FEATURED POST

September 22, 2025

Introducing Sherlock AI

Sherlock AI is an auditing assistant that helps teams catch vulnerabilities early, streamline audits, and ship smart contracts with confidence.

Introducing Sherlock AI

We are proud to introduce Sherlock AI, the latest step in our mission to make onchain systems safer for everyone. For years, Sherlock has combined audits, contests, bounties, and coverage to protect projects at critical moments in their lifecycle. But we also saw a recurring challenge: too many vulnerabilities only surfaced once an audit began, forcing teams into last-minute fixes and creating unnecessary stress on timelines and budgets.


Sherlock AI is built to change that. By embedding auditor-level analysis directly into development workflows, it gives teams fast, actionable feedback as they write code. That means audits can focus on refinement, and launches can move forward on budget and on schedule — with greater confidence in the security of what’s being shipped.

A Smarter Approach to Smart Contract Security

Sherlock AI is an auditing assistant that plugs directly into a team’s development workflow. It analyzes commits and pull requests in real time, surfacing potential vulnerabilities with the same methodology our top researchers use during audits and contests.

Instead of have your code only reviewed during  point-in-time audits, developers can fix tighten their codebase and arrive at audits with fewer issues to resolve. The result is faster iteration, cleaner contracts, and more predictable outcomes when launch dates are on the line.

Sherlock AI Main Dashboard View
Sherlock AI gives teams a clear view of vulnerabilities across their codebase - with severity, trends, and progress all in one place.

Sherlock AI gives teams a clear view of vulnerabilities across their codebase - with severity, trends, and progress all in one place. The platform is built for ease of use and practicality: developers can see issues flagged in real time, track them across commits, and measure progress as fixes are made. Instead of waiting until a formal audit to understand the health of their contracts, teams get a living picture of where risk lies and how it’s being reduced over time.


That level of insight is possible because of how Sherlock AI was designed. The system draws on the battle-tested techniques of 0x52, one of the most decorated smart contract security researchers in the world, combined with Sherlock’s broader network of elite auditors and machine learning specialists. Trained on thousands of real vulnerabilities and findings, Sherlock AI brings that expertise into an interface developers can use every day - turning advanced auditor reasoning into something practical and actionable.

How Sherlock AI Works

Sherlock AI connects directly to a team’s code repository through a GitHub app, monitoring commits and pull requests in real time. When changes are submitted, the system ingests the updated codebase, normalizes it, and applies a combination of static analysis techniques, auditor-informed heuristics, and machine learning models trained on real vulnerabilities. This allows it to evaluate logic flows, storage patterns, and contract interactions - the places where critical exploits most often emerge.

The output is structured so teams can move quickly from detection to resolution:

  • Ingest & Analyze: Pulls code from GitHub, maps contracts and dependencies, and applies ML-driven static analysis to surface both critical and lower-severity vulnerabilities.

  • Report & Recommend: Produces detailed findings with severity levels, references, and suggested remediations, alongside optional unit tests to validate fixes.

  • Iterate & Improve: Findings can be linked back into the repo, rerun after patches, and tracked across commits, while the AI model itself improves over time based on new data and user feedback.

Sherlock AI Audit Report Analysis Dashboard
Sherlock AI surfaces vulnerabilities directly in your repo, complete with severity levels, attack paths, and remediation context

Through this process, developers gain actionable insight at the same speed they write code. Instead of showing up to audits with blind spots, teams arrive with a documented history of fixes, allowing auditors to focus on nuanced edge cases and leaving projects more secure as they head to mainnet.

What Sherlock AI Finds

Sherlock AI is built to zero in on the types of flaws that consistently lead to costly exploits. Instead of flagging cosmetic issues or lint errors, it prioritizes vulnerabilities that attackers can actually weaponize. Examples include:

  • Reentrancy and access control flaws that allow attackers to bypass safeguards and drain funds.

  • Logic errors in state updates that can destabilize lending markets, pools, or governance systems.


  • Miscalculated fee, math, or overflow conditions that open the door to manipulation.


  • Unsafe external calls or dependency interactions that introduce hidden attack surfaces.



These are the same categories human auditors focus on in Sherlock contests and private reviews. The difference is that Sherlock AI delivers findings as soon as new code is pushed, giving teams a chance to patch early and verify fixes through reruns or generated unit tests.

By filtering for issues with real exploit potential, Sherlock AI helps developers spend less time sifting through noise and more time solving the problems that matter. It also means that when auditors step in, they can focus on the edge cases that require deep context, rather than uncovering critical bugs that could have been addressed weeks earlier.

