"What are the three EVMbench scores and what does each measure?"	"(1) Detect recall: of 117 known vulns, how many found? (2) Patch quality: for each detected vuln, does the fix remove it AND preserve behavior? (3) Exploit success rate: for each detected vuln, did the harness build a working PoC on forked mainnet? All three measured independently."	c2a::s12::recall
"Why must all three EVMbench scores be reported together?"	"Reporting only Detect recall hides weaknesses in Patch and Exploit. A harness scoring 90% Detect / 30% Patch / 30% Exploit is a detection engine, not an audit harness. 80% across all three is a genuine audit tool. Each score measures a different capability."	c2a::s12::analysis
"What is the 92% vs 34% gap and what does it represent?"	"Purpose-built smart contract agents achieve ~92% detection on DeFi-specific vulnerability classes vs ~34% for GPT-5.1 (general LLM baseline). Nearly 3x — the difference between reliable and missing two-thirds of bugs. The gap is the quantified value of domain-specific tooling."	c2a::s12::recall
"What is the structural explanation for the 92% vs 34% gap?"	"DeFi classes (flash loans, oracles, rebase tokens, governance, liquidation) require domain knowledge general LLMs lack. Purpose-built agents embed it via 4 mechanisms: heuristic scaffolds (DeFi safety properties), tool integration (Slither/Mythril/Foundry), context engineering (function-level reorganization), cascaded verification (DeFi-specific FP filtering)."	c2a::s12::analysis
"How are EVMbench results used as a product differentiator?"	"Publishing '88% Detect / 72% Patch / 68% Exploit on EVMbench' is a falsifiable claim competitors can compare against. Converts 'trust us, we're good' into 'here is the scored evidence.' Makes audit quality legible to clients who cannot evaluate Solidity security themselves."	c2a::s12::application
"What is account confusion and why is it the signature Solana bug?"	"A Solana program accepts an account of the wrong type (e.g., token account instead of expected vault) because it doesn't verify the account's owner/type. Solana passes accounts explicitly into instructions (unlike EVM's type-bound addresses). Defense: Anchor's #[account] constraints and explicit owner checks — but missing them is common."	c2a::s12::analysis
"What is PDA misuse and why does it have no EVM equivalent?"	"Program-Derived Addresses are deterministic addresses controlled by the program. Misuse = mis-derivation, collision attack, or use without verifying seeds. No EVM equivalent because the EVM has no analogous deterministic-address-controlled-by-contract mechanism."	c2a::s12::recall
"What does the Anchor framework provide and what is its security footgun?"	"Provides: account validation macros (#[account], #[derive(Accounts)]), IDL generation, constraint system (has_one, constraint, address). Reduces account confusion when used correctly. Footgun: a #[derive(Accounts)] struct omitting a has_one constraint is a SILENT security gap."	c2a::s12::analysis
"What are the four Solana vulnerability classes?"	"(1) Account confusion (wrong account type accepted). (2) Missing signer check (privileged action without verifying caller signed). (3) Integer arithmetic errors (Rust defaults to checked, but unchecked blocks/casting introduce overflows). (4) PDA misuse (mis-derivation or collision)."	c2a::s12::recall
"Why is cross-chain bridge security a distinct discipline?"	"The vulnerability is in the cross-chain VERIFICATION PROTOCOL, not a single contract. How does Chain B know Chain A locked assets? Requires modeling the protocol as a distributed system across both chains, tracing asset flows, checking invariants (minted <= locked). Beyond single-contract auditing."	c2a::s12::analysis
"Name the common bridge verification failure modes."	"(1) Signature verification flaws (wrong signer set, replayable signatures). (2) Message-passing manipulation (forgeable message format). (3) Relayer centralization (single relayer can submit fraud). (4) Wrapped-asset accounting (minting more wrapped assets than locked collateral)."	c2a::s12::recall
"Name two major bridge exploits and their losses."	"Wormhole (2022, $325M) and Nomad (2022, $190M). Plus billions in aggregate losses across 2024-2025 bridge exploits. Bridges are the highest-value attack surface in crypto because compromising verification mints unbacked assets."	c2a::s12::recall
"What ports and what does NOT port when adapting the harness from EVM to Solana?"	"PORTS: the 3-mode architecture (Detect/Patch/Exploit), cascaded verification, invariant extraction strategy. Does NOT port: static tools (Slither/Mythril don't analyze Rust/Anchor — use Anchor constraint checking, custom Semgrep), exploit PoCs (use bankrun/solana-test-validator, not Foundry)."	c2a::s12::analysis
"What are the six sections of a client-ready audit report?"	"(1) Scope (contracts, commit hash, dates). (2) Methodology (manual review, static analysis, fuzzing, formal verification). (3) Findings table (ID, title, severity, status, location). (4) Severity breakdown (count by Critical/High/Medium/Low/Info). (5) Detailed findings (description, impact, PoC, recommendation, status). (6) Remediation roadmap."	c2a::s12::recall
"What are the five severity levels and their definitions?"	"Critical: funds at immediate risk, exploitable now. High: funds at risk under conditions (specific state/trigger). Medium: logic error without immediate financial impact. Low: best-practice violation, no direct risk. Informational: optimization or style suggestion, no security relevance."	c2a::s12::recall
"Why is the harness's severity a draft and the auditor's final?"	"Severity is the finding's most consequential attribute — drives remediation priority and client risk communication. The LLM triage assigns a draft severity, but every severity is human-confirmed before the report ships. A Medium that should be Critical misleads remediation priority. Human judgment is non-negotiable."	c2a::s12::application
"How does the report generator work?"	"Converts structured finding records (S11 cascaded-verification output) into the report format. Each detailed finding includes the PoC (from S11.3) and the recommendation/patch (from S11.4). The generator does the ASSEMBLY; the human auditor does the JUDGMENT (reviews, edits, confirms severity)."	c2a::s12::application
"What is the audit-as-product positioning?"	"The harness is the engine, the report is the product, the benchmark scores are the proof, the remediation support is the retention. Client pays for finding quality (92% detection), not compute time ($2.31/10K LOC). Pricing captures the gap between marginal cost and delivered value."	c2a::s12::analysis
"How does Detect recall differ from Exploit success rate on EVMbench?"	"Detect recall: can the harness FIND known bugs? (pattern identification). Exploit success rate: can the harness BUILD working PoCs that run on forked mainnet? (attack construction). A harness can detect a vuln it cannot exploit — identified the pattern but cannot construct the attack transaction. Exploit is harder."	c2a::s12::analysis
"Why is bridge auditing beyond single-contract analysis?"	"The security boundary is the verification protocol across two chains, not one contract. Must model the cross-chain message flow as a state machine, trace asset flows on both chains, and check that minted wrapped assets never exceed locked collateral. The attacker's target is the verification logic, which spans the distributed system."	c2a::s12::analysis
