2025-12-31
2025

#Added– SARIF file generation: Pro users can now generate and download SARIF files, enabling integration with other SAST providers and security tools that consume the format.

#Added– Implemented XGBoost feature caching for Missing Access Control detection, reducing detector runtime by ~80%

#Added– Added loading indicators throughout the platform to ensure data availability before user actions

#Added– Deployed robust frontend Sentry integration for improved bug identification and tracking

#Changed– Rolled out enhanced CI/CD guarantees on our core detectors with rigorous typechecking and code quality standards (mypy + ruff) to maintain long-term velocity and stability

#Changed– Reduced frontend bundle size dramatically with improved chunking, resulting in faster load times and enhanced performance

#Changed– Optimized Docker layer caching and test parallelization, reducing average deployment times for detectors from 15 minutes to 8 minutes, enabling faster value delivery and shorter incident response times

#Changed– Improved memory management, reducing detector memory usage by ~40%

#Changed– Migrated detectors from requirements.txt to pyproject.toml, enabling cleaner separation of dev dependencies and reducing deployed bundle size and attack surface

#Removed– Removed personal teams and completed the associated code cleanup, eliminating several race-condition-related signup bugs

#Security– DoS unbounded loop detection: Large unbounded loops can lead to total protocol failure through denial-of-service, since a loop whose gas cost grows past the block gas limit makes the function uncallable. We’ve reduced false positives by properly handling hardcoded loop sizes below a reasonable bound, especially for loops that make external contract calls.

#Security– Zero address transfer protection: Most contracts should revert on transfers to the zero address to protect protocol and user funds. Our detectors now avoid false positives on values that can never be the zero address (e.g., msg.sender), using full variable resolution.

#Security– Missing reentrancy protection: Reentrancy, the classic smart contract vulnerability in which an external call hands control to another contract that calls back into the caller before the caller has updated its state, is now detected with significantly hardened capabilities. We’ve improved both false positive reduction (by fully exploring the call graph and respecting callsite

2026-03-31
2026

#added– **Multi-file scan support**: Cross-contract flattening and deduplication, enabling detection of cross-contract and cross-library bugs

#added– **Dependency separation**: User-defined vulnerabilities are now cleanly separated from dependency-sourced findings to simplify triage and prioritization

#added– **Solo dev and hackathon support**: The system now correctly handles repositories owned by individual GitHub accounts rather than organizations

#added– **On-Chain Deployment Scanning**: Users can now register deployed contract addresses across 30+ EVM chains and trigger scans directly against deployed bytecode

#added– **Robust Solana fuzzing harness**: Outperforms publicly available fuzzers by ~5× in operations per second and memory efficiency

#changed– **Dramatic performance improvements**: Deep algorithmic and memory optimization — runtime on large repositories (e.g. Balancer) is now sub-5 minutes (down from 12+ hours) without sacrificing detection quality

#changed– **Systematic false positive and false negative reduction** across multiple detectors:

#changed– Detectors now recognize pre-0.6 Solidity syntax, hex literal checks, and parenthesized ternary expressions

#changed– The division-before-multiplication detector now handles small constant divisors correctly, avoiding false positives on intentional flooring patterns such as rounding a value down to a multiple of the divisor

#changed– 90%+ improvement in reentrancy detection against the SmartBugs curated benchmark

#changed– **Cross-contract taint and callgraph analysis** for transitive internal calls

#changed– **Restructured issue summary generation** for better consistency, reduced drift, and improved per-instance summarization
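The division-before-multiplication rule above, as an added example that is not the product's own detector code: a check over an expression tree that flags a multiplication whose operand is a division, with the small-constant-divisor exception for intentional flooring. Python's `ast` module stands in for a Solidity parser because the arithmetic grammar is the same for these operators; the threshold `SMALL_DIVISOR_MAX`, the sample expressions and the `share_of_reserve` helper are constructed for this example.

```python
"""Toy division-before-multiplication detector (added example, not the
product's detector). Expressions are written in Python syntax; Solidity `/`
is integer division, so the numeric demo below uses `//`."""
from __future__ import annotations

import ast

# Assumed threshold for this example: a divisor at or below it is treated as
# deliberate rounding, e.g. `(x / 2) * 2` rounds x down to an even number.
SMALL_DIVISOR_MAX = 10


def _is_small_constant(node: ast.expr, limit: int) -> bool:
    """True for an integer literal in the range 1..limit."""
    return (isinstance(node, ast.Constant)
            and isinstance(node.value, int)
            and 0 < node.value <= limit)


def find_div_before_mul(expr: str, limit: int = SMALL_DIVISOR_MAX) -> list[str]:
    """Return every multiplication that has a division as a direct operand,
    unless that division is by a small constant (intentional flooring)."""
    tree = ast.parse(expr, mode="eval")
    findings: list[str] = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mult)):
            continue
        for side in (node.left, node.right):
            if (isinstance(side, ast.BinOp)
                    and isinstance(side.op, (ast.Div, ast.FloorDiv))
                    and not _is_small_constant(side.right, limit)):
                findings.append(ast.unparse(node))
                break  # report each multiplication once
    return findings


def share_of_reserve(amount: int, total: int, reserve: int) -> tuple[int, int]:
    """Integer results of the flagged operand order and the corrected one,
    showing the precision lost when the division comes first."""
    flagged = (amount // total) * reserve
    corrected = (amount * reserve) // total
    return flagged, corrected


if __name__ == "__main__":
    # Constructed sample expressions.
    print(find_div_before_mul("amount / total * reserve"))  # ['amount / total * reserve']
    print(find_div_before_mul("(x / 2) * 2"))               # [] (small constant divisor)
    print(find_div_before_mul("amount * reserve / total"))  # [] (multiply first)
    print(share_of_reserve(1000, 3000, 5000))               # (0, 1666)
```

The numeric helper makes the point concrete: a holder of 1000 out of 3000 units receives 0 of a 5000-unit reserve when the division is performed first, and 1666 when the multiplication is performed first.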

#removed– *(No features were removed in this release)*

#security– **Cross-contract taint and callgraph analysis** for transitive internal calls (significantly improves detection of complex security issues spanning multiple contracts)

#security– Enhanced **Unbounded array DoS detector** – now better identifies gas-based denial-of-service vectors that could brick time-sensitive operations

#security– Improved **reentrancy detection** by 90%+ on the SmartBugs benchmark through better cross-function and legacy syntax support

#security– **Dependency separation** – clear distinction between user-defined and dependency vulnerabilities for more accurate risk prioritization
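The reentrancy and call-graph entries above (and the reentrancy entry in the 2025-12-31 release) describe why a detector has to follow internal calls rather than inspect one function body at a time. As an added example that is not the product's detector code, the following toy check walks a hand-written statement IR: with internal calls inlined it finds the vulnerable `withdraw`, whose external call lives in a helper; without inlining the same function looks clean. The IR, the statement kinds and the sample contract are all constructed for this example.

```python
"""Toy interprocedural reentrancy check over a hand-written IR (added example,
not the product's detector). Statement kinds, all assumed for this example:
  ("call", fn)        internal call to another function of the contract
  ("extcall", target) external call; control leaves the contract
  ("write", slot)     storage write
  ("guard",)          nonReentrant-style guard on function entry
"""
from __future__ import annotations

from typing import Iterator

Stmt = tuple

# Constructed sample contract, not real code.
SAMPLE_CONTRACT: dict[str, list[Stmt]] = {
    # Vulnerable: the ether transfer lives in a helper, and the balance is
    # zeroed only after control returns from it.
    "withdraw": [("call", "_send"), ("write", "balances[msg.sender]")],
    "_send": [("extcall", 'msg.sender.call{value: amount}("")')],
    # Same shape, but protected by a reentrancy guard.
    "safeWithdraw": [("guard",), ("call", "_send"), ("write", "balances[msg.sender]")],
    # Checks-effects-interactions: state is updated before the external call.
    "ceiWithdraw": [("write", "balances[msg.sender]"), ("call", "_send")],
    # Self-recursive function: the walker has to terminate on cycles.
    "ping": [("call", "ping"), ("extcall", "other.ping()")],
}


def trace(contract: dict[str, list[Stmt]], fn: str, inline: bool,
          stack: tuple[str, ...] = ()) -> Iterator[Stmt]:
    """Yield the statements executed by fn in program order.

    With inline=True, internal calls are expanded depth-first; a function
    already on the call stack is skipped, which cuts recursion cycles. With
    inline=False internal calls are ignored, which is all an intraprocedural
    check sees.
    """
    if fn in stack:
        return
    for stmt in contract[fn]:
        if stmt[0] == "call":
            if inline:
                yield from trace(contract, stmt[1], inline, stack + (fn,))
        else:
            yield stmt


def is_reentrant(contract: dict[str, list[Stmt]], fn: str, inline: bool = True) -> bool:
    """True if an unguarded storage write follows an external call."""
    guarded = False
    after_extcall = False
    for stmt in trace(contract, fn, inline):
        kind = stmt[0]
        if kind == "guard":
            guarded = True
        elif kind == "extcall":
            after_extcall = True
        elif kind == "write" and after_extcall and not guarded:
            return True
    return False


def detect_reentrancy(contract: dict[str, list[Stmt]], inline: bool = True) -> list[str]:
    """Report vulnerable entry points; helpers prefixed with '_' are internal."""
    return sorted(fn for fn in contract
                  if not fn.startswith("_") and is_reentrant(contract, fn, inline))


if __name__ == "__main__":
    print("intraprocedural:", detect_reentrancy(SAMPLE_CONTRACT, inline=False))  # []
    print("interprocedural:", detect_reentrancy(SAMPLE_CONTRACT, inline=True))   # ['withdraw']
```

The guard and the checks-effects-interactions variants are the two standard fixes, and both are reported clean; the recursive `ping` shows the cycle cut that any call-graph walk needs so it terminates on self-recursive or mutually recursive functions.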
