A practical guide to using AI agents effectively for Solidity smart contract auditing. Covers why generic prompts fail in security contexts, and provides concrete prompt patterns for vulnerability detection, attack scenario generation, audit checklists, finding verification, and report generation. Advocates a structured three-agent pipeline (Planner, Analyzer, Reviewer) that integrates static analysis tools like Slither, Mythril, and Foundry alongside LLM reasoning. Key principles include giving the model an adversarial role, always injecting protocol context and invariants, enforcing structured JSON output, separating attack modeling from remediation, and requiring human review for Critical/High findings. Also warns against prompt injection via code comments and over-trusting 'no findings' results.
Table of contents
Why AI in Auditing Is a Different BeastThe Core Principles (That Most People Skip)Give the Model a Role That Isn’t “Helper”Context Is Not Optional — It’s MandatoryForce Structured OutputMake the Model Show Its WorkThe Prompt Patterns That Actually MatterVulnerability DetectionAttack Scenario GenerationAudit Checklist PassReport GenerationThe Verification Prompt (Don’t Skip This One)Building an Agent That Actually AuditsGet BATIS AB’s stories in your inboxIntegrating Tools the Right WayMistakes I See ConstantlyWhat a Real Workflow Looks LikeThe Checklist (Quick Reference)Where This Is All GoingSort: