Nethermind Security

In 2024, an attacker manipulated a lending protocol's oracle into valuing a single token at roughly $1.37 trillion. The oracle worked as designed. It derived the price from a DEX pool, and a flash loan moved that pool for a single block, so the reported price was the one the attacker chose. Reading a price directly from a pool is the obvious error, and most experienced teams avoid it. The harder failures are the ones that pass review. A staleness threshold set too high, so an outdated price is still accepted as current. An L2 feed that reads as fresh while the sequencer is down. A TWAP that resists cheap manipulation but lags a fast market enough to leave an exploitable window. Most teams know an oracle can be manipulated. Confirming that the safeguards already in place actually hold is harder, and it's most of what an audit does here.

Everyone's arguing about whether AI replaces security audits. We stopped arguing and ran it: one codebase, three layers, and we tracked what each one actually caught. AuditAgent (our AI scanner, runs while you build) and AgentArena (independent agents competing to break the same code) cleared the high-frequency stuff early. The bugs that show up in codebase after codebase, gone before anyone senior opened the repo. So by the time our auditors started, the easy surface was clean. They spent their time on the bugs you can't pattern-match. Things like an external call that ran before the check meant to authorize it. Design-specific, the kind you only find by reasoning through the whole system. Both camps in this fight are only half right: AI doesn't shrink the audit, it tells the audit where to look. And the audit finds what no scanner ever will. You don't pick one. You run them in order.