SC audit pipeline · campaign 19

Triple workload session · 2026-05-15 · Session 4

Targets scanned

14,192

Total findings

2,899

H-severity

$8.03

DeepSeek cost

PM1 candidates

$25.6M

Bounty pool

$26.16

Balance left

$0.26

Avg per scan

Scan heatmap · 31 targets by findings count

891

849

816

770

739

719

681

652

619

610

510

499

494

462

460

451

423

379

371

368

362

306

304

282

272

267

220

159

103

Top 10 PM1 handoff candidates

V-01 Ethena · mintWETH() missing MINTER_ROLE 0.98

$3,000,000 bounty (Immunefi)

access_control agent · EthenaMinting.sol · if real, unauthorized minting of WETH-backed USDe

V-02 Morpho Blue · MorphoInternalAccess missing AC 1.00

$2,500,000 bounty (Cantina)

access_control agent · update() and increaseInterest() · if real, direct market state manipulation

V-03 Pendle · unsafe int256 to uint256 cast 0.98

$2,000,000 bounty (Cantina)

oracle_price agent · _applyFeedMultiplier · negative Chainlink price wraps to huge uint

V-04 Reserve Protocol · ExchangeRateOracle staleness 0.95

$10,000,000 bounty (Cantina)

oracle_price agent · exchangeRate() · missing freshness check on exchange rate

V-07 Lombard · decimal mismatch in BTCB/CBBTC PMM 0.95

$250,000 bounty (Immunefi)

oracle_price agent · PMM contracts · incorrect price scaling between BTC wrapped assets

V-09 Alchemix V3 · Frax oracle missing freshness 0.95

$300,000 bounty (Immunefi)

oracle_price agent · FraxDualOracleAdapter · latestRoundData() without timestamp check

V-10 Lista DAO · CDPLiquidator flash loan reentrancy 0.95

$1,000,000 bounty (Immunefi)

reentrancy agent · onFlashLoan · external calls before state updates in callback

V-06 PancakeSwap · uninitialized vault implementation 0.95

$1,000,000 bounty (Cantina)

upgrade_proxy agent · Vault contract · same pattern as TermMax S-01

V-08 Nucleus · underflow in CellarMigrator 0.95

$500,000 bounty (Immunefi)

oracle_price agent · completeMigration() · unchecked arithmetic in migration

V-05 Chainlink CCIP · executeSingleMessage no guard 0.95

$3,000,000 bounty (Immunefi)

reentrancy agent · OffRamp · missing reentrancy guard on message execution

All scans · full results table

#	Target	Bounty	Findings	H	Specific H	Cost	.sol
1	reserve-protocol	$10M	891	204	106	$0.45	313
2	termmax-v2	$50K	849	213	109	$0.36	239
3	lista-dao	$1M	816	162	85	$0.36	190
4	pendle	$2M	770	167	78	$0.36	205
5	stakewise-v3	·	739	162	76	$0.31	176
6	origin-dollar	·	719	125	58	$0.41	253
7	beanstalk	·	681	180	107	$0.43	226
8	across-protocol	·	652	167	84	$0.41	292
9	radiant-v2	·	619	156	84	$0.33	147
10	open-dollar	·	610	115	68	$0.32	208
11	etherfi	$300K	510	89	45	$0.34	206
12	lombard	$250K	499	93	52	$0.24	95
13	ribbon	·	494	95	47	$0.24	88
14	alchemix-v3	$300K	462	104	67	$0.22	88
15	euler-vault	·	460	118	47	$0.17	84
16	flare-fassets	$250K	451	73	36	$0.32	165
17	nucleus	$500K	423	73	41	$0.30	232
18	velodrome	·	379	76	48	$0.23	80
19	ajna	·	371	53	32	$0.38	195
20	gearbox-v3	$200K	368	58	28	$0.14	69
21	thirdweb	·	362	53	28	$0.36	331
22	chainlink-ccip	$3M	306	52	28	$0.28	82
23	liquity	·	304	60	39	$0.18	82
24	aave-v3	$1M	282	52	24	$0.28	110
25	pancakeswap-per	$1M	272	39	22	$0.16	91
26	pancakeswap-inf	$1M	267	29	21	$0.18	87
27	paraswap	·	220	41	22	$0.11	63
28	ethena	$3M	159	28	16	$0.06	51
29	gamma	·	103	19	14	$0.03	20
30	morpho-blue	$2.5M	88	31	25	$0.03	29
31	monetrix	$22K	66	12	7	$0.03	20

Budget progress

Starting balance was $34.19, after a $20 top-up.

C19 spend came to $8.03.

Ending balance sits at $26.16.

$26.16 remaining (76.5%)

Cumulative spend C7-C19 is roughly $17.26, or about 57 more scans at the current rate.

API usage summary

DeepSeek API

Calls ran to about 4,800 estimated.

Cost landed at $8.03.

Model was deepseek-chat.

Scans covered 31 targets.

Other APIs

Immunefi API took 1 call, with cached bounties.

GitHub handled 32 git clones.

WebSearch ran about 5 queries.

WebFetch pulled about 3 pages.

Campaign comparison · C7 to C19

Campaign	Targets	Findings	Cost	New
C7	13	5,384	$2.46	13
C8	4	1,709	$0.95	4
C9	6	2,363	$0.95	6
C10-C15	various	various	$0.60	various
C16	4	65	$0.00	4
C17	285 scans	0 new	$0.00	0
C18	53	11,055	$6.28	0 (re-scan)
C19	31	14,192	$8.03	31

What landed and what stalled

What worked

31 new targets in a single session
$8.03 DeepSeek spend, past the $8 minimum
$25.6M in bounty pool coverage
10 PM1 candidates across 17 bounty targets
Parallel scan run, roughly 30 min for all 31
Target discovery off Immunefi cached data

What didn't

HackenProof still 403 blocked
Olas C4 repo scan failed on a structure issue
USDT0 repo came back as an empty clone
Code4rena shutting down on May 13, 2026
Most H findings are generic reentrancy false positives
Well-audited protocols yield about 0% actionable