Whitepaper
Continuous Smart Contract Security for Enterprise Teams
Three-engine analysis. Penetration testing & fuzzing. On-chain monitoring. All chains supported. 95.8% accuracy. Your code never leaves your environment.
Last updated February 2026
Contents
Executive Summary
Kairo is a developer-first, multi-chain smart contract security platform built for enterprise teams. Unlike browser-based security tools that require uploading source code to third-party servers, Kairo runs locally in your environment — scanning your EVM (Solidity) and Solana (Rust/Anchor) codebases from the command line, integrating into your CI/CD pipeline, and reporting findings to a centralized dashboard. Your code never leaves your infrastructure.
Our mission: Make continuous, institutional-grade smart contract security the default — not a one-time audit.
Kairo combines static analysis, dynamic testing, symbolic execution, penetration testing, fuzz testing, and ML-powered semantic triage into a comprehensive security pipeline that catches 95.8% of known vulnerability classes — while generating 60% fewer false positives than single-engine tools. With support for all EVM-compatible chains plus native Solana analysis, Kairo provides unified security coverage across the entire smart contract ecosystem. Real-time on-chain monitoring ensures deployed contracts stay protected. Every scan runs locally with results in under 30 seconds.
The Problem
Smart contract security has been trapped in a broken paradigm: expensive point-in-time audits that create a false sense of security. Developers write code for weeks, submit it for review, wait months, then scramble to fix findings before a deadline. The moment code changes after an audit, the guarantees disappear.
Lost to smart contract exploits in 2023-2024
Of Web3 projects lack continuous security scanning
Why The Current Model Fails
Point-in-Time Audits
A manual audit captures a single snapshot. The moment code changes, the audit is stale. Teams ship unaudited code every day between formal reviews.
Code Upload Requirements
Most security tools require uploading source code to cloud servers. Banks, federal institutions, and compliance-driven teams cannot accept this risk.
No CI/CD Integration
Security exists as a separate process, disconnected from where code actually ships. Vulnerabilities slip through PRs because there is no automated gate.
False Positive Overload
Generic static analysis tools flood developers with noise. Without context-aware scanning that understands Foundry projects, import remappings, and test files, results are unreliable.
The Kairo Platform
Kairo is a three-part platform: a CLI that scans locally, a GitHub Action that gates deployments, and a web dashboard that aggregates findings across your organization. Each layer is designed for enterprise security teams that need continuous coverage without compromising on code confidentiality.
Kairo CLI
Scan any Foundry, Hardhat, or Anchor project from the command line. The scanner runs entirely on your machine — no code is uploaded, no network calls during analysis.
# EVM / Solidity
$ kairo scan ./contracts
Scanning 47 Solidity files...
Running pattern analysis + Slither...
Found 3 high, 5 medium, 8 low findings
# Solana / Rust / Anchor
$ kairo scan ./programs --chain solana
Scanning 12 Rust program files...
Running Solana pattern analysis + Anchor checks...
Found 1 high, 3 medium, 2 low findings
Dashboard: https://kairoaisec.com/scan/abc123
GitHub Action
Automatically scan every pull request with deep AI analysis. Block merges when critical vulnerabilities are found. Post rich PR comments with attack graphs, exploitability matrix, and inline code annotations. Upgrade to full penetration testing by adding a PR label.
# .github/workflows/security.yml
- name: Kairo Security Scan
uses: kairoaisec/kairo-action@v1
with:
api-key: ${{ secrets.KAIRO_API_KEY }}
mode: deep
fail-on: critical,high
# Add 'kairo-pentest' label to PR for full pentest
Penetration Testing & Fuzzing
Go beyond static analysis with automated penetration testing and fuzz testing. Our pentest engine generates attack scenarios, attempts real exploits against your contracts, and reports verified vulnerabilities with proof-of-concept code. Property-based fuzzing discovers edge cases that manual testing misses.
Security Dashboard
Centralized view of all findings across projects, scans, and team members. Track security posture over time. Export reports for compliance.
