We ran Vulnaut across a small set of public audits and classified each result as one of: exact match, strong adjacent / same risk surface, improved mixed case, or external validation.
The goal is not to claim complete report reproduction, but to show where the tool is already recovering substantive findings, where it produces useful adjacent signal, and where it still misses architecture / protocol-context issues.

| # | Audit | Original report | Vulnaut run | Matched report finding(s) | Classification | Why it matters |
|---|---|---|---|---|---|---|
| 1 | Recall Staking Security Assessment — Sigma Prime | https://github.com/sigp/public-audits/blob/master/reports/recall/Sigma_Prime_Recall_Staking_Security_Assessment_Report_v2_0.pdf | https://test.vulnaut.ai/share/yZQvdBk6u5sLUmk7UTFnIS7mHKmf9b-5CZ7hWcpb6UI | RSC-01, RSC-02, RSC-03 | Exact-match case | Vulnaut recovered the key staking issues: emergency unlock ownership bypass, withdrawal/cooldown bypass, and the zero-amount ghost stake / active NFT issue. The original report’s RSC-01 and RSC-02 were High severity, and Vulnaut matched the same functions and root causes. |
| 2 | Recall Labs Recall Security Assessment — Sigma Prime | https://github.com/sigp/public-audits/blob/master/reports/recall/Sigma_Prime_recall_labs_recall_Security_Assessment_Report_v2_2.pdf | https://sigmaprime.vulnaut.ai/share/Mgekq2-xWSUK7pAzLp1TOgBqN7fb-lJ86Q7RJOVwPaw | RECL-05 | Exact High match | The report had only one Solidity-based finding, and Vulnaut found it as an exact match: whenActive silently returns instead of reverting, causing successful-looking reward claims with no payout. |
| 3 | Espresso Systems — Runtime Verification | https://strapi-rv-bucket-01.s3.us-east-2.amazonaws.com/Espresso_Systems_bba71f9e37.pdf | https://sigmaprime.vulnaut.ai/share/iPRERsymlHPudOfznlfgLfK8MfAQzWw_4F8jBXqkPh8 | A03 | External exact High match | Strong cross-firm validation. Vulnaut matched the only High severity issue in the RV report: missing schnorrKeys update/check in updateConsensusKeysV2(). This shows the tool can recover serious findings outside Sigma Prime reports too. |
| 4 | Brava Module Integrations — Sigma Prime | https://github.com/sigp/public-audits/blob/master/reports/brava/module-integrations/report.pdf | https://test.vulnaut.ai/share/uvRs8W4K87RdmAYxsSpXloYIPwnvuZHBZq8lZZSOdVw | BRV3-06; BRV3-02 adjacent | Improved mixed case | The updated run accepted the ERC20 transfer return-value issue and strongly overlapped with the gas refund manipulation area. It still missed BRV3-01, the core CCTP callback architecture issue, so this is best framed as an improvement case rather than a full report reproduction. |
| 5 | Makina SwapModule — Sigma Prime | https://github.com/sigp/public-audits/blob/master/reports/makina/review.pdf | https://sigmaprime.vulnaut.ai/share/ivLOrPej5dM-IrngurvMNDuIx-RjJDIkIKJPUOZIIrw | MAK-02 adjacent | Strong adjacent / same risk surface | Not an exact match to MAK-02’s Odos calldata redirection exploit, but useful. Sigma Prime’s MAK-02 involved unsafe operator-controlled swap calldata in SwapModule; Vulnaut focused on the same SwapModule operator-controlled execution surface and found related residual/stuck-token and arbitrary execution/balance-delta risks. |

| Audit | Matched report finding(s) | Vulnaut classification | Notes |
|---|---|---|---|
| Recall Staking | RSC-01, RSC-02, RSC-03 | Exact matches | Matched emergency unlock ownership bypass, withdrawal/cooldown bypass, and zero-amount ghost stake / active NFT issue. |
| Recall Labs Recall | RECL-05 | Exact High match | Matched whenActive silent return causing successful-looking reward claims with no payout. |
| Espresso / Runtime Verification | A03 | External exact High match | Matched missing schnorrKeys update/check in updateConsensusKeysV2(). |
| Brava | BRV3-06; BRV3-02 adjacent | Exact + strong adjacent; mixed overall | Accepted ERC20 transfer return-value issue; strongly overlapped with gas refund manipulation. Still missed BRV3-01. |
| Makina | MAK-02 adjacent | Strong adjacent / same risk surface | Focused on the same SwapModule operator-controlled execution surface, but not the exact Odos calldata redirection exploit. |

| Audit | Exact matches | Adjacent / same risk surface | Notable misses |
|---|---|---|---|
| Recall Staking | 3 | 0 | — |
| Recall Labs Recall | 1 | 0 | — |
| Espresso / Runtime Verification | 1 | 0 | — |
| Brava | 1 | 1 | BRV3-01 |
| Makina | 0 | 1 | MAK-01 |

Across this small public-audit sample, Vulnaut is already recovering substantive findings in several cases, including multiple exact matches against Sigma Prime reports and one exact High severity match against a Runtime Verification report.
The strongest signal is in local contract logic, state accounting, access-control / ownership checks, reward-claim behavior, and invariant violations. The weaker area remains architecture-level or protocol-context issues that depend heavily on external system assumptions, such as the CCTP callback architecture issue in Brava.