Recent years have seen a surge of AI-driven tools for blockchain security. On Solana, developers are exploring autonomous agents, LLMs, and ML models to audit contracts and monitor the network. Solana's architecture — stateless runtime, Rust/Anchor contracts, explicit accounts — poses unique challenges, so many tools are Solana-specific. This research discusses both on-chain and off-chain applications, focusing on correctness guarantees, human-alignment, and false-positive reduction.
AI Agents and Autonomous Security Systems
AI agents can continuously learn normal behavior and flag anomalies. For example, Flipside Crypto deployed an AI agent trained on months of validator metrics; it autonomously detected a performance drop (tracing it to a software update) and compiled an evidence report before operators noticed, ultimately saving $3.8M in stake. This demonstrates how learning-based agents can outpace static dashboards and threshold alerts.
AI Agent Frameworks
Infrastructure projects like Arc provide a containerized execution environment for Solana AI agents. Arc's “Rig” framework (Rust-based) abstracts LLM providers and vector stores, letting developers build agents that natively interact with on-chain data. The containerized design isolates each agent, simplifying deployment and security. Arc aims to let agents execute autonomous on-chain operations while enforcing boundaries.
Transaction Firewalls
Middleware can govern AI-controlled transactions. Sentinel (ClawdieLabs) is a Rust “firewall” between an agent's logic and its wallet. It intercepts proposed transactions, simulates them via Helius, and applies a multi-stage policy engine (whitelisting, SOL caps, rate limits) before signing. Suspicious transactions trigger a human-in-the-loop override via a dashboard, preventing unintended exploits. Such systems blend automated checks with manual review to align AI actions with policy.
Reinforcement Learning (RL) can also secure the protocol itself. A 2025 study designed an adaptive consensus using a graph-based PPO agent: it monitors validator behavior and dynamically adjusts validation rules to thwart attacks. Under simulated Sybil/node-collapse attacks, the RL agent maintained throughput and detected malicious nodes with high true-positive rates (DR>0.90, FPR<0.10), reducing latency ~34% versus baseline. Such work shows RL can enable protocol-level adaptation — tuning stake rules or penalties — in response to anomalies.
Under simulated Sybil attacks, the RL-based consensus agent maintained DR>0.90 and FPR<0.10, reducing latency ~34% versus a static baseline.
Human-in-the-Loop Verification
Even with AI, human oversight remains critical. As noted above, Sentinel includes a manual approval step for flagged transactions. Similarly, any AI-generated audit report from an LLM typically requires human vetting. In practice, developers spend minutes to hours reviewing each flagged issue. Industrial static analysis alarms often have >75% false positives, necessitating second-round human review. Workflows blend AI suggestions with expert audits.
Some tools allow developers to encode human-specified invariants for formal proofs. OtterSec introduced a framework for Anchor programs where developers write correctness properties, and Kani (Rust verifier) formally checks them via bounded model checking. This ensures guaranteed correctness for critical conditions (e.g. access checks in a multisig). The developer specifies what “should” hold — a high-level invariant — and the tool auto-generates proof harnesses. While not AI per se, this human-driven formalism provides correctness guarantees that AI tools can't match.
Every LLM suggestion is backed by traceable context, and human engineers only approve changes once confident.
New workflows treat LLMs as part of an iterative pipeline, not one-off queries. Kawasaki (2026) describes an editor-integrated audit flow: first an LLM scan (Stage A) broadly flags suspicious code; then a second LLM pass (Stage B) refines each finding into a precise, evidence-backed report. The pipeline collects structured outputs (JSON, diffs) at each stage and requires human review before applying fixes. In Stage B, findings must cite exact code lines and clarify assumptions, making them verifiable by a human or automatic checker. The key is iteration and traceability.
Calibration and False-Positive Mitigation
Balancing Recall vs Precision
A central challenge is tuning AI tools to minimize both missed bugs (false negatives) and spurious alerts. Igor Gulamov's CTFBench benchmark (Feb 2025) illustrates this balance via two metrics: Vulnerability Detection Rate (VDR, akin to recall) and Overreporting Index (OI, false positives per line). In CTFBench, each small test contract has exactly one injected flaw. An AI auditor's performance is plotted by its VDR and OI — ideal is (VDR=1.0, OI=0.0). This quantifies the trade-off: one model may catch more bugs but hallucinate more issues, another may be conservative. Using VDR–OI, developers can calibrate alerts to reach an acceptable false-positive rate without missing critical issues.
Chain-of-Verification for LLMs
To reduce “hallucinated” misreports, one can have the LLM self-verify its answers. The Chain-of-Verification (CoVe) method first has the model draft an answer, then generate its own fact-check questions and answer them independently, and finally produce a corrected response. In practice, CoVe significantly reduced incorrect assertions in LLM outputs across tasks. Applied to smart contracts, an LLM could first identify a potential bug, then ask (and answer): “Is this truly reachable? Did I misuse a variable?” — and only then finalize its report. This self-critique pipeline effectively “calibrates” the model's confidence, filtering out some false alarms.
Studies show LLMs can drastically cut static analysis noise. A Tencent study (early 2026) applied LLM-based filtering to hundreds of enterprise bug reports. A hybrid approach (LLM + static analyzer facts) eliminated ~94–98% of false positives while keeping nearly all true bugs. In other words, an LLM can learn to classify each static warning as “real” or “spurious” and discard most noise. The Tencent authors report a cost of ~$0.001–0.12 per report — acceptable compared to human hours.
Conservative Rules and Boundaries
In addition, many systems layer on simple rules or cutoffs to catch obvious false positives. Policy engines often whitelist critical on-chain programs (system token transfers, DEX routers) so AI flags outside those scopes are treated differently. Limiting maximum SOL per transaction or enforcing signature checks at runtime can pre-filter issues. These deterministic “sanity checks” complement AI reasoning and keep hallucinations from becoming action.
AI-Driven Verification Techniques
Domain-Specific Transformers
For live transaction monitoring, specialized models like BlockScan employ deep networks to spot anomalous DeFi transactions. BlockScan uses a BERT-like Transformer with custom tokenization (encoding addresses vs values) to model normal on-chain behavior. During training it learns to reconstruct normal transaction tokens, so malicious ones yield higher reconstruction error. In tests on Ethereum and Solana DeFi apps, BlockScan outperformed baselines — it was the only method that successfully detected real Solana anomalies with high accuracy and low false positives. Other tools like vanilla GPT-4 or doc2vec had recall ≈ 0 on Solana. The model is open-source, providing a foundation for runtime risk detection.
LLMs for Code Analysis
Modern generative models assist in code auditing too. For large Rust codebases, practitioners split the code into “analysis units” and iteratively use an LLM. Kawasaki's pipeline collects relevant files, attaches minimal necessary context, and queries the model in stages (screening then verification). This ensures the LLM's findings are reproducible and bounded by context. Tools like SAEL go further by fine-tuning LLMs specifically on smart contract data: SAEL fuses raw code embeddings with LLM-predicted vulnerability labels and explanation vectors in a mixture-of-experts framework. These hybrid models combine pattern recognition with the LLM's reasoning to classify potential security issues.
Formal and Symbolic Methods
In contrast to heuristics, formal approaches give proofs of correctness. Beyond Kani/Rust, tools like WACANA lift Solana programs (BPF bytecode) into intermediate form for symbolic analysis, checking all paths for missing checks. Such methods can exhaustively find counterexamples to invariants. In practice, static analysis (checked math, integer overflow) and symbolic execution (constraint solvers) complement AI by catching low-level logic errors with mathematical rigor. Developers often run these before deployment to guarantee no simple bug slips through.
Integration into CI and Monitoring Pipelines
A common pattern is to containerize analysis tools and produce structured outputs. EmergentMind notes that Solana analyzers are “modular with Dockerized deployment, normalized output (JSON), and open YAML configuration.” This means each tool — static analyzer, fuzzer, AI auditor — can run in CI (e.g. GitHub Actions), outputting machine-readable alerts.
In a CI pipeline, a project might first run unit tests and static checks, then invoke AI auditors. Upon each commit, a script could collect Rust source files, segment them into audit units (per function or module), and feed them through an LLM/agent. The pipeline would store all LLM-generated findings (as JSON) and patch suggestions, then apply fixes with human sign-off. Subsequent stages (linters, test suites) verify that any AI-proposed patches don't break functionality.
Off-chain systems continuously observe on-chain data with AI. Tools like Nansen or custom monitoring use ML to flag unusual token flows or wallet behaviors. For Solana specifically, emerging dashboards are starting to use pattern recognition to catch DeFi manipulation. Validator operators similarly use performance monitors that feed into AI anomaly detectors. In all cases, AI alerts feed into logging/alerting stacks (PagerDuty, Slack) so engineers can investigate.
Solana-Specific Tools and Case Studies
Solana's security tools often tailor to its unique model. Notable examples include: Blockworks Checked Math (static checks for integer bugs), Anchor's built-in IDL validation (reducing missing signer bugs), FuzzDelSol (eBPF fuzzing engine with taint analysis), and WACANA (WASM symbolic executor). These classical tools are increasingly augmented by ML-driven components. SAEL (LLM classifier) and Veritas (Mixture-of-Experts) use AI to detect complex patterns. EmergentMind's 2025 survey shows these tools collectively have driven the major-vulnerability rate in audited contracts down to ~0.2%.
Integrated platforms have also emerged. Código.ai offers an all-in-one Solana IDE with cloud deployment, purpose-built LLMs, and audit checks. Its models were trained on 22M+ lines of audited Solana code, allowing it to generate code and pre-audit for known risks. Users report that Código can produce a working Vault contract in minutes, with built-in checks for rent-exemption and access controls. This reflects a trend: AI platforms tuned to Solana — rather than generic GPT — can bake in protocol knowledge and reduce obvious errors.
Run AI audits continuously (in CI or pre-commit) for fast feedback, but schedule periodic human audits or formal checks for guarantees. AI-only reports explicitly warn about false positives and require follow-up.
In practice, formal audits and AI reports are complementary. Halborn's March 2025 audit of a Solana DeFi protocol (Huma Finance) shows the current gold standard remains human-led review supplemented by tools. Conversely, AI-only reports (e.g. from Hashex or AuditHub) often emphasize that they should not be solely trusted — they explicitly warn about false positives. The emerging consensus is a hybrid: run AI audits continuously for fast feedback, but schedule periodic human audits or formal checks for guarantees.
Solana development is integrating AI at multiple layers — from on-chain agent orchestration to off-chain code auditing. Best practices involve multi-stage verification, quantitative calibration, and human oversight.
A two-stage LLM pipeline (broad scan → evidence-backed verification) outperforms one-shot queries. Every finding must cite exact code lines and clarify assumptions.
Use VDR and OI metrics to understand the recall/precision tradeoff of each AI auditor. Hybrid LLM + static analysis can eliminate 94–98% of false positives while keeping nearly all true bugs.
Industrial static analysis alarms often exceed 75% false positives. AI audit reports require human vetting. Workflows that blend AI suggestions with expert review consistently outperform either alone.
Tools like BlockScan and Código, trained specifically on Solana data, significantly outperform vanilla GPT-4 on Solana anomaly detection. Generic models had recall ≈ 0 on Solana DeFi.
