

Hexens has an established and growing relationship with the Arbitrum ecosystem. We are an approved auditor on the Arbitrum Audit Program and have completed security engagements across Arbitrum-deployed protocols. Joining the Security Council is not a new relationship with Arbitrum - it is a deepening of one already grounded in protecting its builders.

Hexens has audited protocols across Ethereum, Arbitrum, Avalanche, Polygon, BNB Chain, Solana, Filecoin, and more. Our public audit reports are available at: GitHub - Hexens/Smart-Contract-Review-Public-Reports (list of the public smart contract audit reports and security reviews performed by Hexens).

Beyond client work, we are invested in the broader health of on-chain security infrastructure. Our RCTF (ctf.r.xyz) - a Web3-focused CTF that has become the largest in the space by many metrics - is one expression of this. Security culture matters as much as security tooling, and we are building both.

4. Operational Security & Availability

The Security Council must be able to act decisively at any hour. I take this obligation seriously and have structured my approach to it accordingly:

  • Availability: As CTO of an active security firm, I operate on an incident-response mindset by default. Emergency availability is not a new behaviour for me - it is already how Hexens operates

  • Drills and flag day events: I am committed to participating in all security drills and Foundation-organised events

  • Transparency: I will document actions and contribute to post-mortems and transparency reports following any emergency action

5. Independence & Conflict of Interest

Hexens operates as an independent cybersecurity provider. We hold no governance tokens, have no validator or sequencer interests, and carry no financial stake in Arbitrum’s direction beyond our desire for the ecosystem to be secure and credible. Our commercial relationship with Arbitrum is as an approved auditor - a role that aligns directly with the Security Council’s mandate.

Our multi-ecosystem presence (Ethereum, Solana, Arbitrum, Polygon, and others) means we have no single-chain loyalty that could bias our judgement in an emergency. We audit competing protocols. This breadth is a strength: it gives us a wide-angle view of cross-chain attack patterns and vulnerability classes that single-ecosystem actors may miss.

I am not aware of any conflicts of interest that would impair my ability to act in the best interests of the Arbitrum DAO as a Security Council member. If any arise during my tenure, I will disclose them promptly and recuse myself where appropriate.

6. Why Now

Arbitrum is at an inflection point. The Stylus upgrade significantly expands the smart contract execution surface beyond Solidity into Rust and C++, introducing vulnerability classes that most existing council members and auditors have limited exposure to. My background in low-level systems security, VM internals, vulnerability research and reverse engineering is directly relevant to evaluating risks at this layer.

Separately, I have built Glider, a purpose-built tool for real-time smart contract vulnerability scanning that can accelerate blast radius assessment in an emergency scenario. This has already been demonstrated in production during the Thirdweb, Balancer and SOLC bug incidents.

My approval on the Arbitrum Audit Program means this candidacy is part of a broader, longer-term commitment to the ecosystem.

7. Contact & Community Engagement

I welcome questions from delegates - both technical and background. If you want to dig into my approach to a specific vulnerability class, how Glider works in an incident, our methodology at Hexens, or anything else relevant to this role, please reply in this thread or reach out directly.

Telegram - @kemmio

X - @kemmio

Email - v.k@hexens.io
