~/anukul/experiments · 0% cool · 100% shipped

BLOCKCHAIN
BACKEND
& SECURITY

i’m Anukul Pandey — i ship production protocol infrastructure (indexers, explorers, data APIs) on EVM chains, and i break web apps with permission. 3+ years, 10+ chains, an acknowledged bug-bounty researcher, and everything ends up on a subdomain.

Indore, India · UTC +5:30 · open to remote

3+years shipping protocol infra
10+chains / protocols added
17+bug-bounty programs reported
50+merged open-source PRs

experience

  1. Jan 2023 – Jun 2026

    Reef Chain Blockchain Backend Engineer

    Built and ran indexers, the Reefscan explorer, and data APIs polling in lockstep with the 10-second block time (~8,600 syncs/day, indexed data within ~10s of chain head). Led the EVM migration from Substrate-EVM to PolkaVM — shipped the @reef-chain/evm-util-lib SDK, a Reefswap Uniswap-V2 fork, the Sqwid NFT marketplace, a Blockscout explorer fork, a Rust resolc contract verifier, and node/validator infra. Cut a 3–4 hr release process to ~2 min, and fixed the qix npm supply-chain vuln.

    IndexersBlockscoutPolkaVMTypeScript SDKRustDocker
  2. Apr 2025 – present

    Kokopai Blockchain / Full-Stack (Freelance)

    Built the multi-chain wallet & payments layer for a creator-first AI video + NFT platform: WalletConnect + MetaMask SIWE auth, Reown multi-chain support, chain-aware routing, a canonical blockchain server, and a hot-reload Docker dev stack (Colima, Infisical).

    WalletConnectSIWEReownmulti-chain
  3. Jan 2026 – Feb 2026

    Sixth Sense AI Frontend / Product (Contract)

    Built a cross-platform desktop app with Tauri (Rust) + React + TS for an AI venue product: an AI chat assistant, structured menu CRUD, guest-feedback UX, and crash/performance triage.

    TauriRustReact
  4. Nov 2024 – May 2025

    Darve Full-Stack (Freelance)

    Built the Flutter mobile app for a social challenges & payments platform — passkey auth, chat, challenges, notifications, in-app Stripe payments — plus Rust backend services for auth, Stripe webhooks, and transaction APIs.

    FlutterRustStripepasskeys
  5. Jun 2023 – Jul 2025

    SigNoz Technical Writer (Freelance)

    Authored 50+ merged PRs (docs + sample apps) across 15+ stacks — PHP, Rust, JS/TS, Python, Java, .NET, Go, Elixir, Swift, Kotlin, RN, Next.js, Nginx — covering OpenTelemetry app- and OS-level instrumentation.

    OpenTelemetrydocs15+ stacks
  6. 2021 · 2022 · Indore

    Volvo Eicher & ACOEM Ecotech Engineering Interns

    Replaced paper defect-tracking across 8 assembly zones with a QR-driven web app (zone forms + SMS alerts) and a paperless records app (Flask, PyMongo). Earlier, environmental-monitoring instrumentation + Kaizen process proposals.

    FlaskPyMongoQR + SMS

projects & ventures

not just blockchain — an AI contract auditor, a freelance SaaS, security tooling, client landing pages. every screenshot captured live: pulled from the running site, or cloned & run locally just for this wall.

Droppie — airdrops that land founder
01

Droppie

No-code tool to turn a CSV into a gas-efficient Merkle-proof airdrop on any EVM chain — deployed straight from your wallet, claimable in one click. App + server + Solidity.

Merkle proofsEVMno-code
droppie.notcool.in ↗
GateKeep — pay-per-call API gate live
02

GateKeep

Stripe for AI-agent API calls. Wrap any REST endpoint in a pay-per-call gate — agents pay in USDC over the open x402 protocol, on-chain, no API keys, no humans in the loop.

x402USDCAvalanche
gatekeep.notcool.in ↗
Reefscan explorer live
03

Reefscan Explorer

Blockchain explorer + indexers syncing with the 10s block time (~8,600 syncs/day). CoinGecko-compatible supply APIs, cross-chain supply accounting, 4 exchange/on-ramp integrations.

explorerindexersupply APIs
reefscan.com ↗
AuditShield — AI contract auditor AI
04

AuditShield

An AI-powered smart-contract auditor. Paste a BSC/opBNB address or code — it fetches verified source, analyses 50+ vulnerability patterns, simulates transactions, and publishes audit attestations on-chain.

AIsecurityBNB Chain
bug-hunting research console private
05

Bug-Hunting Console

My private bug-bounty research console — password + WebAuthn security-key gated. Where the recon notes, payloads and findings live before they become disclosures.

