azizn9670/solmiko-audit

GitHub: azizn9670/solmiko-audit

Stars: 0 | Forks: 0

# SolMiKo Audit

**AI-powered smart contract security auditor built on MiMo models.**

SolMiKo Audit uses multi-step reasoning with MiMo-V2.5-Pro to detect vulnerabilities in Solidity smart contracts. Unlike pattern-matching tools (Slither, Mythril), SolMiKo performs deep semantic analysis — understanding contract intent, tracing execution paths, and identifying complex attack vectors that static analyzers miss.

## Why SolMiKo?

| Feature | Slither/Mythril | SolMiKo Audit |
|---|---|---|
| Pattern matching | ✅ | ✅ |
| Semantic understanding | ❌ | ✅ (MiMo reasoning) |
| Multi-contract analysis | Limited | ✅ Cross-contract tracing |
| Novel attack vectors | ❌ | ✅ (0-day detection) |
| Plain-English reports | ❌ | ✅ |
| Gas optimization | Basic | ✅ AI-suggested refactors |

## Architecture

```
┌─────────────────────────────────────────────────────────┐
│                      Orchestrator                       │
│                (async pipeline manager)                 │
├─────────┬──────────┬──────────┬──────────┬──────────────┤
│ Parser  │ Static   │ Semantic │ Economic │ Report       │
│ Agent   │ Analyzer │ Analyzer │ Analyzer │ Generator    │
│ (MiMo)  │ (Slither │ (MiMo    │ (MiMo    │ (MiMo        │
│         │ rules)   │ V2.5)    │ V2.5)    │ V2.5-Pro)    │
└─────────┴──────────┴──────────┴──────────┴──────────────┘
     │          │          │          │            │
     └──────────┴──────────┴──────────┴────────────┘
                           │
                    ┌──────┴──────┐
                    │   FastAPI   │
                    │  REST API   │
                    └─────────────┘
```

### Agents

1. **Parser Agent** (MiMo-V2.5) — Parses Solidity source, extracts AST, identifies contract structure, inheritance, state variables, modifiers, and function signatures.
2. **Static Analyzer** — Rule-based checks (reentrancy patterns, unchecked calls, tx.origin usage, floating pragma, unsafe math). Feeds findings to the semantic analyzer for context.
3. **Semantic Analyzer** (MiMo-V2.5-Pro) — Deep reasoning about contract logic. Understands intent vs. implementation. Detects:
   - Reentrancy (cross-function, cross-contract)
   - Access control flaws (missing modifiers, wrong visibility)
   - Integer overflow/underflow (pre-0.8.0)
   - Flash loan attack vectors
   - Oracle manipulation possibilities
   - Front-running vulnerabilities
   - Logic bugs (wrong comparison, off-by-one, state confusion)
4. **Economic Analyzer** (MiMo-V2.5-Pro) — Token economics analysis:
   - Unbounded minting risk
   - Fee manipulation vectors
   - LP drain scenarios
   - Governance attack surfaces
   - MEV extraction opportunities
5. **Report Generator** (MiMo-V2.5-Pro) — Combines all findings into a structured report with severity ratings (Critical/High/Medium/Low/Informational), proof-of-concept attack scenarios, and recommended fixes.

### Token Usage

- Small contract (~200 lines): ~150K tokens per audit
- Medium contract (~500 lines): ~400K tokens per audit
- Complex DeFi protocol (~2000 lines): ~1.5M tokens per audit
- At 100 audits/day: ~60M tokens/day → needs MiMo Max plan

## Quick Start

```bash
# Install
pip install -r requirements.txt

# Audit a contract file
python -m solmiko audit contracts/Token.sol

# Audit a verified contract on Etherscan
python -m solmiko audit --etherscan 0x1234...abcd --chain ethereum

# Audit with specific severity filter
python -m solmiko audit contracts/Vault.sol --min-severity high

# Start API server
uvicorn api.main:app --host 0.0.0.0 --port 8000
```

## API Usage

```bash
# Audit via API
curl -X POST http://localhost:8000/api/v1/audit \
  -H "Content-Type: application/json" \
  -d '{"source": "pragma solidity ^0.8.0;\ncontract Token { ... }"}'

# Response
{
  "audit_id": "aud_20260521_001",
  "contract": "Token",
  "findings": [
    {
      "id": "SMK-001",
      "severity": "critical",
      "title": "Reentrancy in withdraw()",
      "description": "External call to msg.sender before state update...",
      "location": {"file": "Token.sol", "line": 45},
      "proof_of_concept": "Attack contract calls withdraw() in receive()...",
      "recommendation": "Use ReentrancyGuard or checks-effects-interactions pattern",
      "confidence": 0.95
    }
  ],
  "gas_optimizations": [...],
  "overall_risk": "high",
  "token_usage": {"input": 45000, "output": 12000}
}
```

## Supported Chains

- Ethereum (mainnet, Goerli, Sepolia)
- BNB Smart Chain
- Polygon
- Arbitrum
- Optimism
- Base
- Any EVM-compatible chain (via custom RPC)

## Tech Stack

- **Python 3.11+** with async/await
- **MiMo-V2.5 / MiMo-V2.5-Pro** for AI reasoning (via 9router)
- **FastAPI** for REST API
- **web3.py** for on-chain contract fetching
- **Slither** integration for static analysis baseline
- **Solidity parser** (solc-select) for AST extraction

## License

MIT
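The Static Analyzer's rule-based checks listed under Agents (floating pragma, tx.origin usage, an external call before a state update as the reentrancy pattern) together with the `--min-severity` threshold from Quick Start, as an added Python example; this is not SolMiKo's own code, and the rule names, severities, regexes and the sample contract are all constructed for illustration.

```python
import re
from collections import namedtuple
# Severity scale from the README's report format; its order drives --min-severity filtering.
SEVERITY_ORDER = ["informational", "low", "medium", "high", "critical"]
Finding = namedtuple("Finding", "rule severity line message")

# Constructed sample (not a real contract): it trips all three rules on purpose.
SAMPLE_SOURCE = """\
pragma solidity ^0.8.0;
contract Vault {
    mapping(address => uint256) public balances;
    function withdraw(uint256 amount) external {
        require(tx.origin == msg.sender, "no contracts");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok);
        balances[msg.sender] -= amount;
    }
}
"""

def check_floating_pragma(lines):
    # "^" or ">=" lets a future compiler build the contract; the pragma should be pinned.
    return [Finding("floating-pragma", "low", i, "pragma not pinned to one compiler version")
            for i, l in enumerate(lines, 1) if re.match(r"\s*pragma\s+solidity\s*[\^>]", l)]

def check_tx_origin(lines):
    # tx.origin checks are bypassed when a user is lured into calling through a relaying contract.
    return [Finding("tx-origin", "medium", i, "tx.origin used for authorization; use msg.sender")
            for i, l in enumerate(lines, 1) if "tx.origin" in l]

def check_call_before_state_update(lines):
    # Heuristic: external .call followed in the same function by a mapping/array write (CEI violation).
    findings, call_line = [], None
    for i, l in enumerate(lines, 1):
        if re.search(r"\bfunction\b", l):
            call_line = None  # new function body: forget any earlier call
        if ".call{value" in l or ".call(" in l:
            call_line = i
        elif call_line and re.search(r"\w+\[[^\]]+\]\s*[-+]?=(?!=)", l):
            findings.append(Finding("reentrancy", "critical", call_line,
                                    f"external call precedes state write on line {i}"))
            call_line = None
    return findings

def run_static_checks(source, min_severity="informational"):
    # Run every rule, drop findings below the threshold (like --min-severity), report in source order.
    lines = source.splitlines()
    findings = check_floating_pragma(lines) + check_tx_origin(lines) + check_call_before_state_update(lines)
    threshold = SEVERITY_ORDER.index(min_severity)
    return sorted((f for f in findings if SEVERITY_ORDER.index(f.severity) >= threshold), key=lambda f: f.line)
```

Moving the `balances[msg.sender] -= amount;` line above the external call clears the reentrancy finding, which is the checks-effects-interactions fix the report's recommendation field refers to.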