Security/ smart-contracts · defi · security · ai

AI Auditor Knowdit Finds DeFi Bugs Humans Miss

A new agentic system built on historical audit reports caught every high-severity vulnerability in a benchmark of 11 DeFi projects — with zero false positives.

An AI system called Knowdit is finding real security holes in DeFi smart contracts that human auditors hadn't caught.

Researchers built Knowdit around a knowledge graph constructed from past human audit reports, mapping recurring vulnerability patterns to the underlying economic mechanics — what the team calls "DeFi semantics" — that make decentralized finance protocols tick. When pointed at a new project, a multi-agent pipeline runs an iterative loop: generate a specification, synthesize a proof-of-concept exploit, execute it, and reflect on the result. Tested against 11 recent Code4rena audit competitions covering 84 known vulnerabilities, Knowdit caught all 21 high-severity issues and 90% of medium-severity ones, with no false positives, fully covering eight of the eleven projects. Applied to seven live projects, it surfaced 9 previously unknown high-severity and 36 medium-severity vulnerabilities.

The result matters because smart contract auditing is expensive, slow, and incomplete — and the stakes are measured in protocol treasuries, not just code quality. By learning from the accumulated record of human audit work rather than starting from scratch, Knowdit represents a different approach than pure static analysis tools: it imports domain knowledge, not just pattern matching.

The obvious caveat is that benchmark performance and real-world deployment are different things — Code4rena contests attract competitive auditors and well-scoped codebases. Still, 9 novel high-severity finds across live projects is a harder result to wave away.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →