wakehacker
AI comedian/auditor, travels the internet roasting EVM contracts. Next-gen utility AI agent.
Created on 28th February 2025
The problem wakehacker solves
Wakehacker is an autonomous AI agent designed to make smart contract security analysis more accessible. By combining Wake Framework's battle-tested detections with AI capabilities, Wakehacker delivers automated vulnerability detection for Ethereum smart contracts.
Agentic Security Model
Traditionally, security audits were commissioned exclusively by project teams, requiring users to trust teams to manage risks effectively. Wakehacker introduces a new paradigm as a next-gen utility AI agent where security analysis is triggered autonomously by AI, users and developers.
Wakehacker is poised to become a voice of Web3 security. Operating 24/7, continually scanning contracts and advocating for better security practices, it provides findings that help build more secure systems.
User Interaction and Data Flow
Smart contract security analysis is available through X (Twitter) interactions. Any user can request analysis by providing a contract address, which triggers source code retrieval, project compilation, and automated analysis. Wakehacker also proactively scans deployed contracts without user requests (random selection from Etherscan).
Initial Scan & Public Summary
The first message gives a high-level overview of the detected issues without technical details: risk levels (Low/Medium/High) and confidence ratings (Low/Medium/High). This keeps the process transparent without publishing enough detail for immediate exploitation.
Detailed Reports
After the initial scan and public summary, Wakehacker posts a sample of the detailed findings. The complete set of findings is available on the user's request (to avoid spamming X).
Critical Issue Handling
For high-risk, high-confidence detections (possible criticals), Wakehacker looks up the X account associated with the contract on Etherscan and first notifies the project publicly by tagging that account. The finding details are provided only after the associated X account confirms.
The project architecture and development process
Wakehacker is implemented as a plugin for ElizaOS that runs the Wake Framework in the background.
Product Integrations
We had to solve two problems:
1. get the source code of a deployed contract from just its address,
2. get the X account associated with a contract address.
For 1) we used the service https://sourcify.dev/; for 2) we scraped Etherscan.
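The source-retrieval step described above, as an added example (not Wakehacker's or Wake's own code). It assumes Sourcify's `GET /server/files/any/{chainId}/{address}` endpoint and its response shape `{"status": "full" | "partial", "files": [{"name", "path", "content"}, ...]}`; the address, payload and file contents are constructed so the example runs offline. The point a practitioner cares about: the address comes from an untrusted X reply, so it is validated before it touches a URL, and the repository paths Sourcify returns are sanitised before anything is written to disk.

```python
"""Retrieve verified sources for a deployed contract from Sourcify and lay
them out under a project root so a compiler (e.g. Wake) can build them.

Added example, not Wakehacker's own code. Assumed Sourcify endpoint:
GET /server/files/any/{chainId}/{address} ->
{"status": "full" | "partial", "files": [{"name", "path", "content"}, ...]}
"""
import json
import re
import tempfile
import urllib.request
from pathlib import Path

SOURCIFY = "https://sourcify.dev/server"
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def sourcify_url(chain_id: int, address: str) -> str:
    """Build the lookup URL. Reject anything that is not a 20-byte hex address
    so untrusted input from an X reply cannot alter the request path."""
    if not ADDRESS_RE.match(address):
        raise ValueError(f"not an EVM address: {address!r}")
    return f"{SOURCIFY}/files/any/{int(chain_id)}/{address}"


def fetch_sources(chain_id: int, address: str, opener=urllib.request.urlopen) -> dict:
    """Network call (not exercised offline); `opener` is injectable for tests."""
    with opener(sourcify_url(chain_id, address), timeout=30) as resp:
        return json.load(resp)


def relative_path(entry: dict, address: str) -> Path:
    """Map a Sourcify repository path to a path under the project root.
    Sourcify paths look like .../full_match/<chain>/<address>/sources/src/A.sol
    (assumption); everything after the address segment is kept. Traversal is refused."""
    raw = entry.get("path") or entry["name"]
    parts = raw.replace("\\", "/").split("/")
    lowered = [p.lower() for p in parts]
    if address.lower() in lowered:
        parts = parts[lowered.index(address.lower()) + 1:]
    else:
        parts = [entry["name"]]
    parts = [p for p in parts if p]
    if not parts:
        parts = [entry["name"]]
    if ".." in parts or "." in parts:
        raise ValueError(f"refusing suspicious path: {raw!r}")
    return Path(*parts)


def materialize(payload: dict, dest: Path, address: str) -> dict:
    """Write every returned file under `dest`; return match status, written
    paths and the compiler version recorded in metadata.json."""
    status = payload.get("status")
    if status not in ("full", "partial"):
        raise ValueError(f"unexpected Sourcify status: {status!r}")
    dest = Path(dest).resolve()
    written, compiler = [], None
    for entry in payload.get("files", []):
        rel = relative_path(entry, address)
        target = (dest / rel).resolve()
        if dest not in target.parents:  # second line of defence against escapes
            raise ValueError(f"path escapes project root: {rel}")
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(entry["content"])
        written.append(rel.as_posix())
        if rel.name == "metadata.json":
            # Solidity metadata records the exact compiler build used for verification
            compiler = json.loads(entry["content"]).get("compiler", {}).get("version")
    return {"status": status, "files": sorted(written), "compiler": compiler}


# Constructed sample data mimicking a full-match response (not real chain data).
SAMPLE_ADDRESS = "0x1111111111111111111111111111111111111111"
SAMPLE_PAYLOAD = {
    "status": "full",
    "files": [
        {"name": "Token.sol",
         "path": f"/home/data/repository/contracts/full_match/1/{SAMPLE_ADDRESS}/sources/src/Token.sol",
         "content": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.20;\ncontract Token {}\n"},
        {"name": "metadata.json",
         "path": f"/home/data/repository/contracts/full_match/1/{SAMPLE_ADDRESS}/metadata.json",
         "content": json.dumps({"compiler": {"version": "0.8.20+commit.a1b79de6"}})},
    ],
}


def run_demo(payload: dict = SAMPLE_PAYLOAD, address: str = SAMPLE_ADDRESS) -> dict:
    """Materialise the constructed payload into a temp dir and read one file back."""
    with tempfile.TemporaryDirectory() as tmp:
        result = materialize(payload, Path(tmp), address)
        result["source_ok"] = (Path(tmp) / "sources/src/Token.sol").read_text().startswith("// SPDX")
    return result


if __name__ == "__main__":
    print(run_demo())
```

Two caveats worth carrying into the real pipeline: a `partial` match means the runtime bytecode matches but the metadata hash does not, so the sources may differ from the exact build that was deployed, and the report should say so; and the compiler version from `metadata.json` is what the compilation step should pin to, otherwise detections can fire on code the deployed bytecode never contained.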
Key differentiators and uniqueness of the project
All security AI agents run Slither and have an LLM summarise its findings. We use Wake, which reports fewer findings (lower recall) but with higher precision. The goal is to produce as few false positives as possible rather than to catch as many bugs as possible.
Trade-offs and shortcuts while building
X account problem
We ran into an issue with the X account: the agent got shadow banned, so the replies with findings are not visible. This is of course a problem we will have to solve.
Ethical questions
The problem we were solving was how to disclose findings safely while remaining fully public and transparent. We believe building and hacking should happen in public; however, we cannot guarantee that the service won't be triggered by malicious actors.
Our solution publishes a summary of all findings but details only for low- and medium-impact findings; high-impact findings are disclosed only after confirmation from the X account associated with the contract address.
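The disclosure policy described in this section and under "Initial Scan & Public Summary", "Detailed Reports" and "Critical Issue Handling" above, as an added example (not Wakehacker's own code). The `Finding` shape, the field names and the `confirmed` flag (which in the real flow comes out of band from the associated X account) are assumptions; the findings are constructed sample data, not real detector output. What it demonstrates: the public summary carries only counts, detail release is gated on risk and on confirmation, and the sample shown without a request is deterministic (most severe first) rather than random.

```python
"""Disclosure gating for scan results: public summary with no technical
detail, sampled details for low/medium findings, high-risk details
withheld until the project confirms.

Added example, not Wakehacker's own code. Finding fields and the
`confirmed` flag are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

LEVELS = ("low", "medium", "high")
RANK = {level: i for i, level in enumerate(LEVELS)}


@dataclass(frozen=True)
class Finding:
    detector: str      # detector name, e.g. "reentrancy"
    risk: str          # "low" | "medium" | "high"
    confidence: str    # "low" | "medium" | "high"
    location: str      # file:line
    description: str   # technical detail: never placed in the public summary


def _check(f: Finding) -> None:
    if f.risk not in LEVELS or f.confidence not in LEVELS:
        raise ValueError(f"bad risk/confidence on {f.detector}: {f.risk}/{f.confidence}")


def is_critical(f: Finding) -> bool:
    """High risk and high confidence: the 'possible critical' class."""
    return f.risk == "high" and f.confidence == "high"


def public_summary(findings: List[Finding]) -> str:
    """First message: counts per risk/confidence only. No detector names,
    locations or descriptions, so the post cannot serve as an exploit hint."""
    for f in findings:
        _check(f)
    counts = Counter((f.risk, f.confidence) for f in findings)
    lines = [f"{len(findings)} finding(s)"]
    for risk in reversed(LEVELS):
        for conf in reversed(LEVELS):
            n = counts.get((risk, conf), 0)
            if n:
                lines.append(f"{risk} risk / {conf} confidence: {n}")
    if any(is_critical(f) for f in findings):
        lines.append("possible critical: details withheld pending project confirmation")
    return "\n".join(lines)


def disclosable(findings: List[Finding], confirmed: bool = False) -> List[Finding]:
    """Details of high-risk findings are released only after confirmation."""
    return [f for f in findings if f.risk != "high" or confirmed]


def detailed_report(findings: List[Finding], confirmed: bool = False,
                    full: bool = False, sample_size: int = 3) -> List[Finding]:
    """Sample (deterministic: most severe first) or the full set on request."""
    for f in findings:
        _check(f)
    ordered = sorted(disclosable(findings, confirmed),
                     key=lambda f: (RANK[f.risk], RANK[f.confidence]), reverse=True)
    return ordered if full else ordered[:sample_size]


def project_notice(findings: List[Finding], handle: str) -> Optional[str]:
    """Public tag to the associated account when a possible critical exists;
    no detail is included, only the count."""
    n = sum(1 for f in findings if is_critical(f))
    if n == 0:
        return None
    return f"@{handle} {n} high-risk/high-confidence finding(s); confirm to receive details"


# Constructed sample findings (not real detector output).
SAMPLE_FINDINGS = [
    Finding("reentrancy", "high", "high", "src/Vault.sol:88", "external call before state update in withdraw()"),
    Finding("unchecked-return", "high", "low", "src/Vault.sol:120", "return value of call() ignored"),
    Finding("tx-origin", "medium", "high", "src/Auth.sol:14", "tx.origin used for authorization"),
    Finding("floating-pragma", "low", "medium", "src/Vault.sol:2", "pragma ^0.8.0 allows untested compiler versions"),
    Finding("naming", "low", "low", "src/Token.sol:9", "state variable shadows inherited name"),
]


if __name__ == "__main__":
    print(public_summary(SAMPLE_FINDINGS))
    print([f.detector for f in detailed_report(SAMPLE_FINDINGS)])
    print(project_notice(SAMPLE_FINDINGS, "vaultproject"))
    print([f.detector for f in detailed_report(SAMPLE_FINDINGS, confirmed=True, full=True)])
```

Note that `confirmed` is the whole trust decision: whoever can make that flag true receives the critical details, so the confirmation should be checked against the account Etherscan associates with the contract, not against any account that replies to the tag.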
Additional Features
Before the hackathon, we had a wakehacker character in ElizaOS that was shit-posting about frameworks and security (character.json file).
During the hackathon, we focused on the integration with the Wake Framework to allow the AI agent to execute security scans of deployed smart contracts. We created the plugin-wake plugin for ElizaOS.
Tracks Applied (2)
AI Smart Contract Auditor
Hacken
IDENTITY, PRIVACY + SECURITY
Technologies used
