Act III — The Hunt

Thirty-four detectors, at once.

The AST is in memory. The detectors fire in parallel — each a small program looking for one shape. Reentrancy. Access. Arithmetic. Oracle. External call. Signature. Storage. DoS. Two seconds of attention against twelve hundred lines.

Detectors34loaded

Families8classes

Workers8parallel

Average runtime2.1s

Surfaces this run7flagged

The cascade

Six beats. Two seconds.

Workers wake, families load, detectors fan out across the AST. The radar is the metaphor; the chips are the work. Each beat is a moment in the same scan — slowed enough to be readable, fast enough to be honest.

SCAN ACTIVE RUNNING · 0 / 34

Active detector

DET-0x07 Running

Reentrancy guard

├─ external call
├─ state mutation
└─ guard check

scanning · 28%

+000ms[w0]engine.start · 8 workers +012ms[w0]ast.map · 3,841 nodes +128ms[w1]family.load · reentrancy ×4 +140ms[w2]family.load · access ×5 +148ms[w3]family.load · arithmetic ×4 +162ms[w4]family.load · oracle ×4 +340ms[w5]fan_out · external_call ×5 +412ms[w6]fan_out · signature ×4 +498ms[w7]fan_out · storage ×4 · dos ×4 +812ms[w1]RE-01 · withdraw():184 · state-after-call · HIT +884ms[w2]ACC-02 · transferOwnership():92 · no-modifier · HIT +941ms[w5]EXT-03 · claim():214 · unchecked-return · HIT +1,212ms[w3]AR-01 · mint():148 · uint128-trunc · HIT +1,388ms[w1]RE-04 · balanceOf():67 · readonly-reentrancy · HIT +1,440ms[w0]correlate · withdraw + balanceOf · same storage slot +1,902ms[w0]severity.assign · 1 critical · 3 high · 1 med · 1 low · 1 info +2,074ms[w0]scan.complete · 34 / 34 +2,098ms[w0]handoff · findings.report

The catalog

Six of the thirty-four. Each one fits in a card.

A detector is small by design — it watches for one shape, in one node-kind, and stops. Its smallness is what lets thirty-four of them run in parallel and still finish before you've finished reading this sentence.

DET-0x01Complete

Reentrancy · classic

├─ external call
├─ state write after
└─ no guard

SWC-107 · 1 hit · withdraw():184

DET-0x02Complete

Reentrancy · readonly

├─ view fn called mid-call
├─ stale storage read
└─ price/balance leak

SWC-130 · 1 hit · balanceOf():67

DET-0x07Complete

Privileged write

├─ state-changing fn
├─ no modifier
└─ no msg.sender check

SWC-105 · 1 hit · transferOwnership():92

DET-0x0EComplete

Unchecked low-call

├─ .call(...)
├─ no require on success
└─ silent failure path

SWC-104 · 1 hit · claim():214

DET-0x12Complete

Integer truncation

├─ uint256 → uint128
├─ no bounds check
└─ value-loss path

SWC-101 · 1 hit · mint():148

DET-0x21Complete

Oracle · stale price

├─ updatedAt read
├─ no freshness check
└─ unchecked answer

no hit · representative

How it runs

One pass. Six honest beats.

The scan is not magic — it is a small, well-ordered set of moves the engine makes against a parsed AST in shared memory. Each beat owes a piece of evidence to the next. The whole journey takes about two seconds.

Engine warm.

Eight worker threads come up. The detector registry is loaded and indexed by node-kind. The AST is mapped into shared memory, read-only.

+0msstart

Families load.

Eight detector families register their predicates. Each predicate is a tiny pattern over one node-kind — function, call, assignment, modifier — never the whole tree.

+120msload

Detectors fan out.

Thirty-four detectors fan onto eight workers, scheduled by expected cost. The AST is walked once per worker; predicates fire as nodes pass.

+340msfan-out

First hit.

A detector that fires keeps the offending node, the path that reached it, and a confidence score. No early reporting — every hit waits for the cross-correlate step.

+810msfirst hit

Cross-correlate.

Hits are grouped by storage slot, by call-graph proximity, by detector-pair affinity. A read-after-write on the same slot turns a low into a high; an external call into a contract you also touch turns a high into a critical.

+1,440mscorrelate

Settle.

Severity is assigned, evidence is sealed, the report is handed to the findings layer. The engine releases the AST and goes idle. The whole pass took two-point-one seconds.

+2,100mssettle

Next · Act IV

Proof. Each finding, with a runnable exploit.

See the findings