An AI system called Knowdit is finding real security holes in DeFi smart contracts that human auditors hadn't caught.
Researchers built Knowdit around a knowledge graph constructed from past human audit reports, mapping recurring vulnerability patterns to the underlying economic mechanics — what the team calls "DeFi semantics" — that make decentralized finance protocols tick. When pointed at a new project, a multi-agent pipeline runs an iterative loop: generate a specification, synthesize a proof-of-concept exploit, execute it, and reflect on the result. Tested against 11 recent Code4rena audit competitions covering 84 known vulnerabilities, Knowdit caught all 21 high-severity issues and 90% of medium-severity ones, with no false positives, fully covering eight of the eleven projects. Applied to seven live projects, it surfaced 9 previously unknown high-severity and 36 medium-severity vulnerabilities.
The result matters because smart contract auditing is expensive, slow, and incomplete — and the stakes are measured in protocol treasuries, not just code quality. By learning from the accumulated record of human audit work rather than starting from scratch, Knowdit represents a different approach than pure static analysis tools: it imports domain knowledge, not just pattern matching.
The obvious caveat is that benchmark performance and real-world deployment are different things — Code4rena contests attract competitive auditors and well-scoped codebases. Still, 9 novel high-severity finds across live projects is a harder result to wave away.