AI-powered CI security gate for smart contracts

Block unsafe smart contract releases before they ship.

Paythos runs in your CI on every PR. Our AI flags likely vulnerabilities, generates Foundry tests to confirm or falsify them, and posts a Pass / Warn / Block verdict with reproducible evidence.

Security becomes a rule, not a phase.

7-day proof pilot. If it doesn't run and produce verdicts, you get your money back.

paythos-ci / PR #247 — vault-withdraw-refactor
paythos-bot commented 2 minutes ago
⚠️ WARN
Potential reentrancy in withdraw()
Finding: Unsafe external call ordering
// vault.sol:142 — state update after external call
- balances[msg.sender] = 0;
+ uint256 amount = balances[msg.sender];
+ balances[msg.sender] = 0;
+ (bool ok,) = msg.sender.call{value: amount}("");
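Review bot: the finding label at `vault.sol:142` reads "state update after external call", but the three `+` lines zero `balances[msg.sender]` before `msg.sender.call{value: amount}("")`, which is checks-effects-interactions ordering; if the label describes the removed `-` line (the pre-refactor ordering) it should say so, otherwise the hypothesis is stale and the WARN deserves a second look. Separately, `ok` is assigned and never checked: a failed send leaves the caller's balance at zero with no ether delivered, so add `require(ok, "transfer failed");` directly after the call.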
Generated test (passing)
    function test_reentrancy_withdraw() public {
        attacker.attack();
        // .balance is a member of address, so cast the vault before reading it
        assertEq(address(vault).balance, 10 ether);
    }
3 properties checked
1 warning
2 tests generated

You don't lose because you "ignored security."

You lose because one small change ships a dangerous regression.

Common ways teams get hurt:

  • A PR silently weakens access control (critical)

  • A new external call introduces a reentrancy window (critical)

  • An upgrade breaks storage layout (high)

  • Accounting math drifts under edge cases (high)

  • Tests pass, but they don't prove the critical properties (medium)

Manual review can't reliably catch this at PR speed. Tool output is noisy. Audits come later.

You need a gate that stops bad releases now.

What Paythos does

On every PR/commit, Paythos:

STEP 1

Analyzes the security delta

Scans what changed and what it impacts: privileges, external calls, storage layout, accounting paths, dependencies.

STEP 2

AI generates vulnerability hypotheses

Our proprietary model produces concrete "this could be exploitable" statements tied to code locations.

STEP 3

AI writes verification tests

Automatically generates Foundry tests — reproducers, invariants, or bounded fuzz tests — to confirm or falsify each hypothesis.

STEP 4

Executes and decides

  • Pass: properties hold, checks green

  • ⚠️ Warn: AI flagged risk, needs human review

  • Block: property fails or exploit reproduces

STEP 5

Attaches evidence to the PR

AI-generated test code, results, logs, and exact reproduction steps you can run locally.
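The following is an added example, not Paythos code or output, showing what the hypothesis-to-verdict loop from steps 2 to 4 looks like for the reentrancy finding in the PR mock-up above: a "before" withdraw() that sends ether before zeroing the balance, the checks-effects-interactions "after", and the Foundry test that falsifies the hypothesis on the hardened version and confirms it on the original. It assumes a Foundry project with forge-std installed; VulnerableVault, SafeVault, Reenterer and the test names are constructed for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not Paythos code). Assumes a Foundry project with forge-std;
// the contract and test names below are constructed for this illustration.
import "forge-std/Test.sol";

interface IVault {
    function deposit() external payable;
    function withdraw() external;
}

// The ordering the finding describes: the external call runs before the
// depositor's balance is zeroed, so a re-entering receiver sees a stale balance.
contract VulnerableVault is IVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        (bool ok,) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0; // effect after interaction: reentrancy window
    }
}

// Checks-effects-interactions: zero the balance, then send, then check the result.
contract SafeVault is IVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0; // effect before interaction
        (bool ok,) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Reproducer driven by the verification test: a depositor whose receive()
// calls withdraw() again while the vault still holds other users' ether.
contract Reenterer {
    IVault private immutable vault;

    constructor(IVault v) { vault = v; }

    function attack() external payable {
        vault.deposit{value: msg.value}();
        vault.withdraw();
    }

    receive() external payable {
        // Re-enter only when a real payout arrived and the vault can pay again;
        // the msg.value guard avoids a zero-amount loop on the hardened vault.
        if (msg.value > 0 && address(vault).balance >= msg.value) {
            vault.withdraw();
        }
    }
}

contract ReentrancyHypothesisTest is Test {
    address internal honest = makeAddr("honest");

    // An honest user deposits 9 ether that must survive any other caller's withdraw().
    function _seed(IVault vault) internal {
        vm.deal(honest, 9 ether);
        vm.prank(honest);
        vault.deposit{value: 9 ether}();
    }

    // The property test the gate attaches to the PR: honest deposits stay in the
    // vault. It passes against the hardened withdraw(), which falsifies the hypothesis.
    function test_honest_deposits_survive_withdraw() public {
        SafeVault vault = new SafeVault();
        _seed(vault);
        Reenterer r = new Reenterer(vault);
        r.attack{value: 1 ether}();
        assertEq(address(vault).balance, 9 ether);
        assertEq(address(r).balance, 1 ether);
    }

    // The same reproducer against the pre-fix ordering violates the property;
    // in the gate that failing run is the evidence behind a Block. The drain is
    // asserted explicitly here so the file runs green as a demonstration.
    function test_hypothesis_confirmed_on_vulnerable_withdraw() public {
        VulnerableVault vault = new VulnerableVault();
        _seed(vault);
        Reenterer r = new Reenterer(vault);
        r.attack{value: 1 ether}();
        assertEq(address(vault).balance, 0);
        assertEq(address(r).balance, 10 ether);
    }
}
```

Run it with `forge test --match-contract ReentrancyHypothesisTest -vvv`. The gate's own workflow keeps only the first test (the property) and runs it against the PR's withdraw(): green means the hypothesis is dropped, red means the trace and the reproducer above are what get attached to the PR as evidence.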

paythos — CI pipeline live
Stages: 1 Diff Analysis · 2 Hypothesis · 3 Test Gen · 4 Execute · 5 Verdict

$ paythos analyze --pr 247
[1/5] Scanning diff... 4 files changed, 89 insertions(+), 12 deletions(-)
[2/5] Generating hypotheses... 3 found
[3/5] Writing verification tests...
[4/5] Executing with forge test...
      access_control_regression   PASS
      reentrancy_withdraw_path    WARN
      storage_layout_integrity    PASS
⚠ VERDICT: WARN — 1 finding needs human review

What you get on every PR

A clear decision

Pass / Warn / Block, with the top reasons.


Proof you can rerun

Commands, versions, and the generated tests that triggered the verdict.

$ forge test --match-path test/paythos/ -vvv

Diff-aware signal

No generic report dumps. Only the changes that matter.

3 of 12 files relevant

Continuously enforced critical properties

Your non-negotiables are checked every time.

5/5 enforced

The checks we enforce

Examples of what we gate:

  • Access control regressions on privileged functions

  • External-call paths with unsafe state ordering

  • Upgrade safety: storage layout + initializer + upgrade auth checks

  • Oracle validation and staleness bounds

  • Accounting invariants for shares, fees, debt, and withdrawals

  • Token interactions: dangerous approvals & edge cases

(You choose your critical properties. We start with a proven baseline.)

How it works

Step 1

15-min fit check

We confirm stack and repo readiness (Foundry/Hardhat, upgrade patterns, CI).

Step 2

Install the CI gate

GitHub Actions / GitLab CI status checks + PR bot comments.

Step 3

Tune to low-noise

We set baselines, suppress known false positives, and focus on high-risk deltas.

Step 4

Ship with confidence

Every PR gets a verdict and evidence. Bad merges get blocked.

Who this is for

Ideal for

  • Solidity teams shipping weekly (or faster)

  • Protocols with upgrades, roles/permissions, or complex accounting

  • Teams where one bad release is existential

Not for

  • Teams shipping rarely with no CI discipline

  • Repos with no tests and no willingness to add them

7-day proof pilot

We're not asking you to believe. We'll prove it on your code.

$2,000

one-time · money-back guarantee

In 7 days, you get:

  • Paythos running in your CI, fully integrated with your workflow

  • At least 3 PR verdicts with evidence-based outcomes

  • At least 5 critical properties enforced continuously

  • At least 10 generated tests across real changes

Guarantee: If we can't get it running and producing verdicts with evidence in 7 days, you get your money back.

FAQ

No. Audits catch design flaws; Paythos prevents regressions during development. Use both.

Paythos uses proprietary AI models trained on smart contract vulnerabilities. The AI analyzes your code changes, generates hypotheses about potential issues, and writes Foundry tests to verify them. Every AI finding is backed by a reproducible test—no guessing.

AI-generated hypotheses are verified by tests. If the test passes, the hypothesis is falsified and dropped. You only see findings backed by failing tests or inconclusive results that need human review.

Foundry-first. Hardhat support coming next.

We run with configurable time budgets. Most teams keep it under 5 minutes per PR.

Yes. We can sign an NDA and use a self-hosted runner if required.

Repo access, a CI slot (GitHub Actions or GitLab CI), and 5-10 minutes to define your critical properties.

Stop shipping bugs. Start shipping confidence.

7-day proof pilot. If we can't get Paythos running and producing verdicts with evidence, you get your money back.

No credit card required
15-min setup
Cancel anytime