Advanced Smart Contract Harnesses

Module S12 · Course 2A · Pillar 4 — Smart Contract Security

60 min · EVMbench · Solana & Cross-Chain · Audit as Deliverable

Prerequisite: S11

S12.1 — Benchmarking Against EVMbench

EVMbench is the standard. The claim "our harness finds bugs" must be scored against the same 117 vulnerabilities, same 40 repos, same three-mode evaluation. Comparable, reproducible, falsifiable.

The three scores that matter

ScoreMeasuresDoes NOT measure
Detect recallCan the harness find known bugs?Whether it can exploit or fix them
Patch qualityCan it fix without breaking behavior?Whether it can find them first
Exploit success rateCan it build working PoCs?Whether PoCs generalize to unseen bugs

Report all three together. 90% Detect / 30% Patch / 30% Exploit = detection engine, not audit harness.

The 92% vs 34% gap

92%  vs  34%

Purpose-built agents vs GPT-5.1 on DeFi-specific vulnerability classes. Nearly 3x — the difference between reliable and missing two-thirds of bugs.

What domain specificity buys: heuristic scaffolds (DeFi safety properties), tool integration (Slither/Mythril/Foundry), context engineering (function-level), cascaded verification (DeFi-specific FP filtering).

The gap is the business case for building a purpose-built harness.

Benchmark as product differentiator

"Our harness scores 88% Detect / 72% Patch / 68% Exploit on EVMbench" is a falsifiable claim competitors can compare against.

Converts "trust us, we're good" into "here is the scored evidence." The benchmark makes audit quality legible to clients who cannot evaluate Solidity security themselves.

S12.2 — Solana and Cross-Chain

Solana's account model creates vulnerability classes with no EVM analog. The 3-mode architecture ports; the tools and heuristics do not.

Solana vulnerability classes

ClassDescription
Account confusionProgram accepts wrong account type — no owner/type verification. The signature Solana bug.
Missing signer checkPrivileged action without verifying caller signed. Explicit per-account in Solana.
Integer arithmeticRust defaults to checked, but unchecked blocks/casting introduce overflows.
PDA misuseProgram-Derived Address mis-derivation or collision. No EVM equivalent.

Anchor's #[derive(Accounts)] constraints reduce account confusion — but a missing has_one is a silent security gap.

Cross-chain bridge security

Bridges are the highest-value attack surface in crypto. Billions lost 2024-2025. Wormhole ($325M), Nomad ($190M).

The vulnerability is in the cross-chain verification protocol, not a single contract: signature flaws, message-passing manipulation, relayer centralization, wrapped-asset accounting.

Bridge auditing models the protocol as a distributed system across both chains — beyond single-contract analysis.

Harness adaptations for Solana

3-mode architecture PORTS (Detect/Patch/Exploit)
Static analysis: Solana-specific — Anchor constraint checking, custom Semgrep for Rust
Exploit PoCs: bankrun / solana-test-validator with mainnet snapshot (not Foundry)
Invariant extraction: same strategy, Solana-shaped invariants ("vault token balance == sum deposits")

S12.3 — Audit as a Deliverable

A finding in a tool's JSON output is raw material. The audit report is the deliverable — what the client reads, what remediation acts on, what becomes the security record.

Report structure & severity

1. Scope (contracts, commit, dates) → 2. Methodology → 3. Findings table → 4. Severity breakdown → 5. Detailed findings (PoC + patch) → 6. Remediation roadmap
SeverityDefinition
CriticalFunds at immediate risk, exploitable now
HighFunds at risk under conditions
MediumLogic error, no immediate financial impact
LowBest-practice violation
InformationalOptimization or style

Harness severity = draft. Auditor severity = final. Every severity human-confirmed before report ships.

Audit as product

The harness is the engine, the report is the product, the benchmark scores are the proof, the remediation support is the retention.

Pricing captures the gap between cost ($2.31/10K LOC) and value (92% detection). Client pays for finding quality, not compute time.

Next: Capstone 1 (bug bounty or appsec) or Capstone 2 (smart contract or cloud) — where the audit harness is applied to a full engagement.