Skip to content

feat(sn60): add hybrid depth-then-breadth miner (jaytbarimbao-collab-20260712-01)#128

Open
jaytbarimbao-collab wants to merge 1 commit into
Autovara:mainfrom
jaytbarimbao-collab:sn60-jaytbarimbao-collab-20260712-01
Open

feat(sn60): add hybrid depth-then-breadth miner (jaytbarimbao-collab-20260712-01)#128
jaytbarimbao-collab wants to merge 1 commit into
Autovara:mainfrom
jaytbarimbao-collab:sn60-jaytbarimbao-collab-20260712-01

Conversation

@jaytbarimbao-collab

Copy link
Copy Markdown

Adds one miner bundle under submissions/sn60__bitsec/miner/jaytbarimbao-collab-20260712-01/. No files outside the submission directory are touched.

Approach — hybrid depth-then-breadth

The agent ranks every Solidity/Vyper source file by risk (suspicious names, external-call / access-control / accounting patterns, function density), then spends its three inference calls deliberately, within the validator's per-problem budget (3 calls / 24k output tokens):

  • Calls 1–2 — full depth. The two highest-risk contracts are each audited in their own call, with the whole file as context (untruncated up to a generous cap) plus one directly-imported dependency, so the model can follow the protocol logic end-to-end.
  • Call 3 — breadth. A single batched pass over the next tier of suspicious contracts, so a bug outside the top two is still reachable.

Every finding is emitted in matcher-friendly form — exact file path, contract, function, severity (high/critical), and a description that names the file, contract and function, then the exploit mechanism and concrete impact — then deduped and capped.

Safety / contract

  • Self-contained, standard-library only; performs genuine per-run analysis (no hardcoded findings or benchmark fingerprints) and reaches the model only through the validator inference proxy (x-inference-api-key).
  • Synchronous agent_main(project_dir=None, inference_api=None), callable with no arguments, always returns {"vulnerabilities": [...]}.
  • Never raises: a timeout, budget 429, or malformed model reply degrades to the findings gathered so far.
  • No API keys, validator secrets, benchmark-answer references, or model/sampling overrides.

Local checks

  • kata submission validateStatus: valid, Screening status: pass
  • ruff check on the bundle → clean
  • Offline smoke run against a sample project: ranking and the 2-depth + 1-breadth call plan exercised, no crash.

@carlos4s carlos4s added the kata:pending Kata screened this PR: waiting for the next competition round. label Jul 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

kata:pending Kata screened this PR: waiting for the next competition round.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants