████▄ ██ ██ █████▄ ▄████▄
██ ██ ██ ██ ██▄▄██▄ ██ ██
████▀ ▀████▀ ██ ██ ▀████▀
DURO tells you if a smart-contract issue is actually exploitable — not just “maybe vulnerable.”
If you run audits, bug bounties, or protocol security, DURO helps you move from:
- vague finding ➜ to
- reproducible proof on forked state.
Most tools say: "this might be risky."
DURO says one of four things after simulation:
- ✅ CONFIRMED (exploit worked)
- ❌ NOT_REPRODUCIBLE (didn’t work)
- ⚠️ INCONCLUSIVE (not enough signal)
- 🛠️ INFRA_FAILED (environment issue)
That makes triage faster and reporting cleaner.
Who it's for:
- Smart contract auditors
- DeFi security engineers
- Bug bounty / offensive security teams
- Protocol teams validating real exploitability

Not for:
- Non-technical users looking for a one-click scanner
- Unauthorized target testing
```bash
duro init
duro run scenarios/templates/access-control.yaml --llm-provider mock
duro show <RUN_ID>
```

You can also run the scripted demo:

```bash
bash scripts/demo_30s.sh
```

Optional: add an asciinema/GIF at `docs/assets/duro-30s-demo.gif` and embed:
```bash
duro init
duro doctor
duro scenario lint scenarios/oracle-manipulation-demo.yaml
duro run scenarios/oracle-manipulation-demo.yaml --llm-provider mock
duro report export <RUN_ID>
```

Artifacts under `runs/<run_id>/` and `reports/<run_id>/`:
- `result.json`
- `forge.stdout.log`
- `forge.stderr.log`
- `trace.summary.log`
- generated harness (`.t.sol`)
- `safety.json`
- `trace.summary.log`
- `summary.md` / `summary.json`
- `manifest.sha256` (integrity)
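An independent check of the `manifest.sha256` artifact listed above, as an added example (not DURO's own code, and not a replacement for `duro verify`). It assumes the manifest uses the `sha256sum` line format (`<hex digest>  <relative path>`), which this page does not specify; `check_run_dir` and `is_intact` are hypothetical names.

```python
import hashlib
import hmac
from pathlib import Path

MANIFEST = "manifest.sha256"  # name from the artifact list; line format is an assumption


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_run_dir(run_dir: Path) -> dict[str, list[str]]:
    """Compare a run directory against its manifest (assumed sha256sum format)."""
    root = run_dir.resolve()
    report = {"ok": [], "mismatch": [], "missing": [], "unsafe": [], "unlisted": []}
    listed = set()
    for line in (root / MANIFEST).read_text().splitlines():
        if not line.strip():
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # sha256sum marks binary mode with '*'
        target = (root / name).resolve()
        if not target.is_relative_to(root):
            report["unsafe"].append(name)  # entry points outside the run directory
            continue
        listed.add(target)
        if not target.is_file():
            report["missing"].append(name)
        elif hmac.compare_digest(sha256_file(target), digest.lower()):
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    # Evidence files that the manifest does not cover are reported, not ignored.
    for p in root.rglob("*"):
        if p.is_file() and p.name != MANIFEST and p.resolve() not in listed:
            report["unlisted"].append(str(p.relative_to(root)))
    return report


def is_intact(report: dict[str, list[str]]) -> bool:
    """True only if every listed file matches and nothing is unlisted or unsafe."""
    return not any(report[k] for k in ("mismatch", "missing", "unsafe", "unlisted"))
```

The manifest only detects changes made after it was written; it does not show who produced it, so keep or sign a copy outside the run directory if the artifacts are used as report evidence.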
```bash
duro init
duro doctor [--skip-rpc] [--json]
duro discover . --out .duro/findings.discovery.json
duro synthesize --findings .duro/findings.discovery.json --out-dir scenarios/generated
duro audit-run . --mode fast --confidence-threshold 0.60 --out-prefix .duro/audit
duro audit --from .duro/findings.discovery.json --out-prefix .duro/fused-audit --llm-provider mock --max-runs 20
duro audit --from .duro/findings.discovery.json --fail-on confirmed:high,confirmed:critical --json
duro audit --from .duro/findings.discovery.json --output-contract
duro run <scenario.yaml> [--llm-provider ... --llm-model ... --llm-fallback ...]
duro rerun-check <scenario.yaml> --n 3 [--llm-provider ...]
duro rerun-check <scenario.yaml> --n 5 --min-majority-ratio 0.80
duro show <run_id>
duro report export <run_id>
duro verify <run_id>
duro verify --all
duro diff <run_a> <run_b>
duro guard <run_id>
duro ls
duro llm list-providers
duro llm test --provider <name> [--model ...] [--fallback ...] [--json]
duro llm stats
```

Implemented:
- mock
- openai
- gemini
- ollama
- anthropic
- openrouter
Env vars:
- `OPENAI_API_KEY`
- `ANTHROPIC_API_KEY`
- `OPENROUTER_API_KEY`
- `OPENROUTER_SITE_URL` (optional)
- `OPENROUTER_APP_NAME` (optional)
- `OLLAMA_HOST` (default `http://127.0.0.1:11434`)
- `GEMINI_API_KEY` or `GOOGLE_API_KEY`

In scenarios/templates/:
- access-control
- oracle-manipulation
- read-only-reentrancy
- signature-approval
- upgradeable-proxy
- governance-attack
- Safety policy gate for generated steps
- Confidence scoring v2 (classification + safety + invariant pass ratio + historical consistency)
- Reason-code classification
- Provider fallback + telemetry
- Integrity manifest + verification
- Trace summary artifact extraction (`trace.summary.log`)
- Invariant evaluation scaffold (`invariants` in scenario)
- CI replay workflows:
  - `replay-smoke` (no RPC dependency)
  - `replay-public-rpc` (uses `MAINNET_RPC_URL` secret)

- Python 3.11+
- Foundry (`forge`, `anvil`)

```bash
curl -L https://foundry.paradigm.xyz | bash
foundryup
```

```bash
git clone https://github.com/0xdefence/duro-cli.git
cd duro-cli
pip install -e .
```

Authorized testing only. Don’t use DURO on systems/contracts without explicit permission.

- Hybrid workflow: `docs/HYBRID_AUDIT_WORKFLOW.md`
- Discovery schema: `docs/findings.discovery.schema.json`
- Audit output contract v1 schema: `docs/contracts/duro.audit.v1.schema.json`
- Audit output contract v1 example: `docs/contracts/duro.audit.v1.example.json`
- Rulepack references: `duro/references/`
- Roadmap: `docs/DURO_RELEASE_PLAN.md`
- Issue backlog: `docs/GITHUB_ISSUES_P0_P1.md`
- Board: `docs/PROJECT_BOARD.md`
- Release notes: `docs/RELEASE_NOTES_v0.1.0-alpha.md`
- Changelog: `CHANGELOG.md`

MIT