Security

Oct 30, 2025

AuditAgent x Gearbox Case Study

author

Nethermind

AuditAgent Helps Gearbox Protocol Uncover Minor Issues in a Heavily Audited Codebase.

Background

Gearbox Protocol, a leader in decentralized finance (DeFi), embarked on a security assessment of its core contracts, comprising approximately 8,000 lines of code (LOC) with multiple dependencies. With a history of seven human audits and over $3 million invested in security, the protocol sought to evaluate the efficacy of AI-driven security tools, specifically AuditAgent by Nethermind and another competitor tool, in identifying potential vulnerabilities in a protocol with over $300M Total Value Locked and $9.41B in total transaction volume.

"Tools like AuditAgent can be invaluable for developers identifying bugs before audits or bug bounties. They also help uncover assumptions in your codebase and serve as a good starting point for further security research. We managed to fix two minor issues in our repository, which is a significant achievement considering the codebase had already undergone seven audits."
0xmikko, Gearbox Founder

Objective

The primary goal was to determine whether Nethermind’s AuditAgent could complement or enhance traditional security audits, particularly in a real-world codebase that had been live for three years without incident.

Methodology

Gearbox tested AuditAgent on its core contracts, comparing the results against previous human audits. The evaluation focused on the tool's ability to identify issues, the quality of reports generated, and its integration potential within continuous integration/continuous deployment (CI/CD) pipelines.

Results

  • Speed and Efficiency: AuditAgent delivered a report in just 20 minutes, which is quick in comparison to other AI-powered audit tools. This rapid turnaround is crucial for integrating security checks into development cycles.
  • Issue Identification: The tool identified 26 potential issues. While findings included minor inaccuracies, hallucinations, and false positives, the overall quality of the reports was impressive for an AI-powered tool designed to speed up security workflows.
  • Report Quality: The 37-page report provided clear descriptions and reasoning for each potential issue, making it a valuable resource for further analysis and remediation.
  • Integration and Usability: AuditAgent proved to be useful for CI/CD processes, integrating into pipelines during GitHub branch merges. Its ability to understand business logic better than other tools, with fewer hypotheses, was a plus.
  • Impact: Notably, AuditAgent helped identify two minor issues that had eluded previous human audits, demonstrating its potential to offer fresh perspectives on well-audited codebases. This capability is particularly beneficial for fixing small bugs before initiating bug bounty programs or additional audits.

Key Takeaways

  • Complementary Role: AuditAgent is designed to complement human auditors by surfacing assumptions and offering a fresh perspective on the codebase, making it a strong starting point for deeper security research.
  • Efficiency and Insight: The tool's speed and depth of analysis make it an invaluable asset for ongoing security work, especially in dynamic development environments.
  • Cost-Effectiveness: By identifying issues that might otherwise require extensive human effort, AuditAgent offers a cost-effective solution for maintaining security protocols.

Conclusion

Gearbox Protocol’s experience with AuditAgent suggests it may be a helpful addition to the smart contract security toolkit. Even within the context of a codebase that had already undergone extensive auditing, AuditAgent identified areas of interest and provided useful insights. While no tool is a silver bullet, its speed and integrative approach point to its potential utility, especially as the DeFi landscape continues to evolve and demand scalable security solutions.