chrispyroberts
51 posts

chrispyroberts
@chrispyprojects
Building AI Bug Hunters @ Cantina, Computational Physics @ CMU



🚨Ethereum Developers: you can now install your first AI Auditor in 1 minute - fully autonomous, available 24/7, with multiple sub-agent helpers. Open Source. FREE to use (with your AI model) and already finding vulnerabilities in smart contracts. Link below🫡








I think it’s very hard to defend that Web3/Blockchain Security Audits are not solved by Autonomous AI Bug Hunters like Cantina’s Apex. Not only are we #1 on the HackerOne US business leaderboard, but we also (a very small team) used Apex to farm nearly $1M in bounties in the span of a few months, abusing the free money machine while competition was scarce. We took every scan we’ve ever run (1500+) and looked carefully at the data and found some interesting trends we think are worth sharing with everyone. 1. # of valid bugs scales log-linearly with compute across 3 orders of magnitude. Double the compute and you get ~40% more findings on the median scan. 2. Scans saturate. There is a finite number of bugs in a codebase, and we can consistently predict once we’ve hit the ceiling of Apex’s capability to find more bugs in a codebase. 3. The indeterministic properties of AI bug hunters goes away as you scale compute. Apex more reliably converges on the same set of findings as you spend more compute. 4. The data supports that audits that would normally cost more than half a million dollars and take months, can be completed in a few days for a few thousand bucks, end-to-end by AI products. Solving the coverage problem took engineering an efficiently scaling harness. We are able to hit superhuman capabilities in our benchmarks for entirely automated security audits and the economics of it are ridiculous. For 1/100th, or in some case 1/1000th the cost, you get the same/better performance than a set of expert researchers. Moving forward, we are seeing a new trend that is potentially scary. As more security researchers integrate AI more deeply into their workflow, at what point does hiring a researcher just mean you’re hiring their custom built harness? We’ve run scans side by side with recent audits comparing results after, and often see that the researcher findings are a subset of Apex findings. It’s very difficult now to measure the set of out-of-distributions bugs because of AI. Maybe manual hunting can make a comeback if your particular style is difficult to replace by AI. Check out the full blog here: cantina.security/blog/ai-vs-hum…









OpenAI have secretly adjusted our limits. Last week before limit reset. I was using Xhigh all day. 5 day straight i couldn’t get my usage below 55% weekly usage. Since Yesterday, I’ve done 40% of my quota, out of nowhere. So whats going on ? @thsottiaux @sama @OpenAIDevs










