Format: 3-bullet digest for DeepThreat Intel newsletter
---
🔍 New: Supply Chain Vulnerability Scanner
We shipped a new scanner overnight that targets a class of bug most tools and audits miss: vulnerabilities inherited from forked codebases and stale dependencies.
• The problem: SagaEVM lost $7M from a bug it inherited from Ethermint. Dozens of Compound/Aave forks carry known issues from years-old code. Auditors review the custom code but skip the inherited base layer.
• What it detects: vulnerable library versions (OpenZeppelin v3, Solmate, ds-math), forked protocol patterns (Compound, Aave V2, Uniswap V2, Ethermint), and dependency hygiene issues (raw GitHub imports, unpinned versions, copy-pasted libraries).
• Why it matters: static analysis catches roughly 30% of real DeFi exploits. Supply chain analysis catches the ones nobody is looking at: the inherited bugs already sitting in production.
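To make the dependency-hygiene bullet concrete, here is a small, self-contained check of the kind such a scanner runs over a Solidity file. This is an added illustration written for this digest, not code from the DeepThreat scanner or its repository; the rule names, the threshold treating OpenZeppelin major versions of 3 and below as old, the list of commonly vendored library names, and the sample contract and package.json are all constructed assumptions.

```python
"""Dependency-hygiene checks for a Solidity file (added illustration, not DeepThreat code).
Rule names, thresholds, the sample contract and the package.json are constructed."""
import re
from dataclasses import dataclass

# Matches `import "x";`, `import {A, B} from "x";` and `import * as N from "x";`
IMPORT_RE = re.compile(
    r'^\s*import\s+(?:(?:\{[^}]*\}|\*\s+as\s+\w+)\s+from\s+)?["\']([^"\']+)["\']',
    re.MULTILINE,
)
# Captures the git ref of github.com/<org>/<repo>/blob/<ref>/... or raw.githubusercontent.com/<org>/<repo>/<ref>/...
GITHUB_REF_RE = re.compile(
    r'^https?://(?:raw\.githubusercontent\.com|github\.com)/[^/]+/[^/]+/(?:blob/)?([^/]+)/'
)
PINNED_REF_RE = re.compile(r'^(?:[0-9a-f]{40}|v?\d+\.\d+\.\d+)$')  # full commit hash or release tag
EXACT_VERSION_RE = re.compile(r'^\d+\.\d+\.\d+$')                  # rejects ^, ~, ranges and "latest"
# Libraries commonly vendored by copy-paste instead of imported (heuristic list, an assumption)
COPIED_LIB_RE = re.compile(
    r'^\s*(?:library|contract|abstract\s+contract)\s+(SafeMath|SafeERC20|Ownable|ReentrancyGuard|ECDSA)\b',
    re.MULTILINE,
)
OZ_PACKAGE = "@openzeppelin/contracts"
MAX_OLD_OZ_MAJOR = 3  # the digest names OZ v3; treating majors <= 3 as "old" is this example's policy


@dataclass
class Finding:
    rule: str
    detail: str
    path: str
    line: int


def _line_of(source: str, offset: int) -> int:
    return source.count("\n", 0, offset) + 1


def scan_source(path: str, source: str, package_json: dict) -> list[Finding]:
    """Return hygiene findings for one Solidity file, resolved against its package.json."""
    deps = {**package_json.get("dependencies", {}), **package_json.get("devDependencies", {})}
    findings: list[Finding] = []

    for m in IMPORT_RE.finditer(source):
        target, line = m.group(1), _line_of(source, m.start(1))
        if target.startswith(("http://", "https://")):
            # A raw URL import bypasses the package manager: no lockfile, no integrity check.
            findings.append(Finding("raw-github-import", target, path, line))
            g = GITHUB_REF_RE.match(target)
            ref = g.group(1) if g else ""
            if not PINNED_REF_RE.match(ref):
                # A branch name (master/main) silently tracks whatever upstream pushes next.
                findings.append(Finding("unpinned-github-ref", f"ref {ref or '?'} in {target}", path, line))
        elif target.startswith("@"):
            pkg = "/".join(target.split("/")[:2])  # "@scope/name"
            spec = deps.get(pkg)
            if spec is None:
                findings.append(Finding("undeclared-dependency", pkg, path, line))
                continue
            if not EXACT_VERSION_RE.match(spec):
                findings.append(Finding("unpinned-version", f"{pkg}@{spec}", path, line))
            major = re.search(r"\d+", spec)
            if pkg == OZ_PACKAGE and major and int(major.group()) <= MAX_OLD_OZ_MAJOR:
                findings.append(Finding("old-library-version", f"{pkg}@{spec}", path, line))

    for m in COPIED_LIB_RE.finditer(source):
        # A local definition of a well-known library is a frozen copy that never receives upstream fixes.
        findings.append(Finding("copy-pasted-library", m.group(1), path, _line_of(source, m.start(1))))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample input: one contract exhibiting every issue the check looks for.
SAMPLE_SOURCE = """\
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/ERC20.sol";
import "https://github.com/OpenZeppelin/openzeppelin-contracts/blob/v4.9.3/contracts/access/Ownable.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/security/ReentrancyGuard.sol";
import "@uniswap/v2-core/contracts/interfaces/IUniswapV2Pair.sol";

library SafeMath {
    function add(uint256 a, uint256 b) internal pure returns (uint256) { return a + b; }
}

contract Vault is ERC20, Ownable, ReentrancyGuard {}
"""
SAMPLE_PACKAGE_JSON = {"dependencies": {"@openzeppelin/contracts": "^3.4.0"}}

if __name__ == "__main__":
    for f in scan_source("contracts/Vault.sol", SAMPLE_SOURCE, SAMPLE_PACKAGE_JSON):
        print(f"{f.path}:{f.line}: {f.rule}: {f.detail}")
```

On the sample file this reports seven findings: two raw GitHub imports (one of them tracking `master`), an unpinned and old OpenZeppelin range, an import of a package that package.json never declares, and a vendored SafeMath. The pinned `v4.9.3` URL is still flagged as a raw import but not as unpinned, which is the distinction a reviewer wants: pinning fixes reproducibility, not the fact that nothing verifies what the URL serves.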
Scanner #15 in the DeepThreat stack. 643 tests. Open source.
→ [Run it yourself](https://github.com/gilchrist-research/deepthreat-core)