Predictable Audits, Predictable Launches

For project teams, Sherlock AI translates directly into fewer surprises and smoother launches. By catching vulnerabilities as code is written, teams avoid the expensive cycle of late-stage fixes and re-audits that can derail budgets and timelines. Instead of paying auditors to flag fundamental errors, development teams can walk into reviews with a cleaner codebase, keeping audit scopes tighter and invoices lighter. It also means fewer tradeoffs under deadline pressure -Teams don’t need to choose between slipping a launch date or pushing insecure code since Sherlock AI provides early feedback so fixes happen when they’re easiest to make. 

The result is greater confidence in delivery: predictable audit costs, launch schedules that hold, and fewer sleepless nights spent firefighting last-minute security issues. For many teams, this can mean saving hundreds of thousands of dollars across a development cycle by avoiding extended audit engagements and costly delays.

Early Adoption and Beta

Sherlock AI is currently in open beta, but it is already being used by several of the biggest projects in Web3, including protocols ranked among the top 50 by total value locked (TVL). These teams are integrating it directly into their development workflows to reduce audit scope, improve launch readiness, and keep long-lived codebases clean.

Sherlock AI Testimony from Centrifuge Protocol

The feedback so far has been overwhelmingly positive, and our goal now is simple: to get Sherlock AI into as many teams’ hands as possible. From here, we’re focused on expanding beyond GitHub, adding broader language support, and refining the model with real-world usage so that findings stay sharp and actionable as teams scale. Ultimately, we want Sherlock AI to become a trusted companion in every smart contract developer’s workflow - helping teams ship faster, safer, and with greater confidence.

Sherlock AI in the Launch Lifecycle

Sherlock was built around a simple belief: smart contract security can’t be reduced to a single checkpoint. That’s why our suite combines audits, contests, bug bounties, and financial coverage - providing protocols protection before launch, at launch, and after they’re live. Together, these services form a launch lifecycle model that supports teams through the most critical phases of shipping new code.

Sherlock AI is the connective thread that makes this model stronger. By providing auditor-level feedback inside the development workflow, it ensures protocols arrive at audits in better shape, contests focus on edge cases instead of obvious bugs, and coverage reflects the true quality of the codebase. Because it learns alongside the project, Sherlock AI can be picked back up for future upgrades, carrying context forward into each new release cycle.

Sherlock AI delivers its greatest utility in the run-up to a formal audit. By surfacing vulnerabilities earlier and at a fraction of the cost and time, it allows audits to stay on budget, on schedule, and focused on polish rather than fundamental rework. The impact flows directly into Sherlock’s financial coverage model: coverage levels are determined by the quality of the code entering an audit, and teams that prepare with Sherlock AI are far more likely to qualify for higher tiers of protection. In short, Sherlock AI gives teams the clarity they need to ship code with confidence — on budget, on time, and secure enough to launch at the highest standard.

The Future of Smart Contract Security

We built Sherlock AI because traditional audits alone weren’t solving every challenge. Teams needed a way to catch issues earlier, keep audit costs predictable, and launch on schedule without last-minute patches. Our vision was simple: bring the same caliber of insight as the best auditors in the world directly into the development workflow. The result is a tool that’s already reshaping how teams approach security, helping them ship code with confidence instead of uncertainty.

This is just the beginning. Sherlock AI is already proving its impact with some of the largest protocols in Web3, and we believe it can become a standard part of how every team builds and launches securely. We’re inviting teams to be part of that future today - join the open beta today and put Sherlock AI to work in your development process.

MORE BLOG POSTS

Want to read more?

August 5, 2025

5 Steps to Becoming a Top-Level Smart Contract Auditor

A proven, five-step blueprint from Sherlock’s top auditors on how to start earning money as a smart contract auditor in under a month. Learn how to master codebases, build your checklist, think like an attacker, and accelerate your growth through fast feedback.

July 17, 2025

GMX Exchange Hack Explained

GMX Exchange Hack Explained: $42M Drained via Re-Entrancy Exploit. Written in collaboration with Blackthorn Lead Security Partner, Panprog.

June 2, 2025

Why Careful Validation Matters: A Vulnerability Originating in Inline Assembly

At Sherlock, one of the top Lead Senior Watsons, recently uncovered and helped to resolve a vulnerability related to the lack of overflow protection in Solidity's inline assembly. Read on for the details behind the vulnerability that was detected, allowing the arbitrary call of functions from a vulnerable smart contract.