{"id":1296,"date":"2026-02-17T14:36:15","date_gmt":"2026-02-17T12:36:15","guid":{"rendered":"https:\/\/ackee.xyz\/blog\/?p=1296"},"modified":"2026-02-19T17:50:14","modified_gmt":"2026-02-19T15:50:14","slug":"wake-arena-feedback-from-lukso-ipor-monerium","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/wake-arena-feedback-from-lukso-ipor-monerium\/","title":{"rendered":"Wake Arena Feedback from LUKSO, IPOR &#038; Monerium"},"content":{"rendered":"<p><a href=\"https:\/\/ackee.xyz\/wake\/arena\">Wake Arena<\/a> is a multi-agent AI audit service for Solidity codebases. It combines LLM reasoning, graph-driven analysis (data dependencies and control flow), and a battle-tested static analysis detector library built from years of Ackee audits.<\/p>\n<p>In benchmark testing, Wake Arena discovered <strong>43 of 94 high-severity vulnerabilities<\/strong> across historical audit competitions, outperforming <strong>plain GPT-5 (24\/94)<\/strong>, <strong>plain Opus 4.5 (21\/94)<\/strong>, and <strong>Zellic&#8217;s automated scanner V12 (41\/94)<\/strong>.<\/p>\n<p>Benchmarks are useful, but production is the real test. Let&#8217;s take a closer look at what happened when teams used Wake Arena on production code and what they changed in response.<\/p>\n<h2>What Wake Arena does<\/h2>\n<p>Wake Arena is designed to help teams arrive at a premium audit with cleaner code. 
It:<\/p>\n<ul>\n<li><strong>Finds meaningful issues early,<\/strong> focusing on high-signal vulnerabilities, not volume.<\/li>\n<li><strong>Explains findings like an auditor,<\/strong> including impact, exploit path, and where it happens in code.<\/li>\n<li><strong>Links evidence<\/strong> using code snippets, line numbers, and a structured summary for easy triage.<\/li>\n<\/ul>\n<p>Protocols get a security review based on auditor workflows, not a generic &#8220;LLM scan&#8221; \u2013 and one they can iterate on quickly.<\/p>\n<p>Across the three protocols, Wake Arena surfaced <strong>192 issues<\/strong> that were triaged by the teams as <strong>142 true positives<\/strong> and <strong>50 false positives<\/strong> (a ~<strong>3:1 TP\/FP ratio<\/strong>). Most importantly, <strong>79 issues across the 5 reports<\/strong> led to concrete <strong>code changes<\/strong>: <strong>5<\/strong> (LUKSO), <strong>68<\/strong> (IPOR Fusion), and <strong>6<\/strong> (Monerium).<\/p>\n<p>Furthermore, we are thankful for the user feedback and will use it to make Wake Arena even more manageable and transparent at scale.<\/p>\n<h2>LUKSO: &#8220;very good and helpful&#8221; for hardening shipped code faster<\/h2>\n<p><a href=\"https:\/\/lukso.network\/\" target=\"_blank\" rel=\"noopener\">LUKSO<\/a>, an EVM L1 focused on digital identity and consumer applications, served as a design partner during development and used Wake Arena on their Solidity codebase.<\/p>\n<p><strong>Scan outcome<\/strong><\/p>\n<ul>\n<li><strong>10 total findings<\/strong> in a single scan: <strong>2 High<\/strong>, <strong>6 Medium<\/strong>, <strong>1 Low<\/strong>, <strong>1 Warning<\/strong><\/li>\n<li><strong>2 false positives<\/strong> reported<\/li>\n<li><strong>TP\/FP ratio<\/strong> (per client triage): 8 \/ 2<\/li>\n<li>The team reported they&#8217;ll fix <strong>1 High, 1 Medium, and 1 Low<\/strong> shortly after receiving the report<\/li>\n<\/ul>\n<p><strong>Positive 
feedback<\/strong><\/p>\n<p>&#8220;The PDF looks really super great, I was very impressed by how well written it was overall.&#8221;<\/p>\n<p>&#8220;The &#8216;Finding Summary&#8217; table is top notch. Exactly what I was looking for.&#8221;<\/p>\n<p>&#8220;Very impressed by how the PDF report looks like and how well it was written\u2026 I would definitely recommend this tool to catch early bugs to anyone before going to a formal security audit.&#8221;<\/p>\n<p>\u2013 LUKSO team feedback<\/p>\n<p>In the same feedback, the team also mentioned the report sections they relied on most: Severity &amp; Confidence explanation, Audit Overview \/ Overall Security Assessment \/ Recommendations, and line-numbered code snippets.