
This project focuses on advancing automated security testing of GraphQL APIs through innovative research and tooling. We have developed and released two major research contributions that enhance GraphQL testing capabilities through different approaches.

Research Contributions

Wendigo: Deep Reinforcement Learning for Denial-of-Service Query Discovery in GraphQL

Wendigo is a black-box Deep Reinforcement Learning approach that discovers Denial-of-Service exploitable queries against GraphQL applications. Using only the GraphQL schema, Wendigo can discover queries capable of performing DoS attacks with just two requests per hour, as opposed to the high volume required by traditional attacks.

BenGQL: An Extensible Benchmarking Framework for Automated GraphQL Testing (ASE 2025)

BenGQL is an extensible benchmarking framework containing 23 representative open-source GraphQL server applications. This framework enables rigorous evaluation of automated testing tools across different GraphQL engines and schema complexities.

Ongoing Research

We are currently exploring advanced AI techniques, including Large Language Models, to further enhance GraphQL security testing capabilities. This research aims to develop more sophisticated and context-aware testing approaches.

Collaboration

Interested in collaborating on GraphQL security research? We welcome partnerships with researchers and industry professionals working on API security, automated testing, and AI-driven security tools.
15 Sep 2025
The project aims to develop a fuzzing framework based on LibAFL for multi-process applications. The name is a placeholder and will be revealed after publication.
1 Aug 2025

Eulibra is a sophisticated DeFi strategy framework that won 3rd Place in the EulerSwap Builder Competition. The project tackles the complex challenge of market balancing strategies for uncorrelated asset pairs like WSTETH/USDC through innovative arbitrage and liquidity provision mechanisms.
21 Jul 2025

PolyMirror.AI is a Web3 application that enables paying for AI services using cryptocurrency (POL) through EIP-712 vouchers. The project received Honourable Mention in the “Polygon Track” at the Vibe Coding Hack by Encode.
22 Jun 2025

LibAFLstar is a fast and state-aware protocol fuzzer that addresses the challenges of fuzzing stateful software systems. Unlike stateless approaches, LibAFLstar efficiently explores state models, focuses on interesting states, tracks relevant messages per state, and handles expensive system restarts.
21 Jun 2025

TonAI Stark is an AI-powered DeFi assistant for StarkNet that won 2nd Place in the “Starkware AI x DeFi” Track at the Encode AI London 2025 Hackathon. Think JARVIS meets Web3 - an intelligent assistant that simplifies crypto interactions with clarity, confidence, and a touch of sarcasm.
15 Feb 2025

Flare-FL is a decentralised Federated Learning (FL) framework built on the Flare blockchain, developed for ETHOxford 2025. The project won Pool Prize in the “Flare: Enshrined Data Protocols” Track and Nerdo Awards in the “DeSci World” Track for being the “most likely to disrupt” project.
9 Feb 2025

Proteus is an LLM-powered lending agent for the Aave V3 protocol designed to automate and optimise lending strategies. The project won 1st Place in the RNDM Agent Track at the Encode London 2024 Hackathon.
25 Oct 2024

Leading the project based on the paper “Fuzzing Matter(s): A White Paper for Fuzzing the Matter Protocol”, which aims to perform stateful fuzzing of Matter-enabled devices.
23 Feb 2024

People’s privacy control over the personal data that they generate and consume while they drive modern cars is extremely weak at present. There is historical as well as recent evidence that car brands harvest a variety of personal data from drivers and, arguably, full compliance of their processing with the European General Data Protection Regulation is questionable. PECS revolutionises modern car ecosystems with regard to the processing of personal data. It does so by advancing, tailoring to the specific domain and, ultimately, combining both soft and hard privacy measures. The project raises drivers’ soft privacy through the PECS interface for static and dynamic control of personal data, so that drivers can decide what to share, with whom and when, as well as follow and control the flows of data at service run time by means of multi-sensory media techniques. Hard privacy thrives in the project through a combination of obfuscation techniques including Federated Analytics, Secure Multi Party Computation and Pseudonymisation, so that drivers are enabled to keep their personal data opaque to anyone from the outset. All developments proceed from the established academic laboratories of UNICT-UNIMORE, then are demonstrated in the operational environment of MASA-UNIMORE, reaching TRL7. The PECS results stem from open-source, open-Internet approaches, hence bear huge technical, societal and industrial impacts, bringing Europe to the forefront of data protection, at least in the automotive domain. PECS also brings forward a whole new range of business opportunities such as various forms of software support for its technologies, and of renewed car services leveraging privacy-by-design-by-default. Finally, PECS provides the necessary grounds favouring the inception of a new breed of services that would be naturally rooted in drivers’ sensitive data such as sexual, religious and political orientations, e.g. apps for dating, praying and debate on political topics.
20 Jan 2024