On-Chain Monitoring
Real-time monitoring of deployed contracts across all supported chains. Get instant alerts when suspicious transactions, abnormal token movements, or potential exploits are detected. Monitor contract interactions, track governance changes, and verify upgrade safety — all from a single dashboard.
How It Works
A typical Kairo workflow integrates security into every stage of development, from local coding to production deployment.
Develop
Write Solidity or Rust in your preferred editor. Kairo detects your project type (Foundry, Hardhat, Anchor) automatically and resolves imports, remappings, and program dependencies.
Scan Locally
Run kairo scan from the terminal. Pattern matching and Slither analysis execute on your machine. Results appear in seconds with severity, location, and remediation guidance.
Push & Gate
The GitHub Action triggers on every PR with deep AI analysis by default. The scan runs asynchronously — no timeouts. Results appear as rich PR comments with attack flow graphs and exploitability data. Add a PR label to upgrade to full penetration testing with fuzzing and exploit verification.
Review on Dashboard
Findings sync to the web dashboard. Security leads review trends, triage findings, and export PDF audit reports for stakeholders.
Deploy with Confidence
Deployment safety checks verify the contract one final time. ALLOW, WARN, or BLOCK decisions are enforced before any code reaches mainnet.
Why Kairo
The smart contract security market has multiple tools, but most share the same fundamental limitations. Kairo was designed to address the gaps that existing solutions leave open.
Code Stays Local
Most security platforms require uploading source code to their cloud for analysis. This is a non-starter for banks, federal institutions, and any team with compliance requirements. Kairo's CLI and GitHub Action run analysis entirely within your infrastructure. Only findings metadata — never source code — is optionally synced to the dashboard.
Continuous, Not One-Time
Point-in-time audits expire the moment code changes. Kairo scans on every commit, every PR, and every deployment. Security is a continuous process, not a checkbox. Your team gets 24/7 coverage without scheduling audits or waiting in backlogs.
Project-Aware Analysis
Generic static analyzers treat every file the same. Kairo understands your project structure — Foundry remappings, Hardhat configs, Anchor workspace layouts, Cargo.toml dependencies, source directories, test exclusions, and library dependencies. This context-aware approach works across EVM and Solana ecosystems, dramatically reducing false positives and surfacing findings that matter.
Multi-Engine Scanning
Instead of relying on a single analysis method, Kairo layers pattern matching, Slither integration, and AI-powered analysis together. Each engine catches different vulnerability classes. Combined, they provide coverage that no single tool achieves alone.
Developer Workflow, Not Security Theater
Kairo integrates where developers already work: the terminal and GitHub. No separate portals to check, no context-switching to a security dashboard for day-to-day work. Findings appear as PR annotations, CLI output, and SARIF reports that feed directly into GitHub Code Scanning.
Deployment Gates
Other tools report findings but leave enforcement to the developer. Kairo provides configurable deployment gates — ALLOW, WARN, or BLOCK — that prevent vulnerable code from reaching production. Set your threshold and let the pipeline enforce it.
Kairo vs. Traditional Approach
Traditional
- Upload code to cloud
- Single-engine analysis (~72% accuracy)
- Weeks to get results
- Generic static analysis only
- No CI/CD integration
- Limited chain support
- No on-chain monitoring
- No penetration testing
Kairo
- 100% local — code never leaves
- Three-engine hybrid (95.8% accuracy)
- Results in under 30 seconds
- Static + dynamic + ML + pentest + fuzzing
- CI/CD pentest with attack graphs & SARIF
- All chains: EVM + Solana + more
- 24/7 on-chain monitoring & alerts
- Automated penetration testing
Technology
Kairo's analysis engine combines static analysis, dynamic testing, and ML-powered triage into a single pipeline. Each scan runs three distinct passes — pattern matching, symbolic execution, and semantic analysis — then uses machine learning to deduplicate, rank, and filter results so developers see real vulnerabilities, not noise.
Three-Pass Hybrid Analysis
Every scan executes three complementary analysis layers. Each catches vulnerability classes the others miss. Results are merged, deduplicated by fingerprint, and ranked by a weighted confidence model.
