Introduction
Bitslab has developed a cutting-edge AI audit agent, BitsLabAI Scanner, specifically designed to analyze and protect Web3 applications. We recently tested this technology in the SuiDex public audit competition, achieving outstanding results. BitslabAI Scanner, utilizing its AI-driven scanner, outperformed most auditors in the competition and helped our team secure second place.
Background
The Web3 ecosystem is expanding at an astonishing pace, and smart contracts are becoming increasingly complex. While this innovation is exciting, it also brings significant security risks, especially in emerging ecosystems like Sui. Auditing smart contracts written in Move is a daunting task: compared with the EVM world, the Move ecosystem lacks both historical vulnerability data and mature tooling.
To address this critical security gap, Bitslab developed a cutting-edge AI agent, BitsLabAI Scanner, specifically for analyzing and protecting Web3 applications. We recently tested this technology in the SuiDex public audit competition, achieving outstanding results. BitslabAI Scanner leveraged its AI-powered scanner to outperform most auditors in the competition and helped our team secure second place. This demonstrates the powerful capability of BitsLabAI Scanner to discover critical security vulnerabilities that might otherwise be overlooked without AI assistance.
Why We Built a Security-First BitsLabAI Scanner
The world of on-chain security is undergoing a radical transformation driven by foundational AI. Although general-purpose large language models (LLMs) now possess the ability to perform preliminary analysis of smart contract code, they often lack the specialization and adversarial thinking required for rigorous security audits. These models are excellent assistants, but they are not auditors.
To bridge this crucial gap, we built BitslabAI Scanner, a security-first, multi-layered architecture. It is not a single, monolithic model, but an integrated system in which multiple specialized AI components work in concert. Each component is tailored to a specific challenge in smart contract security:
● Semantic Code Analysis: Understanding the intent and logic of the code, not just at the syntax level, but grasping the business purpose of the contract.
● Vulnerability Detection: Trained on large datasets of known vulnerabilities and anti-patterns, covering everything from reentrancy attacks to complex economic manipulation vectors.
● Attack Simulation: An advanced component attempts to autonomously generate and validate potential attack paths to confirm whether theoretical vulnerabilities can actually be exploited.
This integrated approach enables AI to discover complex logical flaws and hidden attack vectors that both general AI and manual audits can easily miss. By combining the speed and scale of AI with the precision of security experts, our framework achieves deeper and more comprehensive analysis, proactively safeguarding the next generation of Web3 applications.
From Concept to Practice: The True Power of BitslabAI Scanner
The strength of BitslabAI Scanner lies in its ability to break through the limitations of traditional static analysis. It does not simply check whether the code contains a list of known vulnerabilities, but simulates the thought process of a top security researcher. It analyzes not only what the code actually does, but also what the code could be forced to do. This includes understanding economic incentives, potential edge cases, and new attack methods that require adversarial thinking to uncover.
This deep, context-aware approach was the cornerstone of our success in the SuiDex audit. The AI did not just provide a list of potential issues, but output a set of prioritized actionable insights that directly guided audit experts to the most critical vulnerabilities. The following are the core capabilities supporting this analysis, illustrated with specific SuiDex cases:
● Automated Vulnerability Detection: Scans for both common and uncommon vulnerabilities in contracts, including reentrancy, integer overflow, access control issues, and precision errors.
● Contextual Understanding: Analyzes interactions between different modules within the contract and external calls, identifying logical flaws that may arise under complex dependencies.
● Precision and Accuracy: Minimizes false positives while ensuring high accuracy in identifying real risks.
● Scalability: Efficiently audits large and complex codebases, suitable for all types of blockchain projects.
Facing Challenges: Key Findings Surpassing Auditors in the SuiDex Audit Competition
In the AI-driven analysis of the SuiDex protocol, we achieved remarkable results, discovering multiple vulnerabilities that could threaten the platform's integrity and user funds. Ultimately, we identified 7 critical vulnerabilities and 3 high-risk vulnerabilities, demonstrating the depth of our analysis.
While the full list remains confidential, the following representative cases are sufficient to illustrate the AI's capabilities:
1. Key Finding: Incompatible Mathematical Systems in Core Arithmetic (SUIDEXCA-122)
● Issue: The protocol's fixed-point math library simultaneously used two incompatible mathematical systems. The logic layer performed calculations using binary decomposition (powers of 2), but the protocol's precision standard was based on decimal (powers of 10). Performing binary operations within a decimal framework is like mixing meters and feet in the same formula without conversion.
● Impact: All non-trivial multiplication and division operations inevitably produce unpredictable and incorrect results. This is a ticking time bomb that could completely undermine the reliability of the entire AMM, leading to significant financial discrepancies and loss of user trust.
This finding demonstrates the AI's ability to detect deep mathematical flaws, not just surface-level code vulnerabilities.
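The scale mismatch described above can be reproduced in a few lines. The following is an added example written for this post, not code from SuiDex or from the scanner: it assumes a Q32 binary fixed-point representation (values stored as x * 2^32) and a decimal precision constant of 10^9, and contrasts a multiply that divides by the decimal constant with one that rescales by the binary base. The `preserves_one` helper is the kind of property check an auditor can run against any fixed-point library: multiplying by the library's own representation of 1 must be the identity.

```rust
// Added example (not SuiDex code). Assumed scales: Q32 binary fixed point
// and a 10^9 decimal precision standard.

/// Binary fixed-point scale: a value v is stored as v * 2^32 (assumed).
const Q32: u128 = 1u128 << 32;
/// Decimal precision constant as a protocol-level standard might define it (assumed).
const DECIMAL_SCALE: u128 = 1_000_000_000;

/// Encode a plain integer into Q32 fixed point.
pub fn to_q32(x: u64) -> u64 {
    (x as u128 * Q32) as u64
}

/// Decode a Q32 value back to an integer (floor).
pub fn from_q32(x: u64) -> u64 {
    (x as u128 / Q32) as u64
}

/// Flawed: operands are Q32 (binary scale) but the rescaling divisor is the
/// decimal constant. The result carries neither scale correctly.
pub fn mul_mixed(a: u64, b: u64) -> u64 {
    ((a as u128 * b as u128) / DECIMAL_SCALE) as u64
}

/// Correct: operands and divisor use the same base, so the product is Q32 again.
pub fn mul_q32(a: u64, b: u64) -> u64 {
    ((a as u128 * b as u128) / Q32) as u64
}

/// Audit property for any fixed-point multiply: x * ONE must equal x.
/// `one` is the library's own encoding of 1 under its claimed scale.
pub fn preserves_one(mul: fn(u64, u64) -> u64, one: u64, x: u64) -> bool {
    mul(x, one) == x
}

fn main() {
    let a = to_q32(3);
    let b = to_q32(4);
    println!("3 * 4 with consistent scale = {}", from_q32(mul_q32(a, b)));
    println!("3 * 4 with mixed scales     = {}", from_q32(mul_mixed(a, b)));
    println!(
        "identity holds: consistent={} mixed={}",
        preserves_one(mul_q32, to_q32(1), to_q32(7)),
        preserves_one(mul_mixed, to_q32(1), to_q32(7))
    );
}
```

With these scales the mixed version returns 51 for 3 * 4, and the identity check fails, which is exactly the kind of invariant a scanner or a unit test can evaluate without needing to know the library's intended semantics in advance.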
2. Key Finding: Incorrect Swap Logic Flag
● Issue: The critical function responsible for executing Token A → Token B swaps called an internal library to calculate the required input amount, but mistakenly passed in a hardcoded parameter, causing the library to believe it was executing the swap in the opposite direction (Token B → Token A).
● Impact: This minor error would cause the protocol to miscalculate the input amount for each transaction, resulting in unfair trading prices or outright transaction failures, severely undermining the core functionality of the DEX.
This finding showcases the AI's cross-function contextual analysis capability. It did not analyze a single function in isolation, but traced the complete execution path to identify critical logical contradictions.
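To make the direction-flag mistake concrete, here is an added example written for this post, not SuiDex's code: a constant-product pool with a `get_amount_in` library function that takes an `a_to_b` flag, an entry point that hardcodes the flag to the wrong direction, its corrected form, and a reviewer's oracle (`price_is_consistent`) that checks the quoted input against the pool invariant. Reserve sizes, the absence of fees, and the rounding rule are all assumptions made for the example.

```rust
// Added example (not SuiDex code). Assumed: x*y=k pool, no fee, input rounded up.

pub struct Pool {
    pub reserve_a: u64,
    pub reserve_b: u64,
}

/// Library function: input required to receive `amount_out`.
/// `a_to_b` selects which reserve is the input side and which the output side.
pub fn get_amount_in(pool: &Pool, amount_out: u64, a_to_b: bool) -> Option<u64> {
    let (reserve_in, reserve_out) = if a_to_b {
        (pool.reserve_a as u128, pool.reserve_b as u128)
    } else {
        (pool.reserve_b as u128, pool.reserve_a as u128)
    };
    let out = amount_out as u128;
    if out >= reserve_out {
        return None; // cannot drain the output reserve
    }
    // amount_in = reserve_in * out / (reserve_out - out), rounded up
    let num = reserve_in * out;
    let den = reserve_out - out;
    Some(((num + den - 1) / den) as u64)
}

/// Flawed entry point: named A -> B, but the flag passed is the opposite direction.
pub fn swap_a_for_b_flawed(pool: &Pool, amount_out_b: u64) -> Option<u64> {
    get_amount_in(pool, amount_out_b, false)
}

/// Corrected entry point: the flag matches the direction the function promises.
pub fn swap_a_for_b(pool: &Pool, amount_out_b: u64) -> Option<u64> {
    get_amount_in(pool, amount_out_b, true)
}

/// Reviewer's oracle for an A -> B swap: the product must be preserved, up to
/// the rounding of at most one unit of input (no fee in this model). Both an
/// undercharge (pool drained) and an overcharge (user cheated) fail this check.
pub fn price_is_consistent(pool: &Pool, amount_in_a: u64, amount_out_b: u64) -> bool {
    if amount_out_b >= pool.reserve_b {
        return false;
    }
    let k = pool.reserve_a as u128 * pool.reserve_b as u128;
    let new_a = pool.reserve_a as u128 + amount_in_a as u128;
    let new_b = pool.reserve_b as u128 - amount_out_b as u128;
    let k_after = new_a * new_b;
    k_after >= k && k_after - k <= new_b
}

fn main() {
    // Constructed pool: 1 A is worth 4 B, so a flipped direction is obvious.
    let pool = Pool { reserve_a: 1_000_000, reserve_b: 4_000_000 };
    let want_b = 400_000;
    let good = swap_a_for_b(&pool, want_b).unwrap();
    let bad = swap_a_for_b_flawed(&pool, want_b).unwrap();
    println!("correct input: {} A, consistent={}", good, price_is_consistent(&pool, good, want_b));
    println!("flawed input:  {} A, consistent={}", bad, price_is_consistent(&pool, bad, want_b));
}
```

With the asymmetric reserves above the flawed entry point quotes roughly 24 times the correct input, and the invariant oracle rejects it; a symmetric pool would hide the bug, which is why test fixtures for swap math should never use equal reserves.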
3. High-Risk Finding: Infinite Token Minting Vulnerability (SUIDEXCA-30)
● Issue: The time calculation logic for reward tokens contained a subtle error, failing to properly enforce the issuance cap according to the preset 3-year schedule.
● Impact: The protocol would mint new tokens indefinitely, far exceeding the established timeline. This would completely destroy the project's tokenomics, trigger inflation, devastate token value, and violate commitments to the community.
This case demonstrates the AI's ability to analyze business logic and its long-term economic consequences, thereby safeguarding the financial integrity of the protocol.
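The emission-cap failure mode can be shown with a linear reward schedule. The following is an added example for this post, not SuiDex's code: it assumes a per-second emission rate and a fixed 3-year schedule (the schedule length is from the finding; the rate, timestamps and year length are constructed), and contrasts a `mintable` calculation that never clamps elapsed time with one that stops at the schedule end. `cap_respected` is the invariant a scanner or test would evaluate: minted plus mintable must never exceed the schedule's maximum supply.

```rust
// Added example (not SuiDex code). Assumed: per-second rate, 365-day years,
// a 3-year schedule starting at `start`, Unix-second timestamps.

const SECONDS_PER_YEAR: u64 = 365 * 24 * 60 * 60; // 31_536_000
const SCHEDULE_SECS: u64 = 3 * SECONDS_PER_YEAR;

pub struct Emission {
    pub start: u64,        // schedule start timestamp
    pub rate_per_sec: u64, // tokens emitted per second (assumed constant)
    pub minted: u64,       // tokens already minted under this schedule
}

/// Maximum supply the schedule may ever emit.
pub fn max_supply(e: &Emission) -> u64 {
    SCHEDULE_SECS.checked_mul(e.rate_per_sec).expect("overflow")
}

/// Flawed: elapsed time grows without bound, so minting continues past year 3.
pub fn mintable_flawed(e: &Emission, now: u64) -> u64 {
    let elapsed = now.saturating_sub(e.start);
    let total = elapsed.checked_mul(e.rate_per_sec).expect("overflow");
    total.saturating_sub(e.minted)
}

/// Corrected: clamp `now` to the schedule end before computing elapsed time.
pub fn mintable(e: &Emission, now: u64) -> u64 {
    let end = e.start + SCHEDULE_SECS;
    let effective_now = now.min(end);
    let elapsed = effective_now.saturating_sub(e.start);
    let total = elapsed.checked_mul(e.rate_per_sec).expect("overflow");
    total.saturating_sub(e.minted)
}

/// Invariant to check any emission function against: minted + mintable <= cap.
pub fn cap_respected(e: &Emission, now: u64, f: fn(&Emission, u64) -> u64) -> bool {
    e.minted.saturating_add(f(e, now)) <= max_supply(e)
}

fn main() {
    // Constructed schedule: starts at t=1000, 10 tokens per second, nothing minted yet.
    let e = Emission { start: 1_000, rate_per_sec: 10, minted: 0 };
    let four_years = e.start + 4 * SECONDS_PER_YEAR;
    println!("cap:              {}", max_supply(&e));
    println!("flawed @ 4 years: {} (cap respected: {})",
        mintable_flawed(&e, four_years), cap_respected(&e, four_years, mintable_flawed));
    println!("fixed  @ 4 years: {} (cap respected: {})",
        mintable(&e, four_years), cap_respected(&e, four_years, mintable));
}
```

Within the schedule both versions agree, which is why this class of bug survives ordinary tests; the difference only appears when a test fixture advances the clock past the schedule end and checks the cap invariant.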
Our detailed report was promptly shared with the SuiDex development team, who confirmed these findings and immediately took steps to address them.
More Than Second Place: The Value and Significance Behind BitslabAI Scanner
BitslabAI Scanner's outstanding performance in the SuiDex audit competition, ultimately winning second place and uncovering numerous critical and high-risk vulnerabilities, proves its advanced capabilities. This achievement not only validates BitslabAI Scanner's effectiveness in smart contract security audits but also further strengthens our commitment to building a decentralized security future.
As the blockchain ecosystem continues to expand, the demand for robust and efficient security solutions will only grow, and BitslabAI Scanner is ready to meet this challenge head-on.