WebAuthnsecurityrecon
live (gated) ↗
Tryo — AR makeup try-on live
06

Tryo

Never guess your makeup shade again. Paste any product link — Nykaa, Sephora, Amazon, MAC — and Tryo extracts the true pigment and renders it on your face in real time (468-pt mesh, AI shade-matching).

AR try-onface meshAI
tryo.notcool.in ↗
Volt — freelance business suite SaaS
07

Volt

Your entire freelance business in one place — time tracking, invoicing, expenses & tasks, beautifully designed and seamlessly integrated. Full marketing site + app.

SaaSfreelanceproduct
Deepti Ecostays client
08

Deepti Ecostays

A booking site for a private eco-farmhouse in Madhya Pradesh — “slow mornings under the teak canopy.” Full landing with gallery, surroundings, tariff and one-tap call / WhatsApp.

landingclient workbooking
deeptiecostays.in ↗
Coding Jungle 4.4k+
09

Coding Jungle

Co-founded content brand — your hub for hacking, AI & tech. Bite-sized ethical hacking & cyber-security, plus a blog for the long-form breakdowns. 4,400+ followers across IG, Telegram & more.

contentpentestingcommunity
cj.notcool.in ↗
Reef Name Service grant
10

Reef Name Service

ENS-style on-chain naming — registry, ERC-721 base registrar, commit/reveal controller, public resolver + web app. Reef Community Developer Fund grant recipient.

SolidityERC-721commit/reveal
github ↗
wa-spammer tool
11

wa-spammer

One console line, N WhatsApp messages. A tiny DevTools snippet generator for WhatsApp Web — fill in message, count & delay, copy, paste. Zero install, all client-side.

vanilla JSDevToolszero-install
try it ↗
Security tooling tooling
12

Offensive tooling

Open-source security tools: sqlinjector (SQLi scanner + dork scanner), LFI-Hunter, a dir-buster, a WebRTC deanonymization PoC, and a qix npm supply-chain scanner.

PythonSQLiLFIWebRTC
github ↗

security research

responsible disclosure only. some findings are public, most stay under wraps — here’s what’s on the record.

HackerOne profile — Anukul Pandey (0xanukul)
verified · hackerone.com/0xanukul

A resolved GitHub bug bounty ($500), GitHub Thanks & reputation, hunting since 2022. Screenshot straight from the public profile — click through to verify.

$500 · resolvedbroken access control

GitHub

Surfaced an access-control gap in organisation internal repositories — an external, non-member collaborator could hold hidden push access that didn’t surface in the members list. Reported via HackerOne, triaged & fixed. GitHub Thanks · reputation 22.

hall of fameXSS

Domino’s

Cross-site scripting on a public surface — reported and acknowledged in Domino’s official responsible-disclosure hall of fame.

disclosedweb app

Khalsa College

A web-app vulnerability responsibly reported & documented to the institution — patched after disclosure.

reported across 17+ programs

GitHubDomino’sWalt DisneyAutomattic / Tumblr Linux FoundationPolygonLinkedInVercel Chia NetworkLightsparkDatabricksNew Relic eToroBasecampKradenPanther LabsJudge.me

how i hunt

OWASP Top 10 the manual way — SQLi, LFI, XSS, broken auth, access-control & logic flaws — with Burp Suite plus my own tooling: sqlinjector, LFI-Hunter, a dir-buster, a WebRTC deanonymization PoC and a qix npm supply-chain scanner.

I break it down in public on Coding Jungle, keep open teardown notes in nice-catch, and file everything responsibly — reports first, writeups later.

skills

web3 / protocol

Indexers, explorers, EVM/PolkaVM, contract dev & testing, protocol forking, Substrate/Polkadot, Hardhat, wagmi/ethers, MetaMask, IPFS

languages

TypeScript, JavaScript, Python, Rust, Solidity, C++

backend & devops

Node.js, Flask, Docker, Nginx, CI/CD automation, Linux, Bash, Git, OpenTelemetry

databases

PostgreSQL, MongoDB

frontend / mobile

React, Next.js, Vue, Nuxt, Flutter, Tauri

security

Web app pentesting, vuln research & responsible disclosure, exploit tooling, OWASP Top 10 (SQLi, LFI, XSS, broken auth), Burp Suite

channels

i build in public. security & code, mostly.

no cookies. no popups.
no newsletters. just work.

cool is a cage. this is where i keep the receipts — protocols i forked, apps i shipped, bugs i reported. every experiment gets a subdomain and a burst of hyperfocus.

hand-rolled · html · css · vanilla js · no framework · no tracking · just vibes

achievements

  • 🥇 1st place — Reef India Hackathon (10+ teams, $1,000)
  • 🏆 Winner — Gelato Hackathon
  • 💰 Reef Community Developer Fund grant (Reef Name Service)
  • 🎓 B.Tech E&I, SGSITS Indore — CGPA 8.62/10
  • 🎤 Web3 talks across 4 colleges · GDG Indore workshop