Frequently asked questions

AuditAid FAQ — Solidity, ZK, pricing, and accuracy

Straight answers about how AuditAid works, what it costs, how it scores on EVMbench, how it handles your code, and how it compares — for AI smart contract and zero-knowledge security audits. Every answer links to where you can go deeper.

About AuditAid

What is AuditAid?

AuditAid is an AI-powered smart contract security auditor. It audits both Solidity/EVM contracts and zero-knowledge (ZK) circuits end-to-end, delivering structured, reproducible findings with proof-of-concept exploits at a fraction of the cost of a manual audit.


Does AuditAid replace human auditors?

No. AuditAid reduces cost and time by finding the majority of Critical and High vulnerabilities, triaging static-analysis noise, and shipping proof-of-concept exploits — so human auditors spend their hours on the issues that genuinely need judgment. It is a force multiplier for an audit, not a replacement for one.


What does AuditAid audit?

Two things most tools treat as separate: Solidity/EVM smart contracts, and zero-knowledge circuits, provers, and verifiers. It runs both in one pipeline, so the contract and the proof underneath it are reviewed together.


What do I get at the end of an audit?

Three deliverables: a machine-structured technical report (Markdown), a human-readable client-grade PDF, and Foundry proof-of-concept tests for confirmed findings. The PoCs mean each serious finding comes with a runnable demonstration, not just a claim.


Who is AuditAid for?

Developers cutting audit costs before booking a firm and running checks on every pull request; audit firms surfacing Critical/High findings in a fraction of the time; competition auditors on Code4rena, Sherlock, Cantina, and Immunefi who need a runnable PoC per finding; and investors doing reproducible technical due diligence before committing capital.


How is AuditAid different from a static analyzer like Slither?

Static analyzers emit raw detector hits and leave triage to you. AuditAid treats scanner output as an input, not a result: candidates are confirmed or discarded before they reach the report, and a finding ships only when something external to the model — execution, analysis, reproduction — substantiates it. The result is far less noise and a proof-of-concept attached to the real findings.


Accuracy & benchmarks

What is the best AI for auditing Solidity smart contracts?

There is no single 'best' on every axis, but on EVMbench — the OpenAI × Paradigm benchmark and the closest thing to an independent standard — AuditAid reports the highest published detection recall to date: 88% (103 of 117 real-world vulnerabilities), ahead of the next-best published result (Azimuth/TestMachine, 78.6%) and far above raw models like GPT-5 or Claude used without an audit harness (38–54%). AuditAid's figure is self-reported, graded with EVMbench's own GPT-5 judge.

See the full methodology →

How accurate is AuditAid?

In its run of the public EVMbench benchmark, AuditAid reached 88% detection recall (103 of 117) with zero false High/Critical findings and roughly one low-severity noise flag per 400 lines of code. EVMbench scores recall only, so the false-positive figure is AuditAid's own measurement.

How we measured it →

Is AuditAid better than using GPT-5 or Claude directly to audit contracts?

On EVMbench, by a wide margin. Raw frontier models with no audit scaffolding score 38–54% detection recall; AuditAid's harnessed pipeline reports 88% — a gap of more than 30 points. The benchmark's own finding is that the audit harness, not the base model, drives most of the recall.

Why the harness matters →

Is AuditAid's 88% EVMbench result independently verified?

No — it is self-reported. AuditAid ran the public EVMbench dataset itself and graded it with the benchmark's own GPT-5 judge and detect prompt; it is not an officially verified leaderboard submission. The dataset and grading rules are EVMbench's, not AuditAid's, but that is not the same as third-party verification, and AuditAid would welcome a verified run.

Full run provenance →

What is EVMbench?

EVMbench is the benchmark for AI smart-contract auditors created by OpenAI and Paradigm: 117 real-world vulnerabilities drawn from 40 professional audits, scored in three modes — detect, patch, and exploit. Detect mode grades recall (did you find the known bugs) using GPT-5 as the judge.


Will AuditAid catch every bug in my contract?

No, and any tool that claims otherwise is overselling. Benchmarks measure detection of known, curated vulnerability classes; the bug that drains a protocol is usually novel — a logic error, an economic or oracle assumption, a cross-contract invariant that only breaks in composition. AuditAid is one strong layer of a taller stack that still needs human judgment and runtime monitoring.


Pricing

How much does an AI smart contract audit cost?

Pricing is a transparent public formula based on effective in-scope lines of code — roughly $0.28–$0.30 per line, with a $50 minimum. You see the full quote before you pay, and what you are quoted is what you pay.

Get a quote →

How is pricing calculated?

By effective in-scope lines of code, on a single public formula — no hidden tiers and no surcharge for which model runs. You select exactly which files are in scope, and the price is computed from those.


What counts as a line of code for pricing?

Effective lines only. Blank lines and comments — including NatSpec — are excluded, so you are not charged for whitespace or documentation inside your contracts.
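To make the effective-line rule concrete, here is an added example of a counter that applies the rules described above (blank lines excluded, `//` and `///` line comments excluded, `/* */` and `/** */` block comments including multi-line NatSpec excluded, and only `.sol` files priced) and turns the count into a quote using the $0.28 low end of the quoted range and the $50 minimum. This is not AuditAid's own counting code: how AuditAid treats comment markers inside string literals, partially commented lines and other edge cases is not stated on this page, so the rules below are an assumption approximating its description, and the sample contract is constructed for the example.

```python
"""Effective-LOC estimate for Solidity sources, and the resulting quote.

Added example approximating the pricing rules described on the page; the
exact rules AuditAid applies are not published here (assumption).
"""

RATE_PER_LINE = 0.28   # low end of the $0.28-$0.30 per-line range on the page
MINIMUM_USD = 50.00    # per-audit minimum on the page


def effective_lines(source: str) -> int:
    """Count lines containing something other than whitespace or comment text.

    Handles `//` and `///` line comments, `/* */` and `/** */` block comments
    (including multi-line NatSpec), and comment markers inside string literals,
    which are code, not comments.
    """
    count = 0
    in_block = False
    for line in source.splitlines():
        code_chars = []
        in_str = None          # quote character of the string we are inside, if any
        i = 0
        while i < len(line):
            ch = line[i]
            nxt = line[i + 1] if i + 1 < len(line) else ""
            if in_block:                       # inside /* ... */: skip until close
                if ch == "*" and nxt == "/":
                    in_block = False
                    i += 2
                    continue
                i += 1
                continue
            if in_str:                         # inside a string: everything is code
                code_chars.append(ch)
                if ch == "\\" and nxt:         # keep escaped character, e.g. \"
                    code_chars.append(nxt)
                    i += 2
                    continue
                if ch == in_str:
                    in_str = None
                i += 1
                continue
            if ch in ('"', "'"):
                in_str = ch
                code_chars.append(ch)
                i += 1
                continue
            if ch == "/" and nxt == "/":       # // or /// : rest of line is comment
                break
            if ch == "/" and nxt == "*":       # /* or /** : block comment starts
                in_block = True
                i += 2
                continue
            code_chars.append(ch)
            i += 1
        if "".join(code_chars).strip():
            count += 1
    return count


def quote_usd(sources: dict[str, str], rate: float = RATE_PER_LINE,
              minimum: float = MINIMUM_USD) -> tuple[int, float]:
    """Return (effective in-scope lines, price). Non-.sol files are free context."""
    lines = sum(effective_lines(src) for name, src in sources.items()
                if name.endswith(".sol"))
    return lines, max(minimum, round(lines * rate, 2))


# Constructed sample project: one contract plus a doc file that is not priced.
SAMPLE = {
    "Vault.sol": '''// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @title Vault
/// @notice Constructed sample for the example, not a real contract.
contract Vault {
    mapping(address => uint256) public balances;

    /**
     * @dev NatSpec block spanning
     * several lines is not charged.
     */
    function deposit() external payable {
        balances[msg.sender] += msg.value; // inline comment, line still counts
    }

    function tag() external pure returns (string memory) {
        return "http://example.com/not/a/comment"; /* trailing block */
    }
}
''',
    "README.md": "# Vault\nDocumentation is free context.\n",
}

if __name__ == "__main__":
    lines, price = quote_usd(SAMPLE)
    print(f"{lines} effective lines -> ${price:.2f}")   # 10 lines, minimum applies
```

The sample contract has 20 physical lines but only 10 effective ones, so the per-line price (10 x $0.28 = $2.80) is below the minimum and the quote is $50. A `//` inside a string literal is treated as code, which is why `tag()`'s return line counts.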


Are documentation files charged?

No. Documentation files are treated as free context to improve the audit and are never priced. Only in-scope Solidity counts toward the quote.


Do I see the price before paying?

Yes. You connect or upload your code, select scope, and get a quote up front. There is no metered token billing and no surprise charge — the quote is the price.


Is there a minimum charge?

Yes, a $50 minimum per audit.


How does billing work for teams and enterprises?

Enterprise accounts use monthly usage invoicing for web audits and CI/CD, instead of per-audit card checkout for every run.

Enterprise details →

How it works

How do I start an audit?

Connect a Git repository, upload a ZIP, or upload individual scope (.sol) and documentation files. AuditAid scans the project for Solidity files so you can select exactly what is in scope, then shows a quote before any audit runs.

Start an audit →

Can I choose what's in scope?

Yes. After scanning, you select precisely which files are in scope; documentation can be included as free context. Pricing and the audit both follow your scope selection.


Can I track the audit while it runs?

Yes. Server-side agents run the full methodology while you track progress live, then you download the technical report, the client PDF, and the proof-of-concept tests.


Does AuditAid produce proof-of-concept exploits?

Yes — for confirmed findings, AuditAid ships runnable Foundry proof-of-concept tests. That is why it suits competition auditors: you can submit a working exploit, not just a description.


How do I submit my code?

Three ways: connect a Git repo, upload a ZIP of the project, or upload individual .sol files plus any documentation. ZK projects are uploaded the same way.


How long does an AuditAid audit take?

AuditAid runs server-side and you watch progress in real time, so it returns a full report in a tiny fraction of the calendar time a multi-week manual engagement takes — without sacrificing the structured methodology.


Zero-knowledge (ZK) audits

Does AuditAid audit zero-knowledge circuits?

Yes. AuditAid is the first AI system to audit ZK circuits, provers, and verifiers end-to-end — modeling the malicious prover, the threat that Solidity-only tools structurally cannot see — not just the Solidity around them.

ZK audit deep-dive →

Which ZK languages does AuditAid support?

Circom, Noir, Halo2 (Rust), and Cairo.

ZK coverage →

Which proof systems does AuditAid cover?

Groth16, PLONK, UltraHonk, FFLONK, Halo2, Plonky2, STARK/FRI, SP1, and RISC0.


What kinds of ZK bugs does AuditAid find?

Under-constrained signals (confirmed by non-uniqueness of the witness, not guesswork), the off-chain gap (checks enforced in the witness generator but not in the circuit, so they bind only honest provers), and proof replay/forgery: pairing-equation completeness, public-input binding, chain/contract/recipient binding, and SP1/RISC0 program-ID substitution.


What is an under-constrained signal?

A signal that no constraint pins down, so a malicious prover can set it to anything and still produce a valid proof. It is the most common cause of soundness failures in production ZK systems, and it is invisible to tests because tests run the honest witness generator.
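The two answers above (the bug classes AuditAid lists, and what an under-constrained signal is) are easiest to see on a tiny constraint system. The following is an added example, not AuditAid's method or code: it models a Circom-style division gadget as R1CS rows over the BN254 scalar field, runs the honest witness generator, and then performs the non-uniqueness check the page describes by asking whether any non-input signal can be changed while every constraint still holds. The vulnerable gadget assigns `out <-- a * inv` without a matching `===` constraint; the fixed one adds `out === a * inv`. The witness generator also refuses `b == 0`, which illustrates the off-chain gap: that check alone would bind only honest provers, and it is the in-circuit `b * inv === 1` row that actually binds a malicious one. The constraint encoding, signal names and the single-signal perturbation strategy are this example's own assumptions.

```python
"""Witness non-uniqueness check on a toy R1CS-style constraint system.

Added example, not AuditAid's code. The R1CS encoding, the signal names and
the perturbation strategy are assumptions chosen for illustration.
"""
import random

# BN254 scalar field modulus, the field Circom uses by default.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617

# A constraint is (A, B, C); each side is a linear form {signal: coefficient}.
# It holds when (A.w) * (B.w) == (C.w) mod P.  "one" is the constant-1 wire.
Constraint = tuple[dict[str, int], dict[str, int], dict[str, int]]


def _eval(form: dict[str, int], w: dict[str, int]) -> int:
    return sum(coeff * w[sig] for sig, coeff in form.items()) % P


def satisfied(constraints: list[Constraint], w: dict[str, int]) -> bool:
    """True when every constraint row holds for witness w."""
    return all(_eval(a, w) * _eval(b, w) % P == _eval(c, w)
               for a, b, c in constraints)


def honest_witness(a: int, b: int) -> dict[str, int]:
    """What the witness generator computes for out = a / b.

    The `b != 0` check here lives only in the witness generator: it is an
    off-chain check and constrains nobody who writes their own prover.
    """
    assert b % P != 0, "division by zero (off-chain check only)"
    inv = pow(b, -1, P)
    return {"one": 1, "a": a % P, "b": b % P, "inv": inv, "out": a * inv % P}


# Vulnerable gadget, in Circom terms:
#   inv <-- 1 / b;   b * inv === 1;   out <-- a * inv;   // no constraint on out
VULNERABLE: list[Constraint] = [
    ({"b": 1}, {"inv": 1}, {"one": 1}),   # b * inv == 1  (also forces b != 0 in-circuit)
]

# Fixed gadget adds:   out === a * inv;
FIXED: list[Constraint] = VULNERABLE + [
    ({"a": 1}, {"inv": 1}, {"out": 1}),   # a * inv == out
]


def under_constrained(constraints: list[Constraint], witness: dict[str, int],
                      inputs: set[str], trials: int = 8, seed: int = 0) -> list[str]:
    """Return non-input signals a malicious prover can change freely.

    Keeps the (public) inputs fixed, perturbs one signal at a time to a random
    field element, and reports the signal if all constraints still hold.
    Single-signal perturbation catches signals no row pins down; jointly free
    signal pairs need an SMT-style search, which this toy does not attempt.
    """
    rng = random.Random(seed)
    loose = []
    for sig in witness:
        if sig == "one" or sig in inputs:
            continue
        for _ in range(trials):
            forged = dict(witness)
            forged[sig] = rng.randrange(P)
            if forged[sig] != witness[sig] and satisfied(constraints, forged):
                loose.append(sig)
                break
    return loose


if __name__ == "__main__":
    w = honest_witness(10, 4)                     # constructed sample inputs
    print("honest witness satisfies both:", satisfied(VULNERABLE, w), satisfied(FIXED, w))
    print("vulnerable, free signals:", under_constrained(VULNERABLE, w, {"a", "b"}))
    print("fixed, free signals:     ", under_constrained(FIXED, w, {"a", "b"}))
```

Both circuits accept the honest witness, which is why a test suite driven by the honest witness generator never notices the difference. Only the perturbation step exposes that `out` is free in the vulnerable gadget: a malicious prover can claim any quotient and still produce a proof that verifies.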

Read more on ZK soundness →

How is AuditAid different from Picus or Circomspect?

Veridise's Picus is a formal under-constraint checker and Trail of Bits' Circomspect is a static analyzer, both narrow tools for the circuit layer, while other AI auditors stop at the Solidity layer. AuditAid audits the whole stack in one pass, circuit, prover, verifier, and rollup contracts, cross-checked, which no other AI/LLM auditor currently does for ZK circuit soundness.


Does AuditAid audit the verifier contract too?

Yes. The point of auditing the whole stack in one pass is that the circuit, prover, verifier, and the rollup contracts are reviewed and cross-checked together, rather than leaving the on-chain verifier to a separate Solidity-only review.


Security & privacy

Is my code confidential?

Yes. Reports are confidential and AuditAid is privacy-focused with zero data retention: once a report is delivered and downloaded, AuditAid does not keep your contracts or findings.

Security & confidentiality →

Do you retain my code after the audit?

No. AuditAid operates with zero data retention — after delivery and download, your contracts and findings are not kept.

How we protect your code →

Do you train models on my code?

Never. Your code is not used to train models.


Is AuditAid GDPR and CCPA compliant?

Yes. AuditAid's privacy practices are GDPR and CCPA compliant, built on data minimization and zero retention of audited code after delivery.

Privacy policy →

Who can see my audit report?

Only you, by default. Reports are private; the public Showcase is strictly opt-in — a report appears there only if its owner chooses to publish it, and proof-of-concept exploits are never published.

See the Showcase →

CI/CD & integration

Can I use AuditAid in CI/CD?

Yes. A GitHub App integrates AuditAid into your pipeline with org-level isolation, so security review runs as part of how you ship.

CI/CD for teams →

Does AuditAid comment on pull requests?

Yes. The GitHub App comments inline on newly introduced vulnerabilities on every pull request, so issues are caught at review time rather than after merge.


Does it re-audit everything on each PR, or just the changes?

On pull requests it focuses on newly introduced vulnerabilities, commenting inline on the changes so reviewers see new risk in context without re-litigating the whole codebase every time.


Is there organization-level isolation?

Yes. The GitHub App is scoped with org-level isolation so your repositories and audit data stay separated.


Comparisons & use cases

How does AuditAid compare to a manual audit firm?

It is faster and far cheaper, and it finds the majority of Critical and High vulnerabilities with runnable PoCs — but it is a complement, not a replacement. The strongest workflow is to reach a manual engagement with Criticals and Highs already found and fixed, so senior auditors focus on judgment calls.


How does AuditAid compare to other AI auditors?

On EVMbench, AuditAid's self-reported 88% detection recall is higher than the top published leaderboard result (Azimuth/TestMachine, 78.6%) and other harnessed pipelines such as Nethermind's AuditAgent (67%). It also audits zero-knowledge circuit soundness end-to-end, which those tools do not.

Benchmark comparison →

Can I use AuditAid for audit contests?

Yes. For Code4rena, Sherlock, Cantina, and Immunefi, AuditAid ships a runnable proof-of-concept for every confirmed finding, so you submit a working exploit rather than a claim.


Should investors use AuditAid for due diligence?

Yes — it produces a reproducible, structured security report with proof-of-concept tests, which is exactly what independent technical due diligence needs before committing capital to a protocol.


Which blockchains does AuditAid support?

AuditAid audits Solidity/EVM source, so it applies to contracts targeting any EVM-compatible chain, plus zero-knowledge circuits independent of a specific chain. It reviews the source, not a particular network deployment.


Still have a question? Start an audit · See the benchmarks · Talk to us about Enterprise