Pass 1: Static Pattern Analysis
Context-aware pattern matching against vulnerability signatures — not simple regex. The engine analyzes surrounding code within configurable context windows (200-500 characters) to detect protective patterns like reentrancy guards, nonce tracking, and gas limits. If a function already has a nonReentrant modifier, the confidence score for a reentrancy finding drops by 70%. If EIP-712 signatures include chain ID and nonce validation, replay attack confidence drops by 60%.
Pass 2: Dynamic & Symbolic Execution
Integration with Slither and Mythril for deep analysis that goes beyond pattern matching. Slither performs control flow analysis, data dependency tracking, and taint propagation across function boundaries. Symbolic execution explores all reachable paths through your contracts, catching edge cases that static analysis cannot — integer overflows on specific input ranges, state-dependent access control bypasses, and cross-function reentrancy through unexpected callback chains.
Pass 3: ML Semantic Analysis & Triage
Code is chunked at function boundaries using brace-depth tracking to preserve semantic coherence, then embedded into a vector space. These embeddings are compared against a database of known vulnerability patterns using pgvector similarity search. Findings from all three passes are then triaged by a weighted confidence model — severity, source agreement, and contextual signals determine what surfaces to the developer and what gets suppressed as noise.
Specialized Agent Buckets
Rather than running a single monolithic scanner, Kairo routes analysis through specialized agent buckets — each focused on a specific vulnerability domain. This architecture provides deeper context within each domain and prevents cross-contamination of analysis heuristics.
Reentrancy
Cross-function and cross-contract callback analysis with state mutation tracking
Access Control
Permission hierarchies, ownership patterns, and privilege escalation paths
Oracle & Price
Price manipulation vectors, stale data detection, and MEV exposure analysis
Flash Loan
Atomic transaction simulation, liquidity pool interaction, and collateral manipulation
Signature & Replay
EIP-712 compliance, nonce tracking, chain ID validation, and permit function analysis
Gas & DoS
Unbounded loops, return data bombs, gas griefing vectors, and storage bloat patterns
Universal Chain Support
Kairo provides comprehensive coverage across all major blockchain ecosystems. Any EVM-compatible chain works out of the box — Ethereum, L2s (Arbitrum, Optimism, Base, zkSync, Linea, Scroll), sidechains (Polygon, BSC, Avalanche), and emerging networks. Native Solana support covers the second-largest smart contract platform with Rust and Anchor analysis. Our architecture is designed for universal chain support with chain-specific vulnerability detection.
EVM / Solidity Analysis
Full support for Solidity smart contracts across all EVM-compatible chains. Integrates with Foundry, Hardhat, and Truffle project structures. Slither and Mythril provide deep static and symbolic analysis. Pattern matching covers 150+ EVM-specific vulnerability signatures including reentrancy, flash loan attacks, oracle manipulation, and MEV exposure.
Solana / Rust / Anchor Analysis
Purpose-built analysis for Solana programs written in Rust and Anchor. Kairo detects Solana-specific vulnerability classes that EVM tools completely miss: missing signer checks, account validation flaws, PDA seed collisions, integer overflow in token arithmetic, unchecked cross-program invocations, and missing owner/authority verification. The scanner understands Anchor's account constraints, program-derived addresses, and instruction-level access control.
Solana-specific vulnerability patterns detected by Kairo:
Missing Signer Check
Instructions that modify state without verifying the transaction signer has authority
Account Validation
Missing owner checks, type confusion, and uninitialized account exploitation
PDA Seed Collision
Program-derived address seeds that allow account substitution or spoofing attacks
CPI Vulnerabilities
Unchecked cross-program invocations that could be exploited by malicious programs
Arithmetic Overflow
Integer overflow/underflow in token calculations, especially in u64 arithmetic
Privilege Escalation
Missing authority verification in admin-only instructions and upgrade paths
Fingerprint Deduplication & Confidence Scoring
When three engines analyze the same codebase, overlapping findings are inevitable. Kairo generates a SHA-256 fingerprint for each finding based on file, line, pattern, severity, and code context. Duplicates are merged, keeping the highest confidence score. The final confidence is a weighted calculation across severity level, source agreement (findings confirmed by multiple engines score higher), and contextual signals (protective patterns detected in surrounding code).
