Move Industries is building the People’s Chain, a Move-based Layer 1 blockchain, and a diverse ecosystem that empowers talented builders to create the future of finance, infrastructure, and real-world value on chain. As a core contributor to the Movement Network, we combine deep protocol engineering with open community governance, returning blockchain to its roots by giving financial power, access and opportunity back to the people.
Our mission is to fuel the next generation of secure, expressive, and high-performance blockchain applications through the Move programming language and scalable distributed systems. You will help unlock massive throughput, low latency, and resilience across consensus, data availability, and privacy - the invisible rails that make an open and decentralized future possible.
We are seeking a Security Engineer to join our core engineering team.
This is a hands-on offensive and defensive role. You will audit Move modules and protocol code, build tooling that finds bugs before attackers do, and own the security posture of a production Layer 1. You will work directly with protocol, runtime, and consensus engineers - and with external auditors and the broader Move security community - to make the People’s Chain one of the hardest targets in crypto.
This is not a checklist-driven compliance role. This is an adversarial systems engineering role with end-to-end ownership of how the network survives contact with sophisticated, well-funded attackers.
Audit Move modules, protocol code (Solidity, Rust), and consensus/networking layers for vulnerabilities before they ship
Design and build security tooling: fuzzers, invariant tests, static analyzers, formal specifications, and runtime monitoring
Drive formal verification efforts using the Move Prover; write specifications for critical modules (token, staking, governance, bridge)
Threat-model the protocol end-to-end - consensus, execution, data availability, bridges, RPC, validator infrastructure
Use AI appropriately to scale code review, vulnerability triage, and exploit-pattern detection across the codebase
Own the bug bounty program and triage external reports; turn findings into engineering fixes and regression tests
Lead security incident response, root cause analysis, post-mortems, and disclosure coordination
Partner with engineering teams to shift security left: secure-by-default APIs, code review standards, threat models attached to every design doc
Engage with the external security community - auditors, researchers, white-hats - and contribute back to the Move ecosystem
Stay ahead of the threat landscape: bridge exploits, MEV, signature malleability, oracle manipulation, governance attacks, validator collusion
Track record of finding real vulnerabilities - public audit reports, CVEs, bug bounty wins, original security research, or notable CTF results
Strong code-level security skills: you can read a Move module or a Solidity codebase and instinctively spot the dangerous path
Deep understanding of at least one smart contract VM (Move, EVM, SVM) and the classes of bugs each enables
Comfort writing real code (Move, Solidity, Rust, Python) to build security tooling - not just consume it
Strong understanding of:
Smart contract vulnerability classes: access control, reentrancy and Move-equivalents, oracle manipulation, MEV, signature replay, arithmetic edge cases, upgrade hazards
Consensus security and BFT failure modes
Cryptographic primitives (signatures, hashes, ZK basics) and where they go wrong in practice
Bridge and cross-chain security
Adversarial mindset: you assume the protocol will be attacked by sophisticated, well-funded adversaries on day one
Bias toward tooling and automation: find one bug manually, then write the tool that finds the next ten
Experience auditing or building Move smart contracts (Aptos, Sui, or similar)
Experience with formal verification - Move Prover, Certora, K Framework, Coq, Lean, or similar
Experience with fuzzing and invariant testing frameworks (Echidna, Foundry, Medusa, libFuzzer, AFL)
Prior experience at a top audit firm (Trail of Bits, OpenZeppelin, ChainSecurity, Spearbit, Cantina, Zellic, Sigma Prime) or in-house security at a major L1/L2
Familiarity with EVM internals, Solidity, or Rust-based VMs (CosmWasm, Solana programs)
Published security research, conference talks, or significant open-source security tooling
Experience running or contributing to bug bounty programs at scale (Immunefi, HackerOne, Cantina)
Experience with incident response, on-call rotations, and disclosure coordination under pressure
True ownership of security across a production L1 - protocol, runtime, infrastructure, and ecosystem
Work directly with protocol and runtime engineers - not as a gate, but as a partner
Solve hard problems at the intersection of language design, distributed systems, cryptography, and adversarial engineering
Competitive compensation with meaningful upside
Defend infrastructure that real applications, real users, and real money depend on
Make it live. Then make it better.
Keep It Simple, Stupid (KISS)
Extreme ownership
No silos between “dev” and “security”