Web3 is moving fast, and so are the threats.
This month, we’ve shipped some of our biggest improvements yet, focusing on
- continuous protection,
- higher detection accuracy,
- and smarter analysis of real-world smart contract behaviour.
Below is everything that’s new across the Fidesium platform and detection engine.
Platform Improvements
These are the platform improvements that have gone live.
1. Continuous Branch Protection (Pro) – Automated Nightly Scans
Pro customers can now enable continuous branch protection with automated nightly scans.
Your protected branches are rescanned automatically every night, so findings stay current as:
- new vulnerabilities emerge
- compilers evolve
- libraries update
- and our detection engine gets smarter
2. Faster, Clearer Security Workflows
We’ve redesigned the interface for exploring your scan history:
- better filtering
- faster search
- clearer issue grouping
- improved remediation tracking
You can now convert findings into actionable work items with far less friction, helping teams fix issues quickly.
3. Partnership-Ready Coupon Infrastructure
We’ve added a highly flexible coupon and promotion system to support:
- ecosystem partners
- conferences
- incubators
- hackathons
- community campaigns
This makes it easier for teams to get started with Fidesium through exclusive programs and partner discounts.
4. Quality-of-Life Improvements Across the Platform
We refined key user flows, including:
- onboarding
- payment processing
- account management
These updates remove friction and reduce time-to-value – so you can focus on what matters: shipping secure code.
Detection Engine Upgrades (Core Technology)
Where your security really scales.
This month, we delivered major improvements to semantic coverage, multi-function reasoning, ML-powered false positive reduction, and new real-world exploit class detectors.
1. Full Call Graph Extraction
We’ve extended our analysis engine to extract complete function call graphs in addition to traditional AST parsing.
This allows Fidesium to follow how:
- data flows across functions
- inputs propagate through internal logic
- state is mutated in multi-step sequences
By understanding relationships between functions, we now catch sophisticated vulnerabilities that simpler AST-only analysis misses – especially multi-call, multi-component, and inter-procedural issues.
This is a foundational upgrade powering more accurate, context-aware detection across entire codebases.
2. ML-Powered State-Guard Reasoning (XGBoost Prototype)
Static analysis struggles with ambiguous patterns like:
- multi-stage initialization
- state-dependent guard checks
- paused-mode behavior
- complex modifiers
Most scanners either flag too much noise or miss critical edge cases.
Our XGBoost-powered prototype solves this by learning semantic intent, not just syntax, using 62 AST-derived structural features.
The results are significant:
- 71% reduction in false positives overall
- 94% reduction on the hardest state-dependent guard patterns
- 100% recall maintained (no loss of detection coverage)
This shows our ability to bridge the gap between static logic and semantic context, and we are now evaluating how to deploy this model in production.
3. New & Enhanced Core Detectors
Your detectors are what protect your protocol. These improvements directly expand real-world exploit coverage.
Arbitrary Calldata Passing (High-Severity)
Unchecked external input forwarded into low-level calls can enable:
- arbitrary external calls chosen by the caller (and, with delegatecall, execution of attacker-chosen code in the contract's own storage context)
- logic manipulation
- privilege escalation
- critical behaviour changes
Our enhanced detector now:
- tracks tainted data across call, delegatecall, staticcall
- follows propagation through internal calls and modifiers
- flags unvalidated calldata flows before they reach dangerous execution points
This covers one of the most dangerous classes of Solidity vulnerabilities.
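The pattern the detector targets, as an added illustration that is not Fidesium code or detector output: a forwarder that passes caller-supplied target and calldata straight into call (and delegatecall), beside a hardened version that restricts who may call it and which target/selector pairs are allowed. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vulnerable: both the target and the calldata are caller-controlled and
// reach a low-level call unvalidated. Any token that users have approved
// to this contract can be pulled via transferFrom through execute(), and
// executeDelegate() runs attacker-chosen code with this contract's storage.
contract UncheckedForwarder {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }

    function executeDelegate(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.delegatecall(data);
        require(ok, "delegatecall failed");
        return ret;
    }
}

// Hardened: only the owner can forward, only to an allow-listed
// (target, selector) pair, and delegatecall is not offered at all.
contract CheckedForwarder {
    address public immutable owner;
    mapping(address => mapping(bytes4 => bool)) public allowed;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setAllowed(address target, bytes4 selector, bool ok) external onlyOwner {
        allowed[target][selector] = ok;
    }

    function execute(address target, bytes calldata data) external onlyOwner returns (bytes memory) {
        require(data.length >= 4, "short calldata");
        bytes4 selector = bytes4(data[:4]); // first four bytes select the function
        require(allowed[target][selector], "target/selector not allowed");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}
```

The selector check is the minimum; a stricter forwarder also decodes and validates the arguments for each allowed selector, since a permitted function can still be called with hostile parameters.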
DoS via Unbounded Loops – Now Multi-Function Aware
Using our new call graph system, we now:
- trace loop bounds across function boundaries
- detect missing or broken bound checks
- respect legitimate guard conditions
- recognize invariant-style upper limits
Results:
- 67% fewer false positives
- 21% fewer false negatives
You get cleaner, more accurate alerts with far less noise.
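An added example of the multi-function case described here and in the call graph section above (illustrative code, not part of the Fidesium engine; contract names are hypothetical). In the vulnerable contract the loop's bound is an array that any caller can grow without limit; in the hardened one the bound is enforced in a different function from the loop, which is exactly the invariant an analyser has to follow across the call graph to avoid a false positive.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vulnerable: register() lets anyone grow `recipients` forever, so
// distribute() eventually needs more gas than a block allows and no
// one can be paid. The loop itself looks innocent; the missing bound
// is in another function.
contract UnboundedPayout {
    address[] public recipients;
    mapping(address => uint256) public owed;

    function register() external {
        recipients.push(msg.sender);
    }

    function distribute() external payable {
        uint256 n = recipients.length;
        uint256 share = msg.value / n;
        for (uint256 i = 0; i < n; i++) {
            owed[recipients[i]] += share;
        }
    }
}

// Hardened: the upper bound is an invariant maintained by register(),
// so the loop in distribute() can never run more than MAX_RECIPIENTS
// iterations even though distribute() contains no check of its own.
contract BoundedPayout {
    uint256 public constant MAX_RECIPIENTS = 200;
    address[] public recipients;
    mapping(address => uint256) public owed;

    function register() external {
        require(recipients.length < MAX_RECIPIENTS, "registry full");
        recipients.push(msg.sender);
    }

    function distribute() external payable {
        uint256 n = recipients.length; // n <= MAX_RECIPIENTS by construction
        uint256 share = msg.value / n;
        for (uint256 i = 0; i < n; i++) {
            owed[recipients[i]] += share;
        }
    }
}
```

A scanner that only inspects distribute() flags both contracts identically; one that follows register() to recipients to distribute() sees the cap and reports only the first. Where a hard cap is not acceptable, paginating the loop (processing a fixed batch per call from a stored cursor) bounds gas per transaction instead.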
Fee-on-Transfer Token Accounting Risks
Fee-on-transfer tokens can break accounting logic and enable:
- silent balance drift
- mismatch between expected vs actual received tokens
- exploitable discrepancies in price and share calculations
Our upgraded detector now:
- tracks variable aliases across functions
- understands state changes inside modifiers
- interprets assembly-level function selectors
- follows multi-step accounting sequences end-to-end
This gives you robust protection against one of the most common sources of DeFi exploits.
Advanced Bounds & TOCTOU Validation
We upgraded bounds detection to handle:
- modifier-based checks
- in-memory array bounds
- large invariant constraints
- multi-function state changes
Critically, we now catch TOCTOU (time-of-check, time-of-use) vulnerabilities, where an index or array state is validated in one function but the array is changed before that index is actually used in another.
This stops an entire class of real-world array-based exploits.
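The cross-function TOCTOU shape in code, as an added example and not Fidesium's own (names hypothetical): the bounds and ownership check happens in reserve(), the array is reshaped by a swap-and-pop remove() in a later transaction, and claim() trusts the stale index. Solidity's built-in bounds check turns an index past the end into a revert, so the exploitable case is the index that is still in range but now points at someone else's element.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vulnerable: reserve() validates `index` at time of check; remove()
// moves the last lot into a vacated slot; claim() uses the saved index
// at time of use without re-validating it.
contract LotTOCTOU {
    struct Lot {
        address owner;
        uint256 value;
    }

    Lot[] public lots;
    mapping(address => uint256) public reservedIndex;

    function add(uint256 value) external {
        lots.push(Lot(msg.sender, value));
    }

    // Time of check.
    function reserve(uint256 index) external {
        require(index < lots.length, "out of range");
        require(lots[index].owner == msg.sender, "not yours");
        reservedIndex[msg.sender] = index;
    }

    // Swap-and-pop: whoever owned the last lot now sits at `index`.
    function remove(uint256 index) external {
        require(index < lots.length, "out of range");
        require(lots[index].owner == msg.sender, "not yours");
        lots[index] = lots[lots.length - 1];
        lots.pop();
    }

    // Time of use: if the caller reserved index i and then removed lot i,
    // this returns the lot that was swapped into slot i, owned by someone else.
    function claim() external virtual returns (uint256 value) {
        value = lots[reservedIndex[msg.sender]].value;
    }
}

// Hardened: re-validate both the bound and the element's identity at
// the point of use; a check in an earlier transaction proves nothing
// about the array's state now.
contract LotChecked is LotTOCTOU {
    function claim() external override returns (uint256 value) {
        uint256 index = reservedIndex[msg.sender];
        require(index < lots.length, "out of range");
        require(lots[index].owner == msg.sender, "not yours");
        value = lots[index].value;
    }
}
```

Where the check and the use cannot be placed in the same transaction, keying reservations by a stable identifier (a lot id) rather than by array position removes the dependency on the array's layout altogether.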
Rounding Error Exploit Detection (Post-Balancer Class)
Following the Balancer exploit class, we built a specialised detector to ensure:
- rounding always favors the protocol
- paired scaling & rounding operations are symmetric
- intermediate rounding can’t be exploited for economic advantage
This catches subtle yet high-impact mathematical vulnerabilities that have caused multi-million dollar losses across DeFi.
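An added worked example of the rounding-direction rule the detector enforces, written here for illustration and not taken from Fidesium or from any exploited protocol; the vault state (1000 assets backing 300 shares) is constructed. In a share-based vault, each conversion must round against the caller: floor when the caller receives shares or assets, ceiling when the caller pays assets or burns shares. The naive function rounds the wrong way and under-charges every mint.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

library Rounding {
    // floor(a * b / c)
    function mulDivDown(uint256 a, uint256 b, uint256 c) internal pure returns (uint256) {
        return (a * b) / c;
    }

    // ceil(a * b / c), without overflowing on the +1 when a * b == 0
    function mulDivUp(uint256 a, uint256 b, uint256 c) internal pure returns (uint256) {
        uint256 p = a * b;
        return p == 0 ? 0 : (p - 1) / c + 1;
    }
}

contract SharesVault {
    using Rounding for uint256;

    // Constructed state: one share is worth 1000 / 300 = 3.33... assets.
    // Empty-vault handling (totalShares == 0) is omitted for brevity.
    uint256 public totalAssets = 1000;
    uint256 public totalShares = 300;

    // Vulnerable: charges floor(shares * totalAssets / totalShares).
    // Minting 1 share costs 3 assets for something worth 3.33, so every
    // call leaks a fraction to the caller and dilutes existing holders.
    function assetsForMintNaive(uint256 shares) public view returns (uint256) {
        return shares.mulDivDown(totalAssets, totalShares); // 1 share -> 3
    }

    // Hardened: each direction rounds against the caller, and the paired
    // operations (deposit/mint, withdraw/redeem) use matching formulas so a
    // round trip cannot come out ahead.
    function previewDeposit(uint256 assets) public view returns (uint256 shares) {
        shares = assets.mulDivDown(totalShares, totalAssets); // caller receives shares: floor
    }

    function previewMint(uint256 shares) public view returns (uint256 assets) {
        assets = shares.mulDivUp(totalAssets, totalShares);   // caller pays assets: ceil, 1 share -> 4
    }

    function previewWithdraw(uint256 assets) public view returns (uint256 shares) {
        shares = assets.mulDivUp(totalShares, totalAssets);   // caller burns shares: ceil
    }

    function previewRedeem(uint256 shares) public view returns (uint256 assets) {
        assets = shares.mulDivDown(totalAssets, totalShares); // caller receives assets: floor
    }
}
```

With the hardened functions, depositing 4 assets yields floor(4 * 300 / 1000) = 1 share and minting 1 share costs ceil(1000 / 300) = 4 assets, so the pair is consistent; with the naive mint, 3 assets buys the same share, and repeating that is how intermediate rounding turns into an economic drain.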
Bottom Line
With this release, Fidesium becomes:
✔ Smarter: semantic ML understanding + interprocedural logic
✔ More accurate: drastically fewer false positives
✔ More protective: expanded coverage of real-world attack vectors
✔ More continuous: nightly rescans for protected branches
✔ Easier to use: improved workflows + platform UX
✔ More aligned with modern Web3 risk
Every upgrade strengthens your automated audit baseline and helps you stay secure as your code – and the threat landscape – evolves.