Target: Security researchers, DeFi devs, protocol teams Tone: Confidently boring. Practitioner voice. No hype.
---
1/7 SagaEVM lost $7M from a bug they inherited from Ethermint.
They didn't write the vulnerable code. They forked it.
Nobody scanned the fork for known issues. Here's why that keeps happening 🧵
2/7 The DeFi supply chain problem:
→ Protocol forks Compound V2 (2020-era code)
→ Adds custom features on top
→ Auditors review the custom code
→ Nobody re-audits the forked base
The inherited bugs ship to mainnet. Every time.
3/7 It's not just forks.
OpenZeppelin v3.x has known vulnerabilities. Solmate's SafeTransferLib silently fails on non-standard ERC20s. Old ECDSA libraries have signature malleability issues.
Most protocols still import these. Most scanners don't flag it.
4/7 We built a supply chain scanner for DeepThreat.
Three detection layers:
• Vulnerable library versions (OZ v3, Solmate, ds-math)
• Forked protocol detection (Compound, Aave V2, Uniswap V2, Ethermint)
• Dependency hygiene (raw GitHub imports, unpinned versions, copy-pasted libs)
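What the "vulnerable library versions" and "dependency hygiene" layers boil down to, as an added example (not DeepThreat's code): the Solidity source and package.json below are constructed, and the risky-major table is a hypothetical stand-in for a real advisory feed.

```python
import json
import re

# Constructed sample inputs (not taken from the page or any real project).
SAMPLE_SOL = """\
pragma solidity ^0.6.12;
import "https://github.com/example-org/lib/blob/master/SafeMath.sol";
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {SafeTransferLib} from "solmate/utils/SafeTransferLib.sol";
"""
SAMPLE_PACKAGE_JSON = json.dumps({"dependencies": {
    "@openzeppelin/contracts": "^3.4.0",
    "solmate": "github:example-org/solmate",
}})

# Hypothetical advisory table: package -> major versions treated as risky
# (the thread's "OZ v3 has known vulnerabilities" claim, as data).
RISKY_MAJORS = {"@openzeppelin/contracts": {3}}

# Matches both `import "x";` and `import {A, B} from "x";` forms.
IMPORT_RE = re.compile(r'import\s+(?:\{[^}]*\}\s+from\s+)?"([^"]+)"')
# Exact semver only; anything else (^, ~, ranges, git refs) is unpinned.
PINNED_RE = re.compile(r"^\d+\.\d+\.\d+$")


def scan_imports(source):
    """Dependency hygiene: flag imports that pull code straight off a URL."""
    findings = []
    for path in IMPORT_RE.findall(source):
        if path.startswith(("http://", "https://")) or "github.com" in path:
            findings.append(("raw-url-import", path))
    return findings


def scan_manifest(package_json):
    """Flag unpinned specs and known-risky major versions in package.json."""
    findings = []
    deps = json.loads(package_json).get("dependencies", {})
    for name, spec in deps.items():
        if not PINNED_RE.match(spec):
            findings.append(("unpinned-version", f"{name}@{spec}"))
        m = re.search(r"(\d+)\.\d+\.\d+", spec)  # first semver-looking token
        if m and int(m.group(1)) in RISKY_MAJORS.get(name, set()):
            findings.append(("risky-major-version", f"{name}@{spec}"))
    return findings


if __name__ == "__main__":
    for finding in scan_imports(SAMPLE_SOL) + scan_manifest(SAMPLE_PACKAGE_JSON):
        print(*finding)
```

A real scanner would resolve the installed version from the lockfile rather than the manifest spec, since `^3.4.0` says nothing about what actually got compiled.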
5/7 Why no other tool does this:
Slither analyzes syntax. Semgrep matches patterns. Aderyn runs its fixed rule set (written in Rust).
None of them ask: "Is this a Compound V2 fork? Does it still have the known oracle issue from 2021?"
That question requires context, not pattern matching.
6/7 The economics are clear:
$7M (SagaEVM) + $2.7M (Solv Protocol) + dozens of smaller forks losing money to inherited bugs.
Static analysis catches ~30% of real exploits. Supply chain analysis catches the ones nobody's looking for.
7/7 DeepThreat now has 15 integrated scanners. 643 tests passing. 82.6% EVMbench detection rate.
The supply chain scanner is scanner #15. It finds what the other 14 can't.
Open source. Ship it, then sell it.
github.com/gilchrist-research/deepthreat-core