How It Works
This page walks through the analysis pipeline end to end. For positioning, benchmarks, and what to expect in the report, read What is AuditAgent.
What the agent receives
Before each scan you select three things.
The codebase. A repository, a branch, and the contract files you want analyzed. See Which ecosystems we support for the supported languages. Up to 100 contracts and 12,000 BLoC per scan.
Documentation. READMEs from the repo, public URLs, PDF/MD/MDX uploads, and free-form notes. The agent reads all of it and folds it into its working context.
Clarifying answers. Optional answers to six structured prompts about deployment chains, trust assumptions, and design choices. See Additional Questions for the full list.
The richer the context, the better the output. Documentation is how the agent disambiguates intent: a function called transfer could be an ERC-20 transfer, an ERC-721 transfer, or a custom escrow withdrawal. Tell the agent which one it is and you get fewer false positives.
What runs during a scan
Multiple large language models analyze your contracts in coordination. The exact pipeline depends on the tier you pick.
Developer Scan. 1x compute, lightweight models, up to 1 hour. Designed to fit a code review or pre-PR loop.
Auditor Scan. 5x compute, the most expensive models, up to 5 hours. It adds three things the Developer Scan does not have.
- Multi-Agent System. Specialised agents working in coordination.
- Attacker Model. The same code re-read from a hostile perspective.
- Internet Search. Live context on known vulnerabilities and protocol patterns.
These three extras are why the Auditor Scan has materially higher recall on harder findings. The Difficulty Benchmark page has the per-tier numbers.
Persistent Memory in the pipeline
If you have initialised Persistent Memory for a project, every scan after that runs against the accumulated context: architecture, invariants, hypotheses, and contradictions from prior scans. Subsequent scans propose updates to the memory, which you review before they persist. Without memory, every scan starts from a blank slate.
What the agent does not see
- Code outside the files you select in the Developer Scan. Scope is explicit.
- Production state, balances, or on-chain context, unless you describe it in the documentation.
- External dependencies in the Developer Scan, and in the Auditor Scan whenever we cannot install them.
This matters when you are triaging false positives. If a finding looks wrong, the first question to ask is whether the agent actually understood what the function does in your protocol. If it did not, add better documentation and rescan.
What you get back
The scan produces findings, a code summary and architecture diagram, generated invariants, a 0 to 100 security score, an AI Chat surface per finding, and an email with the audit report PDF attached. See What you get back for the full breakdown.