TL;DR: Fidesium’s Q1 2026 update delivers
- scanning speeds 140x faster on large repositories,
- cross-contract bug detection across multi-file codebases,
- on-chain deployment scanning for 30+ EVM chains,
- a Solana fuzzing harness that outperforms public alternatives by 5x,
- and a 90%+ improvement in reentrancy detection.
Here’s what changed, what it means for your team, and why it matters now.
Most smart contract security updates read like patch notes. A list of fixes. A version bump. Maybe a screenshot.
We think that undersells the work and more importantly, it misses the question you’re actually asking: does this make my protocol safer?
So instead of a changelog (we have one of those too), here’s what Fidesium shipped in Q1 2026, framed around the problems these improvements actually solve.
Large codebases no longer mean large wait times
If you’ve ever run automated audit tooling against a production-scale repository, you know the pain. Scans that take hours. Engineers blocked. CI pipelines stalled. At a certain point, the tool becomes a bottleneck instead of a safeguard.
We rebuilt our scanning engine from the ground up this quarter. Deep algorithmic and memory optimizations brought scan times on large repositories, like Balancer, from over 12 hours down to under 5 minutes. That’s not a marginal improvement. That’s the difference between a tool your team uses once before a major release and one that runs on every pull request.
The critical detail: we didn’t sacrifice detection quality to get there. Faster scans that miss vulnerabilities aren’t faster scans, they’re false confidence. Every optimization was validated against our full detection benchmark suite before shipping.
Cross-contract bugs are no longer invisible
Here’s a pattern we see constantly in Web3 security consulting engagements: a vulnerability doesn’t live in any single contract. It lives in the interaction between contracts; in how library A passes data to contract B, which delegates to contract C. Traditional file-by-file scanners miss these entirely.
Fidesium now supports multi-file scanning with full cross-contract flattening and deduplication. The scanner resolves import trees, identifies shared dependencies, and traces taint across contract boundaries. Bugs that span multiple files; the ones that actually get exploited in production; are now surfaced in a single, unified scan.
We also separated dependency-sourced findings from user-defined code vulnerabilities, so your team isn’t wading through noise from OpenZeppelin or other well-audited libraries to find the issues that actually matter in your code.
Scan what’s actually deployed, not just what’s in your repo
There’s a gap that most smart contract audit workflows don’t address: the difference between the code in your repository and the bytecode actually deployed on-chain. Deployment scripts, compiler versions, constructor arguments, any of these can introduce discrepancies.
Fidesium now supports on-chain deployment scanning. Register a deployed contract address across any of 30+ supported EVM chains, and we’ll scan the deployed bytecode directly. No repo access required. No assumptions about whether what shipped matches what was reviewed.
For founders and CTOs managing multi-chain deployments, this closes a real blind spot. For security teams doing ongoing monitoring, it’s a tool that didn’t exist in this form before.
A Solana fuzzer built for speed, not just coverage
Solana security tooling has lagged behind EVM tooling for years. Fuzzing, one of the most effective techniques for finding edge-case vulnerabilities, has been particularly underserved. Public Solana fuzzers are slow, memory-hungry, and painful to integrate into real engagement workflows.
We built a high-performance Solana fuzzing harness this quarter, natively bridging Cross-Program Invocations (CPI) via LiteSVM onto native hardware from BPF mode. In benchmarks, it outperforms publicly available alternatives by approximately 5x in both operations per second and memory efficiency.
What this means in practice: deeper fuzzing coverage in less time, faster engagement spin-up, and the ability to explore state spaces that were previously cost-prohibitive to test. If your protocol is building on Solana and you’re relying on manual review alone, this is the kind of dev tooling that changes what’s possible.
Reentrancy detection that actually works
Reentrancy remains one of the most exploited vulnerability classes in smart contract security and one of the hardest to detect automatically. Most scanners catch the textbook single-function case. The real-world variants? Cross-function reentrancy, self-call guards, legacy Solidity syntax patterns? Those get missed.
We overhauled our reentrancy detector this quarter and validated it against the SmartBugs curated benchmark. The result: a 90%+ improvement in detection accuracy. The detector now handles cross-function reentrancy paths, recognizes self-call guard patterns, and correctly parses pre-Solidity 0.6 syntax that trips up most automated tools.
We applied the same rigor across our other detectors. The unbounded array DoS detector now recognizes bounds validation patterns, handles cached length variables and nested array iteration, supports while-loop variants, and runs roughly 50% faster through a single-pass AST traversal. Division-before-multiplication detection now correctly handles intentional flooring patterns with small constant divisors, a common source of false positives that erodes trust in automated findings.
Fewer false positives, more signal
Every false positive your team has to triage is time not spent on real vulnerabilities. It’s also trust lost in the tool. When a scanner cries wolf often enough, engineers start ignoring its output entirely, and that’s when real bugs slip through.
This quarter we ran a systematic false positive and false negative reduction effort across our detector suite. Beyond the specific improvements above, we enhanced cross-contract taint and callgraph analysis for transitive internal calls, improved existence checking, and added recognition for hex literal checks and parenthesized ternary expressions.
The goal isn’t just more findings. It’s better findings, the kind your security team acts on instead of dismissing.
What this adds up to
Each of these improvements addresses a specific gap in how smart contract security is practiced today. Taken together, they reflect Fidesium’s core thesis: that the future of web3 security isn’t choosing between human expertise and automated tooling. It’s building infrastructure where they compound each other.
Manual audits catch what machines miss. Machines catch what humans overlook. The question is whether your security tooling is good enough to hold up its end of that partnership.
That’s what we’re building.
Want to see how Fidesium’s platform fits into your security workflow?
Book a demo and we’ll walk you through it – no pitch deck, just a live look at what the tooling can do on your codebase.
