The SC Audit Pipeline runs as a 7-layer autonomous smart contract vulnerability discovery system. It uses 20 parallel DeepSeek agents, 22 false-positive suppression rules, 3-phase semantic deduplication, and multi-platform submission automation. The codebase totals 38,178 LOC across 98 Python files (src/ + scripts/ + tests/ + config/), with 669 passing tests at 36.4% coverage.
Layer 1 (Discovery): 6 platform scrapers (Immunefi, Sherlock, C4, CodeHawks, Cantina, Hats), an audit-count filter, and exploit-history scoring. The Immunefi API shows 284 active bounties.
Layer 2 (Static Analysis): Slither/Aderyn integration, Solidity version detection, DeFi protocol identification, and OZ pattern recognition. Each agent receives a context-aware prompt.
Layer 3 (AI Multi-Agent): 20 specialized DeepSeek agents run in parallel via asyncio.gather(): 100 concurrent calls, 1,200 RPM, 5-retry exponential backoff. Cost is $0.07/M input tokens and $0.28/M output tokens.
Layer 4 (Synthesis): 22 FP suppression rules feed a 3-phase semantic dedup (title Jaccard, then code location, then vuln class): 50.5% finding reduction and a 98% combined FP kill rate.
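The 3-phase dedup in miniature, as an added example that is not the pipeline's semantic_dedup module: the phase order (title Jaccard, then code location, then vuln class) is the page's; the 0.6 threshold, 5-line window, field names and the sample findings are assumptions.

```python
"""Added example of the 3-phase semantic dedup (title Jaccard, then code location, then vuln
class). Not the pipeline's semantic_dedup module; thresholds, field names and sample are assumed."""
import re
from typing import Dict, List, Set

Finding = Dict[str, object]  # keys: agent, title, file, line, vuln_class
def _tokens(title: str) -> Set[str]:
    return set(re.findall(r"[a-z0-9_]+", title.lower()))

def title_jaccard(a: str, b: str) -> float:
    """Phase 1: token-set overlap of the two titles."""
    ta, tb = _tokens(a), _tokens(b)
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0

def same_location(a: Finding, b: Finding, window: int = 5) -> bool:
    """Phase 2: same file and within a few source lines of each other."""
    return a["file"] == b["file"] and abs(int(a["line"]) - int(b["line"])) <= window

def same_class(a: Finding, b: Finding) -> bool:
    """Phase 3: same vulnerability class reported against the same file (coarsest net)."""
    return a["vuln_class"] == b["vuln_class"] and a["file"] == b["file"]

def dedup(findings: List[Finding], jaccard_min: float = 0.6) -> List[Finding]:
    """Greedy pass: a finding folds into the first earlier survivor that matches on ANY phase.
    Survivors keep the set of agents that reported them, which feeds later confidence scoring."""
    survivors: List[Finding] = []
    for f in findings:
        for s in survivors:
            if (title_jaccard(str(f["title"]), str(s["title"])) >= jaccard_min
                    or same_location(f, s) or same_class(f, s)):
                s["reporters"].add(f["agent"])
                break
        else:  # no survivor matched: f is a new, distinct finding
            survivors.append({**f, "reporters": {f["agent"]}})
    return survivors

# Constructed sample: three overlapping reports on a made-up protocol, from different agents.
SAMPLE: List[Finding] = [
    {"agent": "oracle_price", "title": "Chainlink price staleness not checked",
     "file": "Oracle.sol", "line": 42, "vuln_class": "oracle_staleness"},
    {"agent": "cross_contract", "title": "Stale Chainlink price not checked",
     "file": "Oracle.sol", "line": 44, "vuln_class": "oracle_staleness"},
    {"agent": "access_control", "title": "rebalance() lacks onlyOwner",
     "file": "Vault.sol", "line": 120, "vuln_class": "access_control"},
    {"agent": "upgrade_proxy", "title": "Missing access control on rebalance",
     "file": "Vault.sol", "line": 121, "vuln_class": "access_control"},
    {"agent": "mev_sandwich", "title": "harvest() uses amountOutMin=0",
     "file": "Strategy.sol", "line": 77, "vuln_class": "slippage"},
]
```

Running `dedup(SAMPLE)` collapses the five reports to three: the oracle pair merges on title Jaccard (4/6), the rebalance pair on code location, and the slippage finding stands alone.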
Layer 5 (PM1 Verification): Claude-guided deep verification of PM2 handoff findings: scope verification, on-chain proof, audit cross-ref. 25% survival rate (75% kill rate). This is the quality gate.
Layer 6 (Submission): Immunefi (manual web form), Sherlock (AppleScript clipboard-assist plus $250 USDC stake), C4 (web form), Cantina (web form), and direct email disclosure.
Layer 7 (Feedback Loop): Verdict tracking, precision benchmarking, FP rule tuning, revenue dashboard. GitHub parsing for Sherlock judgments; wallet monitoring for payouts.
| Layer | Current | Target | Gap |
|---|---|---|---|
| 1. Discovery | 99% | Auto-refresh new bounties weekly | |
| 2. Static Analysis | 100% | · | |
| 3. AI Multi-Agent | 100% | · | |
| 4. Synthesis | 100% | · | |
| 5. PM1 Verification | 85% | Auto on-chain proof, auto audit cross-ref | |
| 6. Submission | 80% | Playwright for Immunefi/Cantina, Synpress for Sherlock | |
| 7. Feedback Loop | 95% | Auto verdict scraping, wallet alerts | |
| Agent setting | Value |
|---|---|
| Max Concurrent Calls | 100 |
| Rate Limit | 1,200 RPM |
| Max Retries | 5 (exp backoff 1s → 15s) |
| Request Timeout | 180s |
| Temperature | 0.1 (deterministic) |
| Max Response Tokens | 8,192 |
| Max Prompt Chars | 120,000 |
| Max Findings/Agent | 50 |
| Max Total Findings | 2,500 |
| Max Files/Batch | 10 (200 total) |
| # | Target | Finding | Severity | Platform | Status | EV (0.3x) |
|---|---|---|---|---|---|---|
| 1 | TermMax | UUPS _disableInitializers missing (7 contracts) | CRITICAL | Immunefi ($50K) | SUBMITTED | $7K–$17.5K |
| 2 | TermMax | OdosV2AdapterV2 output token validation removed | HIGH | Immunefi ($50K) | QUEUED DAY 1 | $1.8K–$6K |
| 3 | Inverse Finance | Curve EMA oracle staleness (6 feeds + WbtcPriceFeed) | MED-HIGH | Immunefi ($100K) | QUEUED DAY 2 | $3K–$9K |
| 4 | MachFi | BandOracle._getLatestPrice() ignores staleness | HIGH | Sherlock #43 | SUBMITTED | $1K–$3.5K |
| 5 | Renegade | AccountIfExists auth pattern bypass | HIGH | C4 Bounty | SUBMITTED | $4K–$7K |
| 6 | USX/Scroll | rebalanceBySwapping() missing access control | HIGH | Email | EMAILED | $2K–$6K |
| 7 | Sentiment V2 | ETH_INDEX=DYDX 15,127x overvaluation | CRITICAL | Direct Disclosure | 8 MSGS SENT | $750–$2K |
| | Total pipeline EV (0.3x discount) | | | | | $19.5K–$51K |
| Target | Finding | Bounty | EV | Blocker |
|---|---|---|---|---|
| Ostium | 6 reinitializer() functions missing access control | $200K | $5K–$20K | Needs on-chain verification plus Immunefi cap |
| CapyFi | Whitelist bypass | $1M | $2K–$10K | Needs audit cross-ref plus Immunefi cap |
| Belong (3 findings) | Signature verification gaps (unsigned amount, replay, no nonce) | $30K comp | $3K–$9K | Immunefi competition format |
B1 · Immunefi submission. No public API. You log in, open the program, fill 7 fields, paste markdown, then submit. Rate limited to 1 submission per 24h on Novice.
Fix · Playwright browser automation. Log in with stored session cookies. Fill dropdowns, paste the markdown body, click submit. No wallet interaction at submission time. ETA 4 to 6 hours to build.
B2 · Sherlock submission. AppleScript clipboard-assist is already built. The form auto-fills, but the $250 USDC wallet approval still needs manual confirmation.
Fix · Playwright plus Synpress (MetaMask automation). Auto-fill form fields, auto-approve the USDC stake on Arbitrum. Keep a human gate on wallet approval for safety ($250 per submission risk).
B3 · On-chain proof. UUPS proxy verification, implementation slot reading, and initializer state checks all happen manually via Etherscan. web3.py is in requirements, but no RPC verification script exists.
Fix · build scripts/verify_onchain.py, a web3.py script to read EIP-1967 implementation slots, check the Initializable storage slot (0x0 means not initialized), and verify across all chains (Ethereum, Arbitrum, Base, BSC, Mantle, Scroll). Multi-chain RPC endpoints via the LiteLLM proxy pattern.
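The slot check that script would perform, as an added example rather than the pipeline's own verify_onchain.py: it issues a raw eth_getStorageAt JSON-RPC call so it runs without web3.py (swap in web3.py in the real script), reads the EIP-1967 implementation slot, then reads the implementation's own Initializable state; the RPC URL, the slot-0 layout assumption, the addresses and the stub chain are all constructed.

```python
"""Added example of the EIP-1967 / Initializable slot check. Not the pipeline's verify_onchain.py:
raw eth_getStorageAt JSON-RPC instead of web3.py; URL, addresses and stub chain are constructed."""
import json
import urllib.request
from typing import Callable, Dict

# EIP-1967: bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
EIP1967_IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
# OZ Initializable v4.x keeps _initialized (uint8) in the low byte of slot 0 when it is the first
# storage-declaring base; _disableInitializers() writes 0xff. Assumption: other layouts (OZ v5
# ERC-7201 namespaced storage) need a different slot passed in.
INITIALIZABLE_SLOT = "0x0"
Rpc = Callable[[str, list], str]  # (method, params) -> hex result string

def http_rpc(url: str) -> Rpc:
    """Minimal JSON-RPC transport; build one per chain (Ethereum, Arbitrum, Base, ...)."""
    def call(method: str, params: list) -> str:
        body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params}).encode()
        req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)["result"]
    return call

def read_slot(rpc: Rpc, address: str, slot: str) -> int:
    return int(rpc("eth_getStorageAt", [address, slot, "latest"]), 16)

def implementation_of(rpc: Rpc, proxy: str) -> str:
    """The implementation address is the low 20 bytes of the EIP-1967 storage word."""
    return "0x%040x" % (read_slot(rpc, proxy, EIP1967_IMPL_SLOT) & ((1 << 160) - 1))

def check_uups_proxy(rpc: Rpc, proxy: str, init_slot: str = INITIALIZABLE_SLOT) -> Dict[str, object]:
    """Read the implementation's OWN Initializable state, not the proxy's. Low byte 0 means the
    logic contract was never initialized and its constructor never disabled initializers: that
    is the candidate for the UUPS finding class, to be confirmed manually in PM1."""
    impl = implementation_of(rpc, proxy)
    initialized = read_slot(rpc, impl, init_slot) & 0xFF
    return {"proxy": proxy, "implementation": impl,
            "impl_initialized": initialized, "candidate": initialized == 0}

# Constructed stub chain so the check runs offline: proxy 0x11.. points at an uninitialized
# implementation, proxy 0x22.. at one whose constructor called _disableInitializers().
_STUB_STORAGE = {
    ("0x" + "11" * 20, EIP1967_IMPL_SLOT): "0x" + "00" * 12 + "ab" * 20,
    ("0x" + "ab" * 20, "0x0"): "0x0",
    ("0x" + "22" * 20, EIP1967_IMPL_SLOT): "0x" + "00" * 12 + "cd" * 20,
    ("0x" + "cd" * 20, "0x0"): "0xff",
}

def stub_rpc(method: str, params: list) -> str:
    return _STUB_STORAGE.get((params[0].lower(), params[1]), "0x0")
```

Against a live chain, replace `stub_rpc` with `http_rpc("<rpc-url>")` per network; the `candidate` flag is only the trigger for PM1 review, since an unused slot 0 can also mean a non-standard storage layout.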
B4 · Audit cross-ref. Immunefi's rules say unfixed vulnerabilities mentioned in prior reports are not eligible. Right now that means reading 5+ audit PDFs per target by hand.
Fix · build scripts/audit_crossref.py, which downloads audit PDFs from GitHub repos, extracts text, vector-embeds findings, and semantic-matches against ours. It flags duplicates. Cost is about $0.02 per audit report via DeepSeek embeddings.
B5 · PM1 verification. PM1 kills 75% of PM2 findings. Today it needs human-guided Claude sessions for deep analysis, scope verification, and exploit path reasoning.
Fix · auto-scope verification via API (bounty page scraping, then asset matching), auto on-chain proof (the B3 fix), auto audit cross-ref (the B4 fix). The remaining 15% is novel exploit reasoning, which still needs Claude PM1.
B6 · Stale bounty detection. Checking whether bounties are active, paused, or removed. The Sentiment bounty was dead but the pipeline didn't catch it. MachFi #43 versus #12 confusion.
Fix · a cron job pinging the Immunefi API plus Sherlock GraphQL plus the C4 API every 6h. Alert on status changes. Store bounty status in SQLite.
B7 · Cantina submission. No API, and a code-review interface with fiddly interactions. The "New Finding" button path is simpler than the code-highlighting path.
Fix · Playwright automation via the "New Finding" button. Log in with stored session, fill severity, title, and description, then submit. No wallet component.
AppleScript clipboard-assist (current) · A human approves every action. Safest for $250 stakes. It copies title and body to the clipboard, then the user pastes.
Playwright (target) · Full browser automation with 2 to 5s realistic delays. Persistent browser profiles handle session management. 1 to 2 days to build.
| Platform | API Available? | Best Automation | On-Chain? | Risk |
|---|---|---|---|---|
| Immunefi | READ-ONLY (bounties.json) | Playwright | No | UI changes break selectors |
| Sherlock | NONE | Playwright + Synpress | Yes ($250 USDC) | $250/submission financial risk |
| Cantina | NONE | Playwright | No | Complex code-review UI |
| Code4rena | CLOSING JULY 12 | N/A | No | Platform shutting down |
| src/ module | Contents | Size |
|---|---|---|
| analysis/ | Context extraction, ensemble validation, agents, static analysis | ~8,000 LOC |
| synthesis/ | FP filter (841 LOC), semantic dedup, classifier, PoC generator | ~4,500 LOC |
| submission/ | Queue, Sherlock, C4, Immunefi, Cantina submitters | ~3,000 LOC |
| discovery/ | 6 platform scrapers, monitor, cloner | ~3,500 LOC |
| tracking/ | Feedback loop, revenue dashboard, wallet monitor | ~2,500 LOC |
| utils/ | Secrets, database, cache, validation, logger | ~2,500 LOC |
| Script | Purpose | Size |
|---|---|---|
| SC-deepseek-v4-pro-pipeline.py | Main orchestrator | 867 LOC |
| orchestrate.py | Full pipeline orchestration | 1,159 LOC |
| auto_audit.py | Autonomous audit runner | 993 LOC |
| submit_to_contest.py | Contest submission | 621 LOC |
| benchmark_precision.py | Precision metrics | 844 LOC |
| SC-target-screener.py | Target screening (3 modes) | ~500 LOC |
| 28 more scripts | Various utilities | ~7,000 LOC |
15 test files, 10,684 LOC of test code. Strongest coverage sits in secrets (100%), fp_filter (96%), semantic_dedup (90%), ensemble (95%). Weakest sits in the orchestrator (7%), PoC generator (0%), scrapers (0 to 54%).
| Rule | Suppresses |
|---|---|
| 1 | Reentrancy guard blindness (OZ, custom, EIP-1153) |
| 2 | Proxy architecture blindness (UUPS, Transparent, Diamond) |
| 3 | Intentionally public functions |
| 4 | View function simulation |
| 5 | Standard Solidity behavior (zero addr, 0.8 overflow) |
| 6 | Constant/immutable storage FP |
| 7 | SafeERC20/checked arithmetic |
| 8 | Access control inheritance chains |
| 9–12 | Admin trust model, owner-only, timelock |
| 13–16 | Pyth vs Chainlink confusion, hallucinated crosschain |
| 17–18 | OZ ReentrancyGuard (global not per-function) |
| 19–20 | Delegatecall execution context blindness |
| 21 | Internal function access control FP |
| 22 | Custom math limitation acknowledgment |
| Campaign | Targets | Findings | Cost | $/Target |
|---|---|---|---|---|
| C7 | 13 | 5,384 | $2.46 | $0.19 |
| C8 | 4 | 1,709 | $0.95 | $0.24 |
| C9 | 6 | 2,363 | $0.95 | $0.16 |
| C10 | 7 | 1,528 | $0.61 | $0.09 |
| C11 | 10 | 1,890 | $0.81 | $0.08 |
| C12 | 10 | 3,201 | $1.56 | $0.16 |
| C13 | 9 | 3,631 | $1.55 | $0.17 |
| C14 | 9 | 311 | $0.17 | $0.02 |
| C15 | 5 | 810 | $0.85 | $0.17 |
| DeepSeek model | Input | Output |
|---|---|---|
| Flash (current) | $0.07/M in | $0.28/M out |
| Pro (alternate) | $0.27/M in | $1.10/M out |
| Budget remaining | $20.47 | |
| Metric | Current (Manual) | Phase 1 ($100/mo) | Phase 2 ($500/mo) | Phase 3 ($1K/mo) |
|---|---|---|---|---|
| Campaigns/month | 15 (manual trigger) | 30 (cron daily) | 60 (cron 2x/day) | 100+ (continuous) |
| DeepSeek budget | $10/mo | $50/mo | $200/mo | $500/mo |
| On-chain verification | Manual Etherscan | Auto RPC (free tiers) | Alchemy Growth ($49/mo) | Multi-chain RPC ($100/mo) |
| Submission automation | Manual forms | AppleScript clipboard | Playwright semi-auto | Playwright full-auto |
| Expected submissions/mo | 3–5 | 8–12 | 15–25 | 30–50 |
| Expected revenue/mo | $0 (pre-revenue) | $2K–$5K | $5K–$15K | $10K–$30K |
| Infrastructure | Local macOS | Local + launchd | Docker (local) | Docker (VPS $50/mo) |
The SC Audit Pipeline already runs several 100xagenticdev patterns. Here are the integration points for scaling to 20 parallel agents.
| Class | Example | Confidence | Automation |
|---|---|---|---|
| UUPS _disableInitializers missing | TermMax (7 contracts) | 1.0 | On-chain slot scan (EIP-1967) |
| Missing access control on rebalance/swap | USX rebalanceBySwapping() | 0.95 | Agent: access_control |
| Oracle staleness bypass | MachFi BandOracle, Inverse Curve EMA | 0.90 | Agent: oracle_price |
| Signature verification gaps | Belong (5 findings: unsigned fields, no nonce) | 0.80 | Agent: permit_signature |
| reinitializer() without access control | Ostium (6 functions, 5 contracts) | 0.75 | On-chain + Agent: upgrade_proxy |
| Cross-protocol adapter bugs | Sector Finance (Gearbox Curve) | 0.70 | Agent: cross_contract |
| Zero slippage on compound/harvest | Resonate (amountOutMin=0) | 0.70 | Agent: mev_sandwich |
| Redstone ms/s timestamp mismatch | Sommelier (4 instances), Sentiment V2 | 0.65 | Pattern D scan ($0 cost) |
| ERC4626 inflation (no virtual offset) | GammaSwap (MIN_SHARES ≠ virtual offset) | 0.60 | Agent: vault_share_inflation |
TermMax UUPS (submitted): 7 UUPS contracts missing _disableInitializers. On-chain proof shows slot = 0x0. $71.35M TVL at risk. EV $10K–$25K.
TermMax OdosV2AdapterV2 (queued Day 1): the V2 adapter removed the output token validation that V1 has. Submit the moment the rate limit expires. EV $3K–$10K.
Inverse Finance (queued Day 2): 6 composite oracle feeds validate Chainlink but not Curve EMA. WbtcPriceFeed has zero staleness checking on the primary path. EV $5K–$15K.
After the Day 2 submission, we hold 3 pending reports. Novice cap is 3. No more submissions until one resolves (3 to 7 day triage is typical).
Ostium: 6 reinitializer() functions missing access control across 5 contracts. $200K bounty. Needs on-chain verification first.
CapyFi: $1M bounty. Needs an audit cross-ref to confirm it isn't already reported.
| Priority | Component | Effort | Impact | Status |
|---|---|---|---|---|
| P0 | verify_onchain.py · web3.py multi-chain UUPS slot scanner | 4–6h | Eliminates B3 (on-chain manual) | NOT STARTED |
| P0 | Immunefi Playwright submitter · auto form fill plus submit | 4–6h | Eliminates B1 (top bottleneck) | NOT STARTED |
| P1 | audit_crossref.py · PDF download, extract, semantic match | 8–12h | Eliminates B4 (audit cross-ref) | NOT STARTED |
| P1 | Bounty status monitor · cron pinging 3 platform APIs | 3–4h | Eliminates B6 (stale bounty detection) | NOT STARTED |
| P2 | FP rules 23 to 30 · L2 sequencer, dead shares, signatures, Redstone | 2–3h | +5% FP kill rate (98% to 99%+) | NOT STARTED |
| P2 | Cantina Playwright submitter | 4–6h | Eliminates B7 | NOT STARTED |
| P3 | Sherlock Playwright plus Synpress · MetaMask auto-approve | 8–12h | Eliminates B2 (keep human gate on $250) | NOT STARTED |
| P3 | launchd plist plus cron scheduling · 24/7 operation | 2–3h | Continuous campaign execution | Docker stack ready, scheduling not |
| P4 | Multi-model ensemble · DeepSeek + Claude + GPT-4o cross-validation | 12–16h | Higher confidence, fewer PM1 kills | Architecture defined, not implemented |
| P4 | Agent performance ranking · auto-disable low-precision agents | 4–6h | Reduce noise, improve signal-to-noise | Benchmark script exists, no auto-tuning |
| # | Target | Finding | Kill Reason |
|---|---|---|---|
| K-1 | GammaSwap | ERC4626 inflation | Dead shares (MIN_SHARES=1e3 to address(0)) make the attack irrational |
| K-2 | Twyne | handleExternalLiquidation AC | Permissionless by design (like all DeFi liquidations) |
| K-3 | Twyne | onMorphoFlashLoan reentrancy | Parent holds the ReentrancyGuardTransient lock |
| K-4 | Sector Finance | coinId/threeId swap | Dormant. All deployed strategies have coinId=1=threeId |
| K-5 | Resonate | harvest() MEV | MasterChef adapters not in Immunefi scope |
| K-6 | Sommelier | Redstone ms/s | Code uses blockTimestamp (seconds), not dataTimestamp (ms) |
| K-7 | Midas | tx.origin gas dust | Gas dust only, $250 deposit not worth the risk |