Detection Accuracy & Proof
Kairo's three-engine architecture achieves 95.8% detection accuracy across known vulnerability classes, benchmarked against a dataset of 200+ audited contracts with confirmed vulnerabilities. The ML triage layer reduces false positives by 60% compared to single-engine static analysis — meaning developers fix real bugs instead of triaging noise.
False Positive Reduction
Most static analyzers report everything that matches a pattern. Kairo's context-aware scoring reduces false positives by analyzing protective code around each finding. The result: developers spend time fixing real issues, not triaging noise.
Reentrancy guard detected
nonReentrant modifier or ReentrancyGuard present near finding
Nonce + chain ID validation
EIP-712 signature patterns with proper replay protection
Gas limit specified
Explicit gas cap in .call{gas: N} prevents griefing classification
Internal/private visibility
Reduced attack surface lowers confidence on internal functions
Protective require/revert
Validation checks within 10 lines of finding location
Developer annotation
Comments like "intentional", "by design", "safe" in surrounding code
Net effect: 60% fewer false positives than single-pass static analysis, with 95.8% detection accuracy on known vulnerability classes. The ML triage layer learns from every scan to continuously improve precision.
Coverage
Validation
Multi-Engine Agreement Scoring
When multiple engines independently flag the same code location, confidence increases. A reentrancy finding confirmed by both pattern matching and Slither's taint analysis scores significantly higher than a single-engine finding — because independent confirmation is a strong signal.
Infrastructure
Foundry, Hardhat & Anchor Awareness
Native parsing of foundry.toml, remappings.txt, Anchor.toml, and Cargo.toml project structures. Longest-prefix-first import resolution handles complex monorepo setups. Anchor workspace detection resolves program dependencies. Test and script files are automatically excluded from production findings.
Import Graph & Dependency Analysis
Builds a full dependency graph from Solidity imports with circular dependency detection via depth-first search. Understands cross-contract interactions for deeper analysis.
SARIF 2.1.0 Output
Findings export as industry-standard SARIF for direct integration with GitHub Code Scanning. Each rule maps to CWE identifiers with external references.
MCP Protocol
Model Context Protocol server exposes all scanning tools to AI assistants. Claude Code, Cursor, and other MCP-compatible tools can scan projects through natural language.
API & Dashboard
The V1 API accepts scan results from CLI and CI/CD, stores them in a PostgreSQL database with pgvector for semantic search, and powers the web dashboard for cross-project visibility.
Supported Chains
Kairo provides comprehensive security analysis across all major blockchain ecosystems. Our architecture is designed for universal chain support — any EVM-compatible chain works out of the box, and our Solana analysis covers the second-largest smart contract platform. Each chain has purpose-built detection patterns, project structure awareness, and toolchain integration.
EVM Chains
Solidity • Vyper
Supported Networks
- • Ethereum (Mainnet, Sepolia, Holesky)
- • Polygon (PoS, zkEVM)
- • Arbitrum (One, Nova, Stylus)
- • Optimism & OP Stack chains
- • Base, Zora, Mode, Blast
- • BSC (BNB Chain)
- • Avalanche (C-Chain, Subnets)
- • zkSync Era, Linea, Scroll
- • Fantom, Cronos, Gnosis
- • Any EVM-compatible chain
Toolchain Integration
- • Foundry (forge, cast)
- • Hardhat
- • Truffle
- • Slither (90+ detectors)
- • Mythril (symbolic execution)
- • OpenZeppelin patterns
$ kairo scan ./contracts
Auto-detected: Foundry project (foundry.toml)
Solana
Rust • Anchor
Supported Frameworks
- • Anchor (v0.29+)
- • Native Rust programs
- • SPL Token programs
- • Solana Playground projects
Detection Patterns
- • Missing signer checks
- • Account data validation
- • PDA seed collisions
- • CPI privilege escalation
- • Integer overflow (u64)
- • Arbitrary CPI targets
$ kairo scan ./programs --chain solana
Auto-detected: Anchor project (Anchor.toml)
Unified Dashboard
Whether you're scanning Solidity contracts on Ethereum or Rust programs on Solana, all findings flow into the same centralized dashboard. Track security posture across chains, compare risk scores, and export unified audit reports — one platform for your entire smart contract portfolio.
