How AuditHub Catches Zero-Day Exploits Before Deployment

Security in Web3 has been reactive for too long. Our recent AMA reveals how continuous security catches zero-day exploits before deployment.

TLDR

  • Traditional audits create a false sense of security; the next commit can reintroduce vulnerabilities unchecked.
  • AuditHub catches critical bugs during development when fixes take minutes.
  • Describe intended behavior, not bug signatures, to detect unknown exploits.
  • CI/CD integration runs security checks immediately through existing development pipelines.
  • Formal methods prove the absence of specific bug classes, a guarantee AI tools cannot provide.
  • The Orca fuzzer uses declarative specifications; no custom harness code is required.

Web3 security has been reactive for too long. Teams wait for incidents, scramble to identify root causes, and pray their protocol survives the exploit. But what if you could identify critical vulnerabilities before they become zero-day exploits?

This article draws insights from our recent AMA, where Veridise CEO Jon Stephens, CTO Kostas Ferles, and VP of Product Nikos Chondros revealed how AuditHub transforms Web3 security from reactive incident response to proactive vulnerability prevention.

The paradigm shift: continuous security

Traditional audits create a dangerous illusion. You send code for review, wait weeks for a PDF, fix issues, and deploy. But what happens with your next commit? “Your commits as you develop require as much attention as onchain transactions,” Kostas explained. “AuditHub lets you set automated checks that run whenever you choose.”

Teams using AuditHub catch critical bugs during development, when fixes take minutes instead of days. They deploy with mathematical certainty about specific vulnerability classes.

Detecting unknown vulnerabilities through behavior

How can you find vulnerabilities you don’t know exist? The answer lies in describing intended behavior rather than cataloging known bugs.

“The customizations aren’t tailored to bugs,” Kostas clarified. “They’re tailored to describing intended behavior. You have a vault and want to ensure nobody can steal funds. There are mechanisms to describe that.” Once specified, the Orca fuzzer generates millions of test cases checking whether security properties hold.

This approach catches zero-day exploits because it tests behavior, not bug signatures. When RISC Zero integrated Picus into their zkVM workflow, they achieved continuous verification catching underconstrained bugs the moment they’re introduced.
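The idea of checking a stated property instead of a bug signature, as an added illustration that is not AuditHub, Orca or V code: a toy Python vault model (constructed here, with a deliberately planted accounting bug) is driven by random call sequences that vary both inputs and call order, and one property is checked after every call. All names (`Vault`, `solvent`, `fuzz`) are assumptions made for this example.

```python
import random

class Vault:
    """Toy vault model, constructed for this example."""
    def __init__(self, fixed):
        self.fixed = fixed   # True = patched transfer()
        self.bal = {}        # per-user claims
        self.assets = 0      # tokens the vault actually holds

    def deposit(self, who, amt):
        self.bal[who] = self.bal.get(who, 0) + amt
        self.assets += amt

    def withdraw(self, who, amt):
        if self.bal.get(who, 0) >= amt:
            self.bal[who] -= amt
            self.assets -= amt

    def transfer(self, src, dst, amt):
        if self.bal.get(src, 0) < amt or (self.fixed and src == dst):
            return
        src_new = self.bal[src] - amt
        dst_new = self.bal.get(dst, 0) + amt
        self.bal[src] = src_new
        self.bal[dst] = dst_new  # planted bug: if src == dst the debit is overwritten

def solvent(v):
    """Intended behavior: total user claims never exceed assets held."""
    return sum(v.bal.values()) <= v.assets

def fuzz(fixed, seed=0, runs=200, steps=30):
    """Return the first call sequence that breaks the property, else None."""
    rng = random.Random(seed)
    users = ["alice", "bob", "carol"]
    for _ in range(runs):
        v, trace = Vault(fixed), []
        for _ in range(steps):
            op = rng.choice(["deposit", "withdraw", "transfer"])
            args = [rng.choice(users)]
            if op == "transfer":
                args.append(rng.choice(users))
            args.append(rng.randint(1, 100))
            getattr(v, op)(*args)
            trace.append((op, *args))
            if not solvent(v):
                return trace
    return None

if __name__ == "__main__":
    print("buggy:", fuzz(fixed=False), "| fixed:", fuzz(fixed=True))
```

The property says nothing about self-transfers, yet the failing trace ends in one, which is the point of specifying behavior. Unlike a formal proof, a clean run here only means no counterexample was found within the sampled sequences.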

Cross-protocol complexity and CI/CD integration

AuditHub handles complex interactions by analyzing multiple protocols together or reasoning conservatively about external dependencies. When control flow exits your contracts, AuditHub assumes worst-case external behavior and tests whether your protocol maintains security properties.

Command-line tools push code to AuditHub, run security checks, and raise alerts immediately through existing pipelines. Quick static analysis runs on every push in seconds. Fuzzing campaigns launch before PR merges.

Runtime performance exceeds expectations. Picus analyzes a Keccak circuit in 1 to 2 minutes. Vanguard completes in seconds to minutes. The tools have been battle-tested on production systems from custom protocols to complete zkVMs.

Formal methods versus probabilistic tools

“Our tools come with security guarantees,” Kostas emphasized. “If the tool says there’s no bug, your codebase doesn’t exhibit that bug. AI tools cannot have such guarantees because they’re inherently probabilistic.”

Finding bugs is not the same as proving security. When Vanguard runs a detector and raises nothing, that bug class is absent. When Picus verifies determinism, non-determinism issues don’t exist. This certainty becomes essential when launching protocols managing millions in TVL.

Temporal properties with Orca

Traditional fuzzers require extensive test harness code. Orca takes a declarative approach. “You don’t introduce fuzzer-specific logic,” Kostas noted. “All Orca needs is a deployment script and specifications using our V language.”

Orca inherently supports how blockchain systems actually work. Describe temporal properties and the fuzzer explores state space intelligently, varying both inputs and interaction patterns.

Conclusion

Continuous security through formal methods catches zero-day exploits during development, proves absence of vulnerability classes, and maintains security guarantees as codebases evolve. The methodology works. The only question is whether teams will adopt proactive security before the next major exploit forces their hand.

About author

Bertrand Blancheton

Head of Product Marketing
