Chainvet
Concepts

Analysis Engines

The four analysis modes — static, symbolic, fuzzing, and the hybrid feedback loop that combines them.

Chainvet has four analysis modes, selected with -m / --mode (default hybrid). Each engine is a pure library; the orchestrator merges and deduplicates their findings onto one severity/confidence scale.

Static analysis (static)

Fast and deterministic — no fuzzing budget. Builds a call graph, runs taint analysis and function summaries, and applies 45+ detectors (IDs like AC-01, RE-04). Best for CI and quick passes.

chainvet scan -m static contracts/

See the Detector reference for every rule.

Symbolic execution (symbolic)

Z3-backed path exploration. It reasons about which inputs drive the contract into a vulnerable state and returns concrete witnesses proving a path is reachable — turning "this looks risky" into "here is an input that triggers it."

chainvet scan -m symbolic contracts/

Tunable with --se-timeout-ms, --se-depth, and --se-assists (see Hybrid tuning).

Coverage-guided fuzzing (fuzzing)

A greybox fuzzer — generator, mutator, executor, oracle, scheduler — that mutates inputs to maximize code coverage and drives contracts into failing states. Set --seed for reproducible runs.

chainvet scan -m fuzzing contracts/

Hybrid (hybrid, the default)

The reason Chainvet exists. Instead of running the three engines in isolation, hybrid mode wires them into a single feedback loop:

  • static analysis steers symbolic execution — detectors point the solver at suspicious code,
  • symbolic witnesses seed the fuzzer — concrete inputs give the fuzzer a head start,
  • coverage stalls trigger further symbolic assists — when the fuzzer plateaus, the solver helps it past the wall.
chainvet scan contracts/        # hybrid is the default

Because it runs all three, hybrid finds the most — use it for a real audit. It's tunable through the Hybrid tuning flags (--epochs, --fuzz-time-ms, --hard-cap-ms, and more); lower them for a faster, shallower scan or raise them for a more thorough one.

One scale across engines

Static confidence is heuristic (a detector's expected precision), symbolic confidence comes from solver evidence, and fuzzing confidence comes from concrete reproduction — but all three land on the same high/medium/low scale so the orchestrator can rank and merge them. See Severity & Confidence.

On this page