<\/p>\n<p><strong>Observed impact<\/strong><\/p>\n<p>The report quickly enabled:<\/p>\n<ul>\n<li><strong>Triage<\/strong> (what matters, why it matters)<\/li>\n<li><strong>Verification<\/strong> (where it is in code)<\/li>\n<li><strong>Iteration<\/strong> (fix \u2192 re-run \u2192 compare)<\/li>\n<\/ul>\n<p><strong>Product improvements (based on LUKSO&#8217;s feedback)<\/strong><\/p>\n<ul>\n<li>Clarifying that the PDF is an <strong>AI-driven automated analysis<\/strong> (not a manual audit report).<\/li>\n<li>Adding more explicit <strong>remediation guidance per finding<\/strong> (concrete next steps, typical fixes, and verification tips).<\/li>\n<li>Keeping the report &#8220;audit-like&#8221; in usability, without confusing it with a human audit deliverable.<\/li>\n<\/ul>\n<h2>IPOR Fusion: fast iteration and clear security trade-offs<\/h2>\n<p><a href=\"https:\/\/www.ipor.io\/\">IPOR Labs<\/a>, a DeFi team building interest-rate and yield products, used Wake Arena on <strong>IPOR Fusion<\/strong> across multiple runs in December 2025:<\/p>\n<ul>\n<li><strong><a href=\"https:\/\/github.com\/Ackee-Blockchain\/public-wake-arena-reports\/blob\/master\/2025\/wake-arena-ai-report-ipor-labs-fusion-dec-9.pdf\" target=\"_blank\" rel=\"noopener\">Report 
1<\/a>:<\/strong> Dec 9, 2025<\/li>\n<li><a href=\"https:\/\/github.com\/Ackee-Blockchain\/public-wake-arena-reports\/blob\/master\/2025\/wake-arena-ai-report-ipor-labs-fusion-dec-11.pdf\"><strong>Report 2<\/strong><\/a>: Dec 11, 2025<\/li>\n<li><a href=\"https:\/\/github.com\/Ackee-Blockchain\/public-wake-arena-reports\/blob\/master\/2025\/wake-arena-ai-report-ipor-labs-fusion-dec-12.pdf\"><strong>Report 3<\/strong><\/a>: Dec 12, 2025<\/li>\n<\/ul>\n<p><strong>Scan outcome<\/strong><\/p>\n<ul>\n<li><strong>3 reports in 4 days<\/strong>, enabling rapid hardening cycles during active development.<\/li>\n<li><strong>TP\/FP ratio<\/strong> (per client triage): 126 \/ 47 (~2.7:1)<\/li>\n<li>The IPOR Labs team systematically triaged findings into:\n<ul>\n<li><strong>68 Valid \u2192 required code changes<\/strong><\/li>\n<li><strong>58 Acknowledged \u2192 accepted trade-off \/ mitigation in architecture<\/strong><\/li>\n<li><strong>47 False positives \/ invalid \u2192 detailed rebuttals based on execution constraints<\/strong><\/li>\n<\/ul>\n<\/li>\n<li>Per the client, some issues were classified as <strong>higher severity in the report<\/strong> than what their team ultimately assigned.<\/li>\n<\/ul>\n<p><strong>Positive feedback<\/strong><\/p>\n<p>IPOR&#8217;s response shows a consistent pattern: findings were evaluated against explicit trust boundaries and execution constraints (who can call what, and under which authority), not in isolation.<\/p>\n<p>&#8220;We spend many hours analyzing it, have to say that the tool is very nice.&#8221;<\/p>\n<p>\u2013 IPOR Labs, report response<\/p>\n<p>This is important because it mirrors how senior auditors work: claims must be bound to a realistic attacker model.<\/p>\n<p><strong>Observed impact<\/strong><\/p>\n<ul>\n<li>In their triage, the IPOR Labs team classified <strong>68 findings as true positives<\/strong> (requiring code or documentation changes) and <strong>47 as false positives\/invalid<\/strong>.<\/li>\n<li>Examples 
they marked as <strong>Valid<\/strong> (required changes) included fee math \/ ERC-4626 semantic mismatches and slippage-guard configuration issues (as reflected in their per-finding responses).<\/li>\n<li>Examples they marked as <strong>False positive<\/strong> hinged on execution constraints (e.g., components not being publicly reachable, restricted execution paths, and designs that avoid residual balances between transactions).<\/li>\n<\/ul>\n<p>Wake Arena accelerates high-quality engineering conversations around invariants, trust boundaries, and trade-offs \u2013 all before a premium audit.<\/p>\n<h2>Monerium: turning findings into merged fixes with tests<\/h2>\n<p><a href=\"https:\/\/monerium.com\/\" target=\"_blank\" rel=\"noopener\">Monerium<\/a>, a regulated issuer of fiat-backed on-chain money, used Wake Arena on src\/SwapV1V2.sol and published their triage and fixes in a public issue: <a href=\"https:\/\/github.com\/monerium\/smart-contracts\/issues\/56\">&#8220;Ackee Wake &#8211; AI Audit Report for src\/SwapV1V2.sol&#8221;<\/a>. 
