60 min · EVMbench · Solana & Cross-Chain · Audit as Deliverable
Prerequisite: S11
EVMbench is the standard. The claim "our harness finds bugs" must be scored against the same 117 vulnerabilities, same 40 repos, same three-mode evaluation. Comparable, reproducible, falsifiable.
| Score | Measures | Does NOT measure |
|---|---|---|
| Detect recall | Can the harness find known bugs? | Whether it can exploit or fix them |
| Patch quality | Can it fix without breaking behavior? | Whether it can find them first |
| Exploit success rate | Can it build working PoCs? | Whether PoCs generalize to unseen bugs |
Report all three together. 90% Detect / 30% Patch / 30% Exploit = detection engine, not audit harness.
92% vs 34%
Purpose-built agents vs GPT-5.1 on DeFi-specific vulnerability classes. Nearly 3x — the difference between reliable and missing two-thirds of bugs.
What domain specificity buys: heuristic scaffolds (DeFi safety properties), tool integration (Slither/Mythril/Foundry), context engineering (function-level), cascaded verification (DeFi-specific FP filtering).
The gap is the business case for building a purpose-built harness.
"Our harness scores 88% Detect / 72% Patch / 68% Exploit on EVMbench" is a falsifiable claim competitors can compare against.
Converts "trust us, we're good" into "here is the scored evidence." The benchmark makes audit quality legible to clients who cannot evaluate Solidity security themselves.
Solana's account model creates vulnerability classes with no EVM analog. The 3-mode architecture ports; the tools and heuristics do not.
| Class | Description |
|---|---|
| Account confusion | Program accepts wrong account type — no owner/type verification. The signature Solana bug. |
| Missing signer check | Privileged action without verifying caller signed. Explicit per-account in Solana. |
| Integer arithmetic | Rust defaults to checked, but unchecked blocks/casting introduce overflows. |
| PDA misuse | Program-Derived Address mis-derivation or collision. No EVM equivalent. |
Anchor's #[derive(Accounts)] constraints reduce account confusion — but a missing has_one is a silent security gap.
Bridges are the highest-value attack surface in crypto. Billions lost 2024-2025. Wormhole ($325M), Nomad ($190M).
The vulnerability is in the cross-chain verification protocol, not a single contract: signature flaws, message-passing manipulation, relayer centralization, wrapped-asset accounting.
Bridge auditing models the protocol as a distributed system across both chains — beyond single-contract analysis.
A finding in a tool's JSON output is raw material. The audit report is the deliverable — what the client reads, what remediation acts on, what becomes the security record.
| Severity | Definition |
|---|---|
| Critical | Funds at immediate risk, exploitable now |
| High | Funds at risk under conditions |
| Medium | Logic error, no immediate financial impact |
| Low | Best-practice violation |
| Informational | Optimization or style |
Harness severity = draft. Auditor severity = final. Every severity human-confirmed before report ships.
The harness is the engine, the report is the product, the benchmark scores are the proof, the remediation support is the retention.
Pricing captures the gap between cost ($2.31/10K LOC) and value (92% detection). Client pays for finding quality, not compute time.
Next: Capstone 1 (bug bounty or appsec) or Capstone 2 (smart contract or cloud) — where the audit harness is applied to a full engagement.