The log.
Security notes, post-mortems, and observations from the audit floor.
Governance Attacks: From Flash Loans to Key Compromise
On-chain governance is a target. Flash-borrowed voting power, quorum manipulation, timelock bypasses, and guardian key compromise are not theoretical — they have all been used in production exploits.
OWASP Smart Contract Top 10: The Most Critical Vulnerability Classes
The OWASP Smart Contract Top 10 catalogs the vulnerability classes most likely to cause material harm. Each category represents a pattern of failures that has appeared repeatedly across production protocols.
Liquidation Cascade Risk in Lending Protocols
A liquidation system that works under normal market conditions can become the mechanism of a protocol's destruction under stress. Bad debt accumulation, cascade mechanics, and the design choices that determine which outcome you get.
False Positives in LLM Auditing: Why 20-40% Noise Makes Raw AI Output Unusable
An AI tool that flags everything is not a security tool — it is a noise generator. Understanding why LLMs produce false positives at high rates, and how to filter them, determines whether AI assistance accelerates an audit or slows it down.
Prompt Engineering for Smart Contract Security: Getting Useful Output from LLMs
The quality of LLM security analysis is almost entirely determined by the prompt. Vague prompts produce vague findings. Structured prompts with specific vulnerability targets, context constraints, and output format requirements produce actionable ones.
Fine-Tuned Models vs Zero-Shot: What the Benchmarks Actually Show
Fine-tuned security models outperform zero-shot prompting of general models on the benchmarks they were tuned to pass. Whether those benchmarks reflect real audit performance is a different question — and the answer is more complicated than the leaderboards suggest.
AI Agents for Continuous Smart Contract Monitoring: Architecture and Limitations
An AI monitoring agent that interprets on-chain anomalies in context is more useful than a rule-based alert system — and significantly harder to build reliably. The architecture, latency constraints, and false positive management are non-trivial.
RAG for Smart Contract Auditing: Building a Vulnerability Knowledge Base
A language model that can retrieve relevant past vulnerabilities before analyzing new code finds more than a model that relies on its training data alone. Building that retrieval pipeline — and keeping it current — is where the real work is.
Hybrid Auditing Pipelines: Where AI Stops and the Human Starts
The most effective use of AI in auditing is not replacing human review — it is handling the work that does not require human judgment so that human attention can focus on the work that does. Drawing that boundary correctly determines whether the pipeline finds more bugs or just generates more noise.
Solana Security: CPI, Signer Verification, and Account Confusion
The Solana account model is not the EVM. A missing signer check, a missing owner check on a caller-supplied account, and a CPI into whatever program the caller passed in are distinct vulnerability classes with no direct EVM equivalent. Each requires a different mental model.
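The three checks named in that teaser, shown side by side in an added example that is not code from the post or from the Solana SDK. It models the account list with std-only types: `Pubkey`, `AccountInfo`, `ProgramError`, the program ids, the vault layout and the `withdraw_*` functions are all stand-ins assumed for illustration, not `solana_program` APIs. The vulnerable handler only compares keys; the hardened one verifies the vault's owner, the authority's signature, and the CPI target, and each scenario exercises one of the three classes.

```rust
// Added example, not solana_program code: std-only stand-ins for the runtime types.

/// 32-byte public key, as on Solana.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

/// Minimal stand-in for the runtime's AccountInfo.
#[derive(Clone, Debug)]
pub struct AccountInfo {
    pub key: Pubkey,
    pub owner: Pubkey,   // program allowed to write this account's data
    pub is_signer: bool, // did the transaction carry this key's signature?
    pub lamports: u64,
    pub data: Vec<u8>,   // for the vault: the 32-byte authority pubkey
}

#[derive(Debug, PartialEq, Eq)]
pub enum ProgramError {
    MissingRequiredSignature,
    IncorrectProgramId,
    IllegalOwner,
    InvalidAccountData,
    InsufficientFunds,
}

// Assumed ids for this example only.
pub const PROGRAM_ID: Pubkey = Pubkey([0xAA; 32]);
pub const TOKEN_PROGRAM_ID: Pubkey = Pubkey([0xBB; 32]);
pub const SYSTEM_PROGRAM_ID: Pubkey = Pubkey([0x00; 32]);

/// Deserialise the authority stored in the vault's data (assumed layout: 32 raw bytes).
fn vault_authority(vault: &AccountInfo) -> Result<Pubkey, ProgramError> {
    let slice = vault.data.get(..32).ok_or(ProgramError::InvalidAccountData)?;
    let bytes: [u8; 32] = slice.try_into().map_err(|_| ProgramError::InvalidAccountData)?;
    Ok(Pubkey(bytes))
}

/// Stand-in for the CPI that moves the funds.
fn debit(vault: &mut AccountInfo, amount: u64) -> Result<(), ProgramError> {
    if vault.lamports < amount {
        return Err(ProgramError::InsufficientFunds);
    }
    vault.lamports -= amount;
    Ok(())
}

/// VULNERABLE: only compares keys. The caller controls every account in the list, so
/// nothing proves the authority signed, that `vault` is ours, or that the CPI target is real.
pub fn withdraw_unchecked(
    vault: &mut AccountInfo,
    authority: &AccountInfo,
    _token_program: &AccountInfo,
    amount: u64,
) -> Result<(), ProgramError> {
    if authority.key != vault_authority(vault)? {
        return Err(ProgramError::MissingRequiredSignature);
    }
    debit(vault, amount)
}

/// HARDENED: owner check, signer check, and CPI target check.
pub fn withdraw(
    program_id: &Pubkey,
    vault: &mut AccountInfo,
    authority: &AccountInfo,
    token_program: &AccountInfo,
    amount: u64,
) -> Result<(), ProgramError> {
    // Owner check: only data in accounts owned by this program can be trusted.
    if vault.owner != *program_id {
        return Err(ProgramError::IllegalOwner);
    }
    // Signer check: matching the stored key is not enough; the key must have signed.
    if !authority.is_signer || authority.key != vault_authority(vault)? {
        return Err(ProgramError::MissingRequiredSignature);
    }
    // CPI target check: never invoke whatever program the caller passed in.
    if token_program.key != TOKEN_PROGRAM_ID {
        return Err(ProgramError::IncorrectProgramId);
    }
    debit(vault, amount)
}

/// One legitimate call plus one constructed attack per vulnerability class.
#[derive(Clone, Copy, Debug)]
pub enum Scenario {
    Legit,
    MissingSigner,    // real authority key listed, but no signature for it
    FakeVault,        // attacker-owned account shaped like a vault (account confusion)
    FakeTokenProgram, // attacker's program passed where the token program belongs
}

/// Withdraws 600 lamports from a constructed 1000-lamport vault; returns the remaining balance.
pub fn run(scenario: Scenario, hardened: bool) -> Result<u64, ProgramError> {
    let owner_key = Pubkey([1; 32]);
    let attacker_key = Pubkey([2; 32]);
    let mut vault = AccountInfo { key: Pubkey([3; 32]), owner: PROGRAM_ID, is_signer: false,
                                  lamports: 1_000, data: owner_key.0.to_vec() };
    let mut authority = AccountInfo { key: owner_key, owner: SYSTEM_PROGRAM_ID, is_signer: true,
                                      lamports: 0, data: vec![] };
    let mut token_program = AccountInfo { key: TOKEN_PROGRAM_ID, owner: SYSTEM_PROGRAM_ID,
                                          is_signer: false, lamports: 0, data: vec![] };
    match scenario {
        Scenario::Legit => {}
        Scenario::MissingSigner => authority.is_signer = false,
        Scenario::FakeVault => {
            vault.owner = attacker_key;           // attacker created it, so attacker owns it
            vault.data = attacker_key.0.to_vec(); // and wrote themselves in as authority
            authority.key = attacker_key;         // attacker does sign, just not as the real owner
        }
        Scenario::FakeTokenProgram => token_program.key = attacker_key,
    }
    if hardened {
        withdraw(&PROGRAM_ID, &mut vault, &authority, &token_program, 600)?;
    } else {
        withdraw_unchecked(&mut vault, &authority, &token_program, 600)?;
    }
    Ok(vault.lamports)
}

fn main() {
    for s in [Scenario::Legit, Scenario::MissingSigner, Scenario::FakeVault, Scenario::FakeTokenProgram] {
        println!("{:?}: unchecked={:?} hardened={:?}", s, run(s, false), run(s, true));
    }
}
```

Every attack scenario drains the unchecked vault to 400 lamports; the hardened handler rejects each one with a different error, which is the point of the teaser: three checks, three failure modes, three mental models. Note that the order matters: the owner check runs before the vault's data is read, because an attacker-owned account can carry any bytes.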