Full report: <a href=\"https:\/\/github.com\/Ackee-Blockchain\/public-wake-arena-reports\/blob\/master\/2026\/wake-arena-ai-report-monerium-smart-contracts-dec-11.pdf\">Wake Arena PDF<\/a>.<\/p>\n<p><strong>Scan outcome<\/strong><\/p>\n<ul>\n<li><strong>6 items fixed<\/strong> (H1\u2013H5, W1)<\/li>\n<li><strong>1 item rejected as &#8220;by design&#8221;<\/strong> (I1), with rationale and a recommended alternative flow for relayers\/aggregators<\/li>\n<li><strong>TP\/FP ratio<\/strong> (per client triage): 6 \/ 1<\/li>\n<li>They documented trade-offs instead of hand-waving them (e.g., small gas increases to remove ambiguous &#8220;no-op&#8221; semantics for integrators)<\/li>\n<\/ul>\n<p><strong>Positive feedback<\/strong><\/p>\n<p>&#8220;We acknowledge this as a valid finding and have implemented a fix.&#8221;<\/p>\n<p>&#8220;For consistency and integration safety, we&#8217;ve modified all swap functions to always execute transfers\u2026 eliminating any potential confusion for integrators.&#8221;<\/p>\n<p>\u2013 Monerium, public issue response<\/p>\n<p><strong>Public verification<\/strong><\/p>\n<ul>\n<li><strong>41 tests passing<\/strong><\/li>\n<li><strong>100% coverage<\/strong> for SwapV1V2.sol (lines\/statements\/branches\/functions)<\/li>\n<\/ul>\n<p>The results are actionable findings that convert into clearer semantics for integrators, better documentation, and shipped code changes, with regression protection.<\/p>\n<h2>What&#8217;s next for Wake Arena?<\/h2>\n<p>We&#8217;re focusing on workflow and visibility improvements when the tool runs across multiple protocols and teams:<\/p>\n<ul>\n<li><strong>Admin panels (internal + ecosystem\/protocol)<\/strong> to give teams better control over:\n<ul>\n<li>Monthly scan usage<\/li>\n<li>Number of remaining scans in their plan<\/li>\n<li>Number of issues found per protocol<\/li>\n<\/ul>\n<\/li>\n<li><strong>Issues table &amp; richer statuses<\/strong> with individual findings, severity, and counts, plus 
per-protocol status visibility. Statuses expanded from two to five to improve accuracy and workflow: <strong>Reported<\/strong>, <strong>Valid<\/strong>, <strong>Acknowledged<\/strong>, <strong>Fixed<\/strong>, <strong>Invalid<\/strong>.<\/li>\n<li><strong>Email management + AI report views<\/strong> per organization \/ protocol.<\/li>\n<li><strong>Better context inputs<\/strong> for higher accuracy of AI results.<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>Wake Arena reduces time-to-fix on the issues that matter before you spend premium auditor hours on avoidable basics.<\/p>\n<p>The tool identified a total of <strong>192 issues<\/strong> across the three protocols. Following triage by each team, these were classified as <strong>142 true positives<\/strong> and <strong>50 false positives<\/strong>, resulting in a favorable ~<strong>3:1 true positive to false positive ratio<\/strong>. More importantly, <strong>79 of these issues, spanning the 5 reports<\/strong>, prompted <strong>code fixes<\/strong>: 5 for LUKSO, 68 for IPOR Fusion, and 6 for Monerium.<\/p>\n<p>We&#8217;re building admin panels and richer issue workflows, improved management tools, and better context inputs to make Wake Arena easier to operate at scale and more useful per scan.<\/p>\n<p>If you want an auditor-style, evidence-backed report that your team can triage quickly, and re-run after fixes to keep tightening the codebase, use <a href=\"https:\/\/ackee.xyz\/wake\/arena\">Wake Arena<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Wake Arena is a multi-agent AI audit service for Solidity codebases. It combines LLM reasoning, graph-driven analysis (data dependencies and control flow), and a battle-tested static analysis detector library built from years of Ackee audits. 
In benchmark testing, Wake Arena discovered 43 of 94 high-severity vulnerabilities across historical audit competitions, outperforming plain GPT-5 (24\/94), plain Opus 4.5 (21\/94), and Zellic&#8217;s automated scanner&hellip;<\/p>\n","protected":false},"author":30,"featured_media":1297,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10,161],"tags":[24,104,162],"class_list":["post-1296","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","category-wake-arena","tag-ethereum","tag-wake","tag-wake-arena"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2026\/02\/wa-cover-2-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2026\/02\/wa-cover-2-600x600.png","author_info":{"display_name":"Tom\u00e1\u0161 Kova\u0159\u00edk","author_link":"https:\/\/ackee.xyz\/blog\/author\/tomas-kovarik\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/1296","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/30"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=1296"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/1296\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/1297"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=1296"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=1296"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.
xyz\/blog\/wp-json\/wp\/v2\/tags?post=1296"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}