# Security Analysis & Insights

## Motivation

Smart contract security has evolved significantly, yet many deployed contracts remain vulnerable. While automated tools cannot replace expert auditors, they provide an **additional layer of protection**, because:

* Many projects were deployed **without any analysis**
* Legacy contracts were never evaluated with **modern tools**
* Many historical vulnerabilities would be caught by **today's tooling**
* Projects do not keep up with **advances in security tooling**

The emergence of AI technology has **transformed this landscape** further. By combining traditional security approaches with AI:

* **Better interpretation** of analysis results
* **Reduced false positives** through context awareness
* **Enhanced pattern recognition** across codebases
* **Automated verification** of complex calculations
* **Improved documentation** analysis

This synergy creates an opportunity: as automated tools enhanced by AI handle common vulnerabilities, auditors can focus on complex attack vectors and novel exploitation methods. Modern security tools are becoming increasingly sophisticated, providing a strong first line of defense against well-known issues.

## Security Pyramid

Security practices can be arranged as a pyramid. Each layer builds on the ones below it, with the foundation providing the **greatest security impact** for the lowest cost. Moving up the pyramid, the methods become more specialized and resource-intensive, and they tend to find fewer but more complex issues.

| Level    | Practice            | Characteristics                                                                                     | Resource Cost       |
| -------- | ------------------- | --------------------------------------------------------------------------------------------------- | ------------------- |
| 4️⃣ TOP  | **Manual Auditing** | <p>• Complex vulnerability detection<br>• Context-aware assessment<br>• Deep security expertise</p> | Most Intensive 🔴   |
| 3️⃣      | **Dynamic Testing** | <p>• Fuzzing<br>• Integration tests<br>• Property verification</p>                                  | High Investment 🟠  |
| 2️⃣      | **Static Analysis** | <p>• Fast & automated<br>• Cost-effective<br>• Early detection</p>                                  | Good ROI 🟢         |
| 1️⃣ BASE | **Good Practices**  | <p>• Peer reviews<br>• Unit testing (95%+ coverage)<br>• Documentation<br>• Version control</p>     | Best Impact/Cost 🔵 |

## Automated Detection

Static analysis tools serve as the **first line of defense** after good practices:

* **Quick identification** of common vulnerabilities
* **Cost-effective** compared to manual review
* **Supports, but does not replace**, human expertise

## Wake Framework Findings

The Wake Framework's core capabilities have already proven **effective**, discovering these vulnerabilities:

| Vulnerability                                  | Severity | Project | Method           |
| ---------------------------------------------- | -------- | ------- | ---------------- |
| **Profit & loss accounted twice**              | Critical | IPOR    | Fuzz test        |
| **Loan refinancing reentrancy**                | Critical | PWN     | Detector         |
| **Incorrect optimization in loan refinancing** | Critical | PWN     | Fuzz test        |
| **Console permanent denial of service**        | High     | Brahma  | Fuzz test        |
| **Swap unwinding formula error**               | High     | IPOR    | Fuzz test        |
| **Swap unwinding fee accounted twice**         | High     | IPOR    | Fuzz test        |
| **Incorrect event data**                       | High     | Solady  | Integration test |

These findings demonstrate Wake's effectiveness in detecting **critical and high-severity issues** across major DeFi protocols through different testing methods (detectors, fuzz tests and integration tests). Each vulnerability was discovered during an **actual security audit** and was documented and fixed.

[Source: [Wake Framework GitHub](https://github.com/Ackee-Blockchain/wake?tab=readme-ov-file#discovered-vulnerabilities)]
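Three of the findings above ("profit & loss accounted twice", "swap unwinding fee accounted twice") belong to one bug class, and all were found by fuzz testing rather than by reading the code. The snippet below is an added, dependency-free illustration of how that works; it is not Wake or Wakehacker code and does not use Wake's testing API. It models a zero-sum swap between a trader and a pool with a constructed ledger, one unwind routine that credits the PnL twice, one that credits it once, and a random-action fuzzer that checks a conservation invariant (total balance never changes) after every step. The function and field names are assumptions made for the example.

```python
"""Toy property-based fuzz harness for a zero-sum swap ledger.

Added illustration, not Wake/Wakehacker code: it models the "accounted
twice" bug class and shows how a conservation invariant, checked after
every random action, catches it. All names and numbers are constructed.
"""
import random
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Balances of the two parties to a swap; the system is zero-sum."""
    trader: int = 1_000
    pool: int = 10_000
    open_notional: int = 0          # notional of the open swap, 0 if none
    log: list = field(default_factory=list)

    def total(self) -> int:
        return self.trader + self.pool


def open_swap(l: Ledger, notional: int) -> None:
    """Open a swap if none is open (opening moves no value)."""
    if l.open_notional == 0:
        l.open_notional = notional
        l.log.append(("open", notional))


def unwind_vulnerable(l: Ledger, pnl: int) -> None:
    """Unwind with the double-accounting defect.

    The pnl is applied once when the position is closed and a second
    time in a 'settlement' step that was only meant to zero the
    notional. The pool side is debited once, so value is created.
    """
    if l.open_notional == 0:
        return
    l.trader += pnl          # close position: trader receives pnl
    l.pool -= pnl            # pool pays it out
    l.trader += pnl          # BUG: settlement credits the same pnl again
    l.open_notional = 0
    l.log.append(("unwind", pnl))


def unwind_fixed(l: Ledger, pnl: int) -> None:
    """Unwind with pnl applied exactly once on each side."""
    if l.open_notional == 0:
        return
    l.trader += pnl
    l.pool -= pnl
    l.open_notional = 0
    l.log.append(("unwind", pnl))


def fuzz(unwind, seed: int = 0, steps: int = 500):
    """Drive random open/unwind sequences and check the zero-sum invariant.

    Returns None if the invariant held for every step, otherwise the
    drift plus the action log up to the first violation, which is the
    counterexample an auditor can replay.
    """
    rng = random.Random(seed)
    l = Ledger()
    expected_total = l.total()
    for _ in range(steps):
        if rng.random() < 0.5:
            open_swap(l, rng.randint(1, 5_000))
        else:
            # pnl may be positive or negative; the defect only shows when
            # it is non-zero, which a wide range makes likely.
            unwind(l, rng.randint(-500, 500))
        if l.total() != expected_total:
            return {"drift": l.total() - expected_total, "actions": list(l.log)}
    return None


if __name__ == "__main__":
    print("vulnerable:", fuzz(unwind_vulnerable, seed=1))
    print("fixed:", fuzz(unwind_fixed, seed=1))
```

The point the table makes is visible here: the invariant is a one-line statement about the whole system ("no value is created or destroyed"), so the fuzzer needs no knowledge of which line is wrong, and the returned `actions` list is a minimal reproduction. In a real audit the same shape is used with the deployed contracts driven on a local chain instead of a Python model.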
