Skip to content

Releases: fboiero/MIESC

MIESC v6.0.0

Choose a tag to compare

@fboiero fboiero released this 13 Jul 02:43

What's Changed

No Changes.

Installation

pip install miesc==v6.0.0

Docker

docker pull ghcr.io/fboiero/MIESC:v6.0.0

Verification

All release artifacts are signed with Sigstore.

Verify checksums:

sha256sum -c SHA256SUMS.txt

Verify signatures with cosign:

# Install cosign: https://docs.sigstore.dev/cosign/installation/
cosign verify-blob --signature miesc-v6.0.0.tar.gz.sig \
  --certificate miesc-v6.0.0.tar.gz.pem \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  miesc-v6.0.0.tar.gz

See RELEASE_VERIFICATION.md for detailed instructions.

MIESC v5.4.3

Choose a tag to compare

@fboiero fboiero released this 17 May 11:37

MIESC v5.4.3 patch release.

Highlights:

  • Fixes local analysis cache isolation for MIESC_HOME and explicit cache directories.
  • Aligns public package, OpenAPI, REST/MCP contract, CI/Docker, and local helper release metadata.
  • Updates Docker release-candidate handling and full-image build dependencies.

Validation:

  • Local make quick-check: 5988 passed, 6 skipped.
  • Local make release: wheel/sdist built, twine check passed, distribution content validation passed.
  • GitHub Actions for 55da2b3: OpenSSF Scorecard, MIESC CI/CD Pipeline, and Docker Build and Publish passed.

MIESC v5.4.2

Choose a tag to compare

@fboiero fboiero released this 09 May 19:44

MIESC v5.4.2 closes the v5.4 release surface on the final commit after the SmartBugs benchmark refresh and release documentation alignment.\n\nHighlights:\n- Release metadata, CLI-visible version strings, OpenAPI metadata, Docker examples, and verification instructions aligned to v5.4.2.\n- Includes the SmartBugs benchmark refresh published after v5.4.1.\n- Distribution artifacts were rebuilt and checked with make build and make build-check.\n\nValidation:\n- uv run miesc --version -> MIESC version 5.4.2\n- uv run pytest tests/test_distribution_contents.py tests/test_doctor_command.py tests/test_spec_generator.py tests/test_report_quality.py -q -> 26 passed\n- make build-check -> passed

MIESC v5.3.0 — From Detection to Remediation

Choose a tag to compare

@fboiero fboiero released this 22 Apr 02:43

🔧 Full Pipeline: scan → fix → verify → compliance

miesc scan contract.sol -o results.json           # Detect + intelligence
miesc fix results.json -c contract.sol -o fixed.sol  # Auto-patch
miesc verify fixed.sol --tool smtchecker           # Prove fix works
miesc compliance results.json --standard mica      # Regulatory mapping

New commands

miesc fix — auto-generates patched Solidity. Adds nonReentrant, onlyOwner, wraps calls in require(success). Verified: withdraw()withdraw() nonReentrant.

miesc compliance — maps to 12 standards: ISO 27001, NIST CSF, OWASP, CWE, SWC, MITRE, MiCA Art.11, DORA Art.9.

miesc scan --diff HEAD~1 — PR-level scanning for CI pipelines.

Bridge exploit patterns ($1.7B+)

7 patterns from real incidents: Wormhole replay ($326M), Ronin signatures ($624M), BNB hash collision ($586M), Nomad origin validation ($190M).

Also includes v5.2.0 Intelligence Engine

15 capabilities, ~30% noise reduction, 77 multi-chain vuln types, 10 fix-code templates, 10 exploit scenarios.

Install

pip install --upgrade miesc==5.3.0

Stats

5,978 tests | 87% coverage | 20 CLI commands | 77 multi-chain vuln types

MIESC v5.2.0 — Intelligence Engine

Choose a tag to compare

@fboiero fboiero released this 22 Apr 02:07

🧠 Intelligence Engine — 15 Capabilities

MIESC v5.2.0 ships a post-detection intelligence engine that transforms raw tool output into actionable, deduplicated findings with confidence scores, fix code, and exploit scenarios.

What changes for users

Before (v5.1.4):

$ miesc scan contract.sol
HIGH: 1, LOW: 6, TOTAL: 7

After (v5.2.0):

$ miesc scan contract.sol --verbose
HIGH: 1 (conf=98%), MEDIUM: 2, TOTAL: 3

  1. High reentrancy-eth conf=98%
     Category: reentrancy | Tools: slither
     Fix: Apply CEI pattern + ReentrancyGuard
     [20 lines of copy-pasteable Solidity fix code]
     [6-step exploit scenario]

~30% noise reduction without losing recall. Every finding carries:

  • Bayesian confidence score (multi-tool agreement)
  • Copy-pasteable Solidity fix code (10 categories)
  • Step-by-step exploit scenario (10 categories)
  • Canonical category for consistent triage

Multi-chain expansion (42 → 77 vuln types)

  • Stellar/Soroban: +7 (flash loan, i128 overflow, unbounded loop)
  • Solana/Anchor: +7 (closure reentrancy, discriminator, CPI return)
  • Move/Sui/Aptos: +7 (shared object race, dynamic field, package upgrade)
  • EVM intelligence: +7 (tx.origin, hardcoded gas, storage collision, DoS)

8 production bugs fixed

Including the critical stale-output bug where Slither silently returned findings from a previous contract.

