Sep 03, 2025
BitsLabAI Scanner outperformed numerous audit participants in the competition, securing second place
BitsLab has developed a cutting-edge AI auditing agent, the BitsLabAI Scanner, designed specifically to analyze and protect Web3 applications. We recently tested this technology in the SuiDex public audit competition, and the results were outstanding. Powered by its AI-driven scanning capabilities, BitsLabAI Scanner outperformed most audit participants, helping our team secure second place.
Introduction
The Web3 landscape is expanding at a breakneck pace, with smart contracts growing ever more complex. While this innovation is exciting, it also introduces significant security risks, especially in emerging ecosystems like Sui. Auditing smart contracts written in Move is a formidable challenge due to the relative scarcity of historical vulnerability data and mature tooling compared to the EVM world.
To address this critical security gap, BitsLab has developed a cutting-edge AI framework engineered to analyze and secure Web3 applications. We recently put our technology to the test in the public SuiDex Audit Contest, and the results were exceptional. BitsLabAI Scanner played a crucial role in helping our team secure 2nd place, demonstrating its capability to identify critical security flaws that might otherwise go unnoticed.
Why We Built BitsLabAI Scanner With a Security-First Approach
The world of on-chain security is undergoing a radical transformation, driven by advancements in foundational AI. While general-purpose Large Language Models (LLMs) now possess the ability to perform a preliminary analysis of smart contract code, they often lack the specialized, adversarial mindset required for rigorous security auditing. These models are great assistants, but they are not auditors.
Recognizing this critical gap, we engineered BitsLabAI Scanner with a multi-layered, security-first architecture. It is not a single, monolithic model but an integrated system where specialized AI components work in concert. Each component is purpose-built to solve a specific challenge in smart contract security:
Semantic Code Analysis: One layer focuses on understanding the intent and logic of the code, moving beyond simple syntax to grasp the business purpose of the contract.
Vulnerability Detection: Other layers are trained specifically on vast datasets of known exploits and anti-patterns, from reentrancy to complex economic manipulation vectors.
Exploit Simulation: An advanced component attempts to autonomously generate and validate potential exploit paths, confirming whether a theoretical vulnerability is practically achievable.
This integrated approach allows our AI to identify intricate logical flaws and subtle attack vectors that both general-purpose AIs and manual audits can easily miss. By combining the speed and scale of AI with the focused precision of a security expert, our framework provides a deeper, more comprehensive analysis, proactively safeguarding the next generation of Web3 applications.
From Concept to Practice: The True Power of BitsLabAI Scanner
The capability of BitsLabAI Scanner lies in its departure from traditional static analysis. Instead of simply checking code against a predefined list of bugs, our framework is designed to emulate the cognitive process of an elite security researcher. It analyzes code not just for what it does, but for what it could be forced to do. This involves understanding the economic incentives, potential edge cases, and the adversarial mindset required to uncover truly novel exploits that go beyond common patterns.
This deep, context-aware approach was the cornerstone of our success in the SuiDex audit. The AI didn’t just provide a list of potential issues; it delivered a prioritized set of actionable insights that guided our expert auditors directly to the most critical flaws. Below, we break down the core capabilities that powered this analysis, each illustrated with a specific finding from the SuiDex protocol.
Automated Vulnerability Detection: The AI automatically scans smart contracts for common and uncommon vulnerabilities, including reentrancy, integer overflows, access control issues, and precision errors.
Contextual Understanding: It analyzes the interactions between different parts of the smart contract and external calls to identify logical flaws that might arise from complex dependencies.
Precision and Accuracy: Our model minimizes false positives while ensuring high accuracy in identifying genuine security risks.
Scalability: BitsLabAI Scanner can efficiently audit large and complex codebases, making it suitable for a wide range of blockchain projects.
Facing the Challenge: Key Discoveries That Enabled BitsLabAI Scanner to Outperform Humans in the SuiDex Audit Competition
Our AI-driven analysis of the SuiDex protocol was incredibly effective, identifying numerous vulnerabilities that could have jeopardized the platform’s integrity and user funds. In total, our process flagged 7 critical and 3 high-severity issues, demonstrating a profound depth of analysis.
While the complete list remains confidential, we can highlight a few representative findings. These examples demonstrate the AI’s ability to detect a wide range of issues—from deep, architectural flaws in foundational mathematics to subtle yet catastrophic bugs in business logic.
- Critical Finding: Incompatible Mathematical Systems in Core Arithmetic (SUIDEXCA-122)
This was a fundamental architectural flaw discovered by our AI in the protocol’s fixed-point math library.
The Problem: The core arithmetic functions were built on two conflicting mathematical systems. The logic used binary decomposition (splitting numbers by powers of 2) for its calculations, but the protocol’s precision standard was based on a decimal system (a power of 10). Performing binary operations within a decimal-based framework is like mixing meters and feet in the same equation without conversion.
The Impact: This incompatibility guaranteed that all non-trivial multiplication and division operations would produce unpredictable and incorrect results. It was a ticking time bomb that would have compromised the reliability of the entire AMM, resulting in significant financial discrepancies and a loss of user trust.
This finding highlights the AI’s capacity to detect complex mathematical flaws, going far beyond surface-level bug checks to question the very mathematical assumptions a protocol is built on.
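To make the scale mismatch concrete, here is an added example (written for this post in Rust rather than Move; it is not SuiDex or BitsLab code) of a fixed-point multiply that splits its operands at a binary boundary while the protocol encodes values at a decimal scale, beside a version that uses the decimal scale consistently. The SCALE constant and all sample values are constructed for the illustration.

```rust
/// Decimal fixed-point scale assumed for this example: 1.0 is stored as 1_000_000_000.
pub const SCALE: u64 = 1_000_000_000;

/// Buggy multiply (constructed, not the SuiDex library): operands are split at
/// bit 32 and the low*low term is shifted back by 32 bits. That is a valid
/// fixed-point product only when the scale is 2^32; at a 10^9 scale every
/// result is off by the constant factor 10^9 / 2^32 (about 0.233).
pub fn mul_binary_split(a: u64, b: u64) -> u64 {
    let (ah, al) = (a >> 32, a & 0xFFFF_FFFF);
    let (bh, bl) = (b >> 32, b & 0xFFFF_FFFF);
    let hh = ah * bh;            // weight 2^64; after the implicit /2^32 -> weight 2^32
    let hl = ah * bl + al * bh;  // weight 2^32; after /2^32 -> weight 1
    let ll = (al * bl) >> 32;    // weight 1; divided by 2^32 explicitly
    (hh << 32).wrapping_add(hl).wrapping_add(ll)
}

/// Correct multiply: widen to u128 and divide by the same decimal SCALE the
/// values were encoded with. Returns None if the product does not fit in u64.
pub fn mul_decimal(a: u64, b: u64) -> Option<u64> {
    let wide = (a as u128) * (b as u128) / (SCALE as u128);
    if wide > u64::MAX as u128 { None } else { Some(wide as u64) }
}

/// Matching division at SCALE precision, rounding down. None on b == 0 or overflow.
pub fn div_decimal(a: u64, b: u64) -> Option<u64> {
    if b == 0 {
        return None;
    }
    let wide = (a as u128) * (SCALE as u128) / (b as u128);
    if wide > u64::MAX as u128 { None } else { Some(wide as u64) }
}

fn main() {
    // The simplest audit check: 1.0 * 1.0 must round-trip to 1.0 under the protocol's scale.
    let one = SCALE;
    println!("binary-split 1.0 * 1.0 = {}", mul_binary_split(one, one)); // 232830643, not 1e9
    println!("decimal      1.0 * 1.0 = {:?}", mul_decimal(one, one));   // Some(1000000000)
}
```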
- Critical Finding: Incorrect Swap Logic Flag
This vulnerability was a classic logic error with severe consequences, pinpointed by the AI’s contextual analysis.
The Problem: A key function responsible for executing a swap from Token A to Token B was calling an internal library to calculate the required input amount. However, it used a hardcoded parameter that incorrectly instructed the library to perform the opposite swap (Token B to Token A).
The Impact: This seemingly small error would cause the protocol to miscalculate the required input for every trade using this function. This would lead to transactions executing at incorrect and unfair prices or failing altogether, undermining the core functionality of the DEX.
This showcases the AI’s proficiency in cross-functional contextual analysis. It didn’t just analyze the function in isolation; it traced the entire execution path to identify a critical contradiction in the logic.
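The following added example (Rust standing in for Move; not SuiDex code) models the pattern: a constant-product quote function with an explicit direction flag, a caller that executes an A to B swap but hardcodes the opposite direction, the corrected caller, and a price check an auditor would run. The pool reserves and amounts are constructed for the illustration.

```rust
/// Constant-product pool (constructed for the example; reserves in base units).
pub struct Pool {
    pub reserve_a: u128,
    pub reserve_b: u128,
}

/// Input amount needed to receive `amount_out` of the other token (x*y=k, no fee,
/// rounded up in the pool's favour). `a_to_b == true` means the trader pays A and
/// receives B; `false` means the trader pays B and receives A.
pub fn get_amount_in(pool: &Pool, amount_out: u128, a_to_b: bool) -> Option<u128> {
    let (reserve_in, reserve_out) = if a_to_b {
        (pool.reserve_a, pool.reserve_b)
    } else {
        (pool.reserve_b, pool.reserve_a)
    };
    if amount_out == 0 || amount_out >= reserve_out {
        return None; // nothing to quote, or the request would drain the pool
    }
    let numerator = reserve_in.checked_mul(amount_out)?;
    Some(numerator / (reserve_out - amount_out) + 1)
}

/// Buggy caller: executes an A -> B swap but hardcodes the B -> A direction in the quote.
pub fn required_a_buggy(pool: &Pool, amount_b_out: u128) -> Option<u128> {
    get_amount_in(pool, amount_b_out, false)
}

/// Fixed caller: the direction flag matches the swap actually being executed.
pub fn required_a_fixed(pool: &Pool, amount_b_out: u128) -> Option<u128> {
    get_amount_in(pool, amount_b_out, true)
}

/// Effective price of an A -> B trade relative to the spot price, in basis points
/// (10_000 == exactly spot). A quote far above 10_000 on a small trade is the
/// signal a reviewer would look for.
pub fn price_vs_spot_bps(pool: &Pool, amount_a_in: u128, amount_b_out: u128) -> u128 {
    amount_a_in * pool.reserve_b * 10_000 / (amount_b_out * pool.reserve_a)
}

fn main() {
    let pool = Pool { reserve_a: 1_000_000, reserve_b: 4_000_000 }; // 1 A = 4 B at spot
    let want_b = 4_000;
    let fixed = required_a_fixed(&pool, want_b).unwrap();
    let buggy = required_a_buggy(&pool, want_b).unwrap();
    println!("fixed: {} A ({} bps of spot)", fixed, price_vs_spot_bps(&pool, fixed, want_b));
    println!("buggy: {} A ({} bps of spot)", buggy, price_vs_spot_bps(&pool, buggy, want_b));
}
```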
- High-Severity Finding: Infinite Token Emissions Bug (SUIDEXCA-30)
This finding demonstrates the AI’s ability to model the long-term economic consequences of a subtle code flaw.
The Problem: The time-keeping logic that calculated token rewards contained a minor error: it failed to cap emissions at the end of the planned 3-year schedule.
The Impact: This flaw would have caused the protocol to mint new tokens indefinitely beyond its intended timeline. This would disrupt the project’s entire tokenomic model, leading to hyperinflation and undermining the token’s value, as well as violating the commitments made to its community.
This demonstrates the AI’s ability to analyze business logic and its long-term economic implications, safeguarding the financial integrity of the protocol.
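As an added example (Rust in place of Move; not SuiDex code), the block below shows an uncapped reward accrual next to one clamped to the schedule window, and replays a sequence of claims to show that only the clamped version stops at the 3-year cap. The schedule struct, rate and claim times are constructed for the illustration.

```rust
pub const SECONDS_PER_YEAR: u64 = 365 * 24 * 60 * 60;

/// Emission schedule (constructed): `rate_per_sec` tokens per second from `start`
/// for `duration` seconds; `last_update` is the timestamp of the last accrual.
#[derive(Clone, Copy, Debug)]
pub struct Schedule {
    pub start: u64,
    pub duration: u64,
    pub rate_per_sec: u64,
    pub last_update: u64,
}

impl Schedule {
    pub fn end(&self) -> u64 { self.start + self.duration }
    /// Total supply the schedule is allowed to mint over its lifetime.
    pub fn cap(&self) -> u64 { self.duration * self.rate_per_sec }
}

/// Buggy accrual: elapsed time runs from `last_update` to `now` with no upper
/// bound, so every claim after the schedule ends still mints new tokens.
pub fn pending_buggy(s: &Schedule, now: u64) -> u64 {
    now.saturating_sub(s.last_update) * s.rate_per_sec
}

/// Fixed accrual: clamp the interval to [start, end] before multiplying.
pub fn pending_fixed(s: &Schedule, now: u64) -> u64 {
    let from = s.last_update.max(s.start);
    let to = now.min(s.end());
    to.saturating_sub(from) * s.rate_per_sec
}

/// Replay a series of claims and return the total minted, advancing `last_update`
/// after each claim the way a reward contract would.
pub fn total_minted(mut s: Schedule, claim_times: &[u64], pending: fn(&Schedule, u64) -> u64) -> u64 {
    let mut minted = 0u64;
    for &t in claim_times {
        minted += pending(&s, t);
        s.last_update = s.last_update.max(t);
    }
    minted
}

fn main() {
    let y = SECONDS_PER_YEAR;
    let s = Schedule { start: 0, duration: 3 * y, rate_per_sec: 10, last_update: 0 };
    let claims = [2 * y, 4 * y, 5 * y]; // claims at years 2, 4 and 5 of a 3-year schedule
    println!("cap {}  buggy {}  fixed {}", s.cap(),
        total_minted(s, &claims, pending_buggy), total_minted(s, &claims, pending_fixed));
}
```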
Our detailed report was promptly shared with the SuiDex development team, who acknowledged the findings and took immediate action to remediate the issues.
More Than Second Place: The Value and Significance Behind BitsLabAI Scanner
BitsLabAI Scanner’s impressive performance in the SuiDex Audit Contest, securing 2nd place and identifying a significant number of critical and high-severity vulnerabilities, serves as a testament to its advanced capabilities. This achievement not only validates the effectiveness of the BitsLabAI Scanner model in smart contract security auditing but also reinforces our commitment to building a more secure, decentralized future. As the blockchain ecosystem continues to expand, the demand for robust and efficient security solutions will only grow, and the BitsLabAI Scanner model is poised to meet this challenge head-on.