Use Cases
Enterprise Protocol Teams
Banks, stablecoin issuers, and institutional DeFi teams that cannot upload code to third-party servers. Kairo scans locally and enforces security gates across every deployment.
- • Full compliance with code confidentiality requirements
- • CI/CD gates block vulnerable code from reaching production
- • Centralized dashboard for security leads and auditors
Development Teams Shipping Continuously
Teams deploying weekly or daily need security that moves at the speed of development, not a 6-month audit backlog.
- • Scan on every PR — no manual security reviews needed
- • Inline PR annotations show exactly what to fix
- • Security score tracking over time across the organization
Security Auditors
Audit firms use Kairo to automate initial passes, focus human expertise on business logic, and deliver reports faster.
- • Automated triage of common vulnerability patterns
- • Multi-engine results (pattern + Slither) in one report
- • PDF audit reports generated from scan results
Solana Protocol Teams
Teams building on Solana face unique security challenges — missing signer checks, PDA collisions, and CPI vulnerabilities. Most security tools only cover EVM. Kairo provides native Solana analysis.
- • Anchor-aware scanning understands account constraints and PDAs
- • Detects Solana-specific vulns: missing signers, CPI exploits, type confusion
- • Same CI/CD gates and dashboard for unified multi-chain visibility
AI-Assisted Development
Developers using Claude Code, Cursor, or other AI assistants can invoke Kairo scanning directly through the MCP server — no context switching.
- • Natural language scanning: "Scan this project for vulnerabilities"
- • AI explains findings and suggests remediation
- • Seamless integration with AI-assisted development workflows
Roadmap
Phase 1: CLI + CI/CD + Multi-Chain + On-Chain Monitoring
Current- • Local CLI scanning with pattern matching and Slither integration
- • GitHub Action with deep/pentest modes, attack graphs, and deployment gates
- • V1 API for scan upload, retrieval, and report generation
- • Security dashboard with findings, trends, and PDF export
- • MCP server for AI assistant integration
- • Solana / Rust / Anchor program scanning with Solana-specific patterns
- • Multi-chain support: All EVM chains + Solana + expanding
- • On-chain monitoring with real-time alerts across all supported chains
- • Anomaly detection for suspicious transactions and potential exploits
- • Contract behavior tracking and upgrade safety verification
Phase 2: Deep Analysis
- • Mythril integration for symbolic execution (EVM)
- • Multi-file cross-contract analysis with full import resolution
- • ML-powered false positive reduction
- • VS Code extension for inline findings
- • Solana formal verification via Certora / Seahorse integration
Phase 3: Enterprise
- • SSO integration (SAML, OIDC)
- • Team workspaces with role-based access
- • Custom rule creation for organization-specific patterns
- • Self-hosted deployment option
- • Audit logging for regulatory compliance
Phase 4: Advanced Security
- • Formal verification integration (Certora, K Framework)
- • Cross-chain bridge security analysis
- • MEV protection and frontrunning detection
- • Governance attack vector analysis
Smart contract security should not depend on a single audit at a single point in time, and it should not be limited to a single chain. It should be continuous, automated, multi-chain, and embedded in the development workflow. Kairo makes this the default — scanning every commit across all chains, performing penetration testing and fuzzing, monitoring deployed contracts in real-time, gating every deployment, and keeping your code where it belongs: in your environment.
95.8% Accuracy. All Chains. On-Chain Monitoring. Pentest & Fuzzing. 100% Local.
Start scanning your smart contracts in seconds.
This document is for informational purposes only and does not constitute financial advice.