5913 tests, 87% coverage

Install

pip install --upgrade miesc==5.2.0

Roadmap to v5.3

See ROADMAP_v5.2_v5.3.md for the path to automated remediation (miesc fix), PR-diff scanning, and cross-chain bridge patterns.

MIESC v5.1.9 — CRITICAL: Fix stale Slither/Aderyn output

Choose a tag to compare

@fboiero fboiero released this 21 Apr 10:32

⚠️ Critical Fix — Upgrade Immediately

Slither adapter was silently returning 0 findings on contracts with known reentrancy vulnerabilities.

A contract with msg.sender.call{value: amount} before state update (textbook SWC-107) was reported as "No issues found" because the adapter read /tmp/slither_output.json from a previous analysis on a different contract.

Before (broken)

$ miesc scan ReentrancyVulnerable.sol
No issues found!          ← WRONG: Slither detects HIGH reentrancy-eth

After (fixed)

$ miesc scan ReentrancyVulnerable.sol
HIGH: 2
LOW:  3
TOTAL: 5
Found 2 critical/high severity issues!

Root cause

The output file /tmp/slither_output.json was never deleted between runs. A successful scan of ContractA left its findings in the file. A subsequent scan of ContractB could read ContractA's stale findings if the subprocess timing aligned.

Fix

Delete the output file before running subprocess.run. Applied to both Slither and Aderyn adapters.

Also in this release

  • First-run UX: suggests miesc doctor when all tools fail
  • README: downloads badge + Python versions badge
  • 20 GitHub topics for search discovery
  • Docker workflow: multiarch/full now builds on tag pushes

Install

pip install --upgrade miesc

MIESC v5.1.8 — HOTFIX: rich added to base deps

Choose a tag to compare

@fboiero fboiero released this 13 Apr 12:10

⚠️ Critical Hotfix

`pip install miesc==5.1.7` produced a broken CLI. Any command using rich console output crashed with:

```
AttributeError: 'NoneType' object has no attribute 'print'
```

Affected: `analyze`, `report`, `audit`, `verify`, and several other commands (137 console.print sites in total).

Fix (defense-in-depth)

  1. `rich>=13.0.0` is now a hard dependency in `pyproject.toml`.
  2. `_PlainConsole` fallback in `miesc/cli/utils.py` — even if rich is missing for any reason, console.print calls strip markup and degrade to plain print() instead of crashing.

Discovery

Found during the post-release smoke test against the README Quick Start:

```bash
python -m venv /tmp/miesc_test
/tmp/miesc_test/bin/pip install miesc==5.1.7
/tmp/miesc_test/bin/miesc analyze contract.cairo # crashed
```

This is the exact scenario every new user hits first.

Install

```bash
pip install --upgrade miesc==5.1.8
```

v5.1.7 is left on PyPI for reproducibility but all users should upgrade to 5.1.8 immediately.

Tests

5,332 passed, 0 regressions.

MIESC v5.1.7 — Three Gates Closed + 5 Bug Fixes

Choose a tag to compare

@fboiero fboiero released this 13 Apr 11:28

Highlights

v5.1.7 Gates (closing the v5.1.6 benchmark report's three open items)

  • Gate 2: Taxonomy normalizationCanonicalCategory enum + 70+ direct mappings unblocks DeepAuditAgent Phase-3 branches on real-world tool output. Rekt benchmark defi_confirmed 0 → 19.
  • Gate 1: Victim-side corpus — Full SmartBugs-curated (28 → 143 contracts). FP dataset 122 → 934 samples (3 → 67 TPs).
  • Gate 3: LLM consensus on Rekt — 80 HIGH+CRITICAL findings → 4 needs_manual_review (5% triage queue density). BonqDAO oracle: 4/4 disagreement.

Five real bugs found by the new test infrastructure

  1. LLM location field rejected non-dict shapes → SmartLLM returned 0 findings (67dd48b)
  2. load_adapters shim missing → WARNING per analyze() + Phase 3 silently degraded (d00bcbc)
  3. SlitherAdapter stale-cache → wrong contract findings on missing path (cdf81c7)
  4. AderynAdapter + MythrilAdapter same pattern (7cbc04c)
  5. SecureFormatter missed OPENAI_API_KEY=sk-... env-var pattern (3bb2028)

Test infrastructure (+321 tests vs v5.1.6)

10 new test files — security regressions, scalability bounds, functionality contracts, adapter contracts, taxonomy module. Total: 5,306 passing, 5 skipped, 0 regressions.

Documentation

  