Full Report
This blog post delves into the results of an autonomous Solidity auditor called "V12". It has a UI and is easy to interact with via a website. According to them, it performs at or exceeds the level of junior auditors at some firms. It can find many basic programming mistakes, some of which were missed by various companies. It will integrate with C4, Zellic/Zenith audits, a standalone application and a GitHub Action. The mission is sane: security is a continuous battle, not a commit hash in time, and products/services should reflect this. Naturally, this doesn't replace an auditing company, but it can help the service team in the long term by finding even simple issues, like access control vulnerabilities, and improving security as a whole.

I appreciate that they include an Evaluation section for bugs they have found. They show several vulnerabilities from previous hacks, such as the 1Inch bug, the MonoX hack and a couple of others. The 1Inch bug is slightly deceptive: it was more so caused by a scoping issue and had actually been found by auditors. The tool has competed in several live Cantina/HackenProof auditing contests. I find these most impressive, since there was no "taint" potential on the model; these are unique vulnerabilities that others found in a contest. They also list several historical contests, which could potentially be tainted in the data set. For proper evaluation, the training and test sets must be completely distinct. On the other contests they list, they claim V12 found enough bugs that it would have placed well in the competition; 2 out of 2 highs and 4 out of 6 issues are highlights from this section. I'm slightly skeptical about this: was there some tainting of the training data set vs. the testing data set? If so, how come it didn't perform as well on the live contests they posted? They also use this on their live audits. Many of the bugs are fairly simple, such as access control issues, reentrancy and bad error handling.

They even acknowledge this themselves, which is an interesting analysis. All of these are great things that would work well in a CI setting and as an assistant to a security researcher. As LLMs get better, I think the vulnerabilities will become harder and harder to find but also more valuable. Their perspective on who should use the tool is wise. V12 can enhance the capabilities of a great researcher but should only be used at the end. It's more of an additional layer of assurance and a source of inspiration than anything else. To inexperienced researchers, it's mostly a crutch. I'm curious to see how this plays out.
Analysis Summary
# Tool/Technique: V12
## Overview
V12 is an **autonomous Solidity auditor** that utilizes a combination of **AI and LLMs with traditional static analysis techniques** to find critical bugs in smart contracts. It is designed to integrate into continuous security workflows, offering an easy-to-use UI via a website, a standalone application, and integrations with CI/CD tools (like a GitHub Action). Its goal is to provide ongoing assurance, particularly for teams needing quick or incremental security reviews, positioning itself as an assistant to researchers or an enhanced layer of assurance, rather than a replacement for high-quality human audits.
## Technical Details
- Type: Tool (Security Auditing Software)
- Platform: Primarily targets **Solidity** smart contracts today; future support planned for other languages like **Rust on Solana (L1s)**.
- Capabilities: Automated bug finding, detailed report generation (Markdown, JSON, PDF), UI for review, and integration into existing security pipelines.
- First Seen: The associated article was published on **September 25, 2025** (based on the article date).
## MITRE ATT&CK Mapping
As V12 is a defensive/auditing tool used to *identify* vulnerabilities and not an offensive tool, direct offensive ATT&CK mappings are not applicable. However, the *vulnerabilities it is designed to find* map to the following high-level categories:
- **TA0001 - Initial Access** (If the identified vulnerability leads to unauthorized entry)
- **TA0004 - Privilege Escalation** (If the identified vulnerability allows unauthorized elevation of rights)
- **TA0005 - Defense Evasion** (If the vulnerability bypasses security controls)
- **ATT&CK for Cloud** perspective on Application Software:
  - **T1462 - Exploitation for Privilege Escalation** (Relevant if access control is the issue exploited)
  - **T1470 - Injection** (Relevant if reentrancy or improper input handling leads to control flow manipulation)
*Note: Specific technique mapping is limited as V12 targets source code flaws, not post-exploitation behaviors.*
## Functionality
### Core Capabilities
- **Automated Vulnerability Scanning:** Performs static analysis and LLM-assisted evaluation on Solidity code.
- **Bug Classification:** Finds basic programming mistakes including access control vulnerabilities, reentrancy issues, and bad error handling.
- **Performance Benchmarks:** Claims to perform at or exceed the level of junior auditors and has competed in live auditing contests (Cantina/HackenProof).
- **Integration Support:** Designed for integration via web UI, standalone app, and GitHub Action for CI/CD environments.
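The three bug classes listed above (access control, reentrancy, bad error handling) are exactly the kind of defects an automated scanner is expected to flag on every pull request. The following is an added, constructed example and not V12's or Zellic's code: a deliberately flawed vault contract carrying all three defects, followed by the hardened version a reviewer would expect the finding to be remediated to. Contract and function names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example (not V12's or Zellic's code). VulnerableVault carries the
// three bug classes named on the page; HardenedVault shows the remediation.

contract VulnerableVault {
    mapping(address => uint256) public balances;
    address public owner;

    constructor() { owner = msg.sender; }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Access control: anyone can reassign ownership; msg.sender is never checked.
    function setOwner(address newOwner) external {
        owner = newOwner;
    }

    // Reentrancy: the external call happens before the balance is zeroed, so a
    // receiver contract can re-enter withdraw() while still credited.
    // Bad error handling: the bool returned by call is ignored, so a failed
    // transfer is silently treated as success.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        msg.sender.call{value: amount}("");
        balances[msg.sender] = 0;
    }

    // Access control: drains the contract; meant for the owner but unrestricted.
    function sweep() external {
        payable(msg.sender).transfer(address(this).balance);
    }
}

contract HardenedVault {
    mapping(address => uint256) public balances;
    address public owner;
    bool private locked;

    error NotOwner();
    error Reentrant();
    error TransferFailed();
    error ZeroAddress();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Simple mutex: a nested call into any nonReentrant function reverts.
    modifier nonReentrant() {
        if (locked) revert Reentrant();
        locked = true;
        _;
        locked = false;
    }

    constructor() { owner = msg.sender; }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function setOwner(address newOwner) external onlyOwner {
        if (newOwner == address(0)) revert ZeroAddress();
        owner = newOwner;
    }

    // Checks-effects-interactions: state is updated before the external call,
    // the guard blocks re-entry, and the call result is checked and reverted on.
    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        if (!ok) revert TransferFailed();
    }

    function sweep(address payable to) external onlyOwner nonReentrant {
        (bool ok, ) = to.call{value: address(this).balance}("");
        if (!ok) revert TransferFailed();
    }
}
```

The vulnerable contract compiles with only a compiler warning about the unused return value of `call`, which is part of the point: a scanner running in CI is what turns that silent defect into a tracked finding, whereas the hardened version makes every failure path an explicit revert.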
### Advanced Features
- **Workflow Integration:** Features a UI workflow similar to Linear or GitHub Issues for reviewing findings.
- **Historical Bug Reproduction:** Demonstrates capability by finding issues present in past high-profile hacks, such as the **1Inch bug** (though noted as a scoping issue found by previous auditors) and the **MonoX hack**.
- **Continuous Security:** Focuses on providing security checks for every pull request rather than just point-in-time audits.
## Indicators of Compromise
*Finding specific IOCs for a defensive auditing tool is not relevant. The following section relates to the vulnerabilities V12 helps find, which may result in offensive IOCs if successfully exploited.*
- File Hashes: N/A (Tool, not malware)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A (Tool execution exhibits normal file scanning/analysis behavior)
## Associated Threat Actors
V12 is a **defensive, security auditing tool** developed by Zellic. Thus, it is not associated with threat actors engaging in malicious activity. Its use is intended to *prevent* exploitation by malicious actors.
## Detection Methods
Detection methods relate to monitoring the *use* of the tool or detecting the *vulnerabilities* it reports on:
- **Signature-based detection:** N/A for tool usage unless specific executables are known.
- **Behavioral detection:** Monitoring CI/CD pipelines or developer environments for execution of external, non-standard security scanners or LLM-backed code analysis tools that interact with source repositories.
- **YARA rules:** Applicable if V12 generates specific output files or executables associated with its deployment environments, but not for the tool itself based on the context provided.
## Mitigation Strategies
Mitigation strategies focus on *responsible usage* of the tool and *remediation* of identified issues:
- **Continuous Review:** Implement V12 or similar tools in the CI pipeline as an early assurance layer.
- **Human Oversight:** Do not rely solely on V12; ensure high-quality, professional audits are conducted by trusted firms, especially before major deployments.
- **Vulnerability Remediation:** Address identified flaws—especially basic ones like access control and reentrancy—immediately using findings from V12 as prioritized tickets.
- **Data Integrity:** Be mindful of potential "tainting" of training data sets when evaluating contest performance; ensure development/testing sets remain unique.
## Related Tools/Techniques
- **Traditional Static Analysis Security Testing (SAST) Tools:** Existing software vulnerability scanners.
- **LLMs for Code Analysis:** Other large language models adapted for security tasks.
- **Manual Smart Contract Audits:** The gold standard that V12 aims to augment.
- **Dynamic Analysis Security Testing (DAST) Tools:** Complementary testing methods.