# Security Analysis & Insights

## Motivation

Smart contract security has evolved significantly, yet many deployed contracts remain vulnerable. While automated tools cannot replace expert auditors, they provde an **additional protection**:

* Many projects deployed **without any analysis**
* Legacy contracts not evaluated with **modern tools**
* Historical vulnerabilities can be prevented by **today's tooling**
* Projects not keeping up with **security tool advancements**

The emergence of AI technology has **transformed this landscape** further. By combining traditional security approaches with AI:

* **Better interpretation** of analysis results
* **Reduced false positives** through context awareness
* **Enhanced pattern recognition** across codebases
* **Automated verification** of complex calculations
* **Improved documentation** analysis

This synergy creates an opportunity: as automated tools enhanced by AI handle common vulnerabilities, auditors can focus on complex attack vectors and novel exploitation methods. Modern security tools are becoming increasingly sophisticated, providing a strong first line of defense against well-known issues.

## Security Pyramid

Security can be easily presented on a pyramid. Each pyramid layer builds upon the previous ones, with the foundation providing the **greatest security impact** for the lowest cost. As we move up the pyramid, the methods become more specialized and resource-intensive, while potentially finding fewer but more complex issues.

| Level    | Practice            | Characteristics                                                                                     | Resource Cost       |
| -------- | ------------------- | --------------------------------------------------------------------------------------------------- | ------------------- |
| 4️⃣ TOP  | **Manual Auditing** | <p>• Complex vulnerability detection<br>• Context-aware assessment<br>• Deep security expertise</p> | Most Intensive 🔴   |
| 3️⃣      | **Dynamic Testing** | <p>• Fuzzing<br>• Integration tests<br>• Property verification</p>                                  | High Investment 🟠  |
| 2️⃣      | **Static Analysis** | <p>• Fast & automated<br>• Cost-effective<br>• Early detection</p>                                  | Good ROI 🟢         |
| 1️⃣ BASE | **Good Practices**  | <p>• Peer reviews<br>• Unit testing (95%+)<br>• Documentation<br>• Version control</p>              | Best Impact/Cost 🔵 |

## Automated Detection

Static analysis tools serve as the **first line of defense** after good practices:

* **Quick identification** of common vulnerabilities
* **Cost-effective** compared to manual review
* **Supports, but does not replace**, human expertise

## Wake Framework Findings

The Wake Framework's core capabilities have already proven **effective**, discovering these vulnerabilities:

| Vulnerability                                  | Severity | Project | Method           |
| ---------------------------------------------- | -------- | ------- | ---------------- |
| **Profit & loss accounted twice**              | Critical | IPOR    | Fuzz test        |
| **Loan refinancing reentrancy**                | Critical | PWN     | Detector         |
| **Incorrect optimization in loan refinancing** | Critical | PWN     | Fuzz test        |
| **Console permanent denial of service**        | High     | Brahma  | Fuzz test        |
| **Swap unwinding formula error**               | High     | IPOR    | Fuzz test        |
| **Swap unwinding fee accounted twice**         | High     | IPOR    | Fuzz test        |
| **Incorrect event data**                       | High     | Solady  | Integration test |

These findings demonstrate Wakehacker's effectiveness in detecting **critical and high-severity issues** across major DeFi protocols through various testing methods. Each vulnerability was discovered during **actual security audits** and has been properly documented and fixed.

\[Source: [Wake Framework GitHub](https://github.com/Ackee-Blockchain/wake?tab=readme-ov-file#discovered-vulnerabilities)]