Zing Forum

Bloodhound: A Deep Security Reasoning Engine for Smart Contracts

Bloodhound is a model-agnostic autonomous smart contract security auditing tool. Through state space mapping, anomaly detection chain reasoning, and automated verification, it elevates security auditing from pattern matching to a state reasoning game.

Tags: smart contract security, EVM auditing, LLM security reasoning, DeFi security, Bloodhound, formal verification, vulnerability detection, AI security tools
Published 2026-04-11 12:47 · Recent activity 2026-04-11 13:15 · Estimated read 8 min

Section 01

[Introduction] Bloodhound: A Reasoning-Driven Paradigm Shift in Smart Contract Security Auditing

Bloodhound is a model-agnostic autonomous smart contract security auditing tool. Through state space mapping, anomaly detection chain reasoning, and automated verification, it upgrades security auditing from traditional pattern matching to a state reasoning game. It marks a paradigm shift in the smart contract security field from "rule-driven" to "reasoning-driven", aiming to resolve the core contradiction where attackers only need one vulnerability while defenders have to exhaust all possibilities.

Section 02

Project Background and Design Philosophy

The smart contract security auditing field has long faced a core contradiction: attackers only need to find one vulnerability, while defenders have to exhaust all possibilities. Traditional static analysis tools rely on pattern matching against pre-set rule bases, which makes it difficult to handle complex DeFi protocol logic and new attack vectors. Bloodhound is positioned as a "Mythos-level autonomous security reasoning engine", and its core philosophy redefines auditing as a state reasoning game. Its design stems from three key pain points: explosive protocol complexity (multi-contract, cross-call), evolving attack vectors (from simple reentrancy to flash loan manipulation), and scarce auditing resources (limited time of top researchers). Bloodhound is a model-agnostic reasoning engine that can collaborate with AI agents like Cursor and Windsurf, or be used independently as a CLI tool.

Section 03

Core Architecture: Four-Layer Reasoning Pipeline

Bloodhound adopts a four-stage pipeline architecture:

  1. Shadow (Protocol Mapping): Uses Slither with a regex fallback parser to build a complete state space map (state variable read-write relationships, cross-contract call graphs, permission control points, etc.), and outputs state_map.json plus a visualized protocol diagram, providing the foundation for subsequent reasoning.
  2. Detect (Heuristic Anomaly Detection): Applies domain-specific rules on top of the state map, such as tracking amountSentLD differences in cross-chain protocols, enforcing the no-value-loss principle for ERC4626 vaults, and verifying signature binding for proxy payments, to capture logical vulnerabilities that traditional tools struggle to find.
  3. Chain (Chain Reasoning): Uses an LLM to connect the isolated anomalies from the Detect phase into a complete attack path. It takes an anomaly list as input and outputs a structured vulnerability hypothesis including attack steps, preconditions, and impacts, simulating the attacker's thinking.
  4. Verify (Automated Verification): Automatically generates Foundry invariant test cases, performs fuzz testing to verify the hypotheses, and outputs a vulnerability report with a PoC to ensure the vulnerability is reproducible.
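The Shadow and Detect stages above, reduced to a toy in Python: this is an added example written for this summary, not Bloodhound's own code. It assumes a constructed sample contract and a regex fallback parser of my own, and the detection rule it applies (state that a modifier reads to grant permission must only be written by guarded functions) is an illustration of a "permission control point" heuristic, not one of the project's rules.

```python
import re

# Constructed sample contract for this demo (not from the page or the project).
SAMPLE = """contract Vault {
    address public owner; mapping(address => uint256) public balances; uint256 public totalAssets;
    modifier onlyOwner() { require(msg.sender == owner); _; }
    function deposit() external payable { balances[msg.sender] += msg.value; totalAssets += msg.value; }
    function setOwner(address o) external { owner = o; }
    function sweep(address to) external onlyOwner { totalAssets = 0; payable(to).transfer(address(this).balance); }
    function balanceOf(address a) external view returns (uint256) { return balances[a]; }
}"""

def _block(src, start):
    """Text between the first '{' at or after start and its matching '}'."""
    i, depth = src.index("{", start), 0
    for j in range(i, len(src)):
        depth += {"{": 1, "}": -1}.get(src[j], 0)
        if depth == 0:
            return src[i + 1:j]
    raise ValueError("unbalanced braces")

def build_state_map(src):
    """Shadow-style map (what a state_map.json would hold): state vars, which functions
    read/write them, and which functions carry a modifier. Regex only, so a fallback, not an AST."""
    head = re.split(r"\b(?:function|modifier)\b", src, maxsplit=1)[0]  # declarations before code
    state = re.findall(r"(?:\)|\w)\s+(?:public|private|internal)?\s*(\w+)\s*;", head)
    mods = re.findall(r"modifier\s+(\w+)", src)
    mod_bodies = " ".join(_block(src, m.start()) for m in re.finditer(r"\bmodifier\b", src))
    auth = sorted(v for v in state if re.search(rf"\b{v}\b", mod_bodies))  # state that gates access
    funcs = {}
    for m in re.finditer(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{", src):
        name, tail, body = m.group(1), m.group(2), _block(src, m.end() - 1)
        writes, reads = [], []
        for v in state:
            write_re = rf"\b{v}\b(?:\[[^\]]*\])*\s*[+\-*/]?=(?!=)"  # assignment, not comparison
            if re.search(write_re, body):
                writes.append(v)
            if re.search(rf"\b{v}\b", re.sub(write_re, "", body)):  # mention outside a write
                reads.append(v)
        vis = re.search(r"\b(public|external|internal|private)\b", tail)
        funcs[name] = {"visibility": vis.group(1) if vis else "public",
                       "guards": [g for g in mods if re.search(rf"\b{g}\b", tail)],
                       "reads": reads, "writes": writes}
    return {"state_vars": state, "auth_state": auth, "functions": funcs}

def detect(state_map):
    """Detect-style heuristic: an externally reachable, unguarded function that writes
    a variable some modifier relies on is flagged as a permission-control anomaly."""
    return [{"rule": "unguarded-auth-state-write", "function": n, "variable": v}
            for n, f in state_map["functions"].items()
            if f["visibility"] in ("public", "external") and not f["guards"]
            for v in f["writes"] if v in state_map["auth_state"]]
```

On the sample, `deposit` writes state without a guard but is not flagged, because `balances` and `totalAssets` gate nothing; `setOwner` is flagged because `owner` is what `onlyOwner` checks.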

Section 04

Integration Capabilities: Adapting to Modern Workflows

Bloodhound supports multiple integration methods:

  • AI Agent Integration: A pure Python CLI tool that outputs JSON/Markdown, seamlessly integrating into AI workflows like Cursor, Windsurf (direct command execution), Claude Code/OpenClaw (terminal call feedback), etc.
  • CI/CD Pipeline: Acts as a security gate, automatically generating draft Code4rena/Immunefi audit reports, performing quick scans before code merging, and linking security findings with code changes to achieve traceable governance.
Section 05

Report Generation and Model-Agnostic Design

Report Generation: Built-in templates for mainstream bug bounty platforms:

  • Code4rena format: Separate reports for high/medium severity findings (with PoC), a merged report for low severity/QA issues, and a separate report for gas optimizations;
  • Immunefi format: Impact-driven description ("[Attack Vector] in Contract::Function causes [Impact]"), a narrative of the economic collapse path, and a complete runnable PoC.

Model-Agnostic Design: Supports multiple LLM providers, detected automatically via environment variables:

    Provider         Environment Variable   Configuration Key
    Google Gemini    GEMINI_API_KEY         gemini.api_key
    OpenAI           OPENAI_API_KEY         openai.model
    Anthropic        ANTHROPIC_API_KEY      anthropic.model
    Local (Ollama)   LOCAL_MODEL_URL        local.base_url

This design lets users choose a backend model according to cost, latency, and privacy requirements.
Section 06

Practical Significance and Future Outlook

Bloodhound represents an important direction in the evolution of smart contract security tools:

  1. From Static to Dynamic: No longer relying on fixed rule bases, but adapting to new attack patterns via a reasoning engine;
  2. From Isolated to Systematic: Elevating single vulnerability discovery to systematic risk assessment;
  3. From Manual to Automated: Encoding expert knowledge into repeatable auditing processes.

For DeFi developers, this means early detection of potential security issues; for auditors, improved coverage and depth. In the future, such reasoning-driven tools will become industry standards, driving up the security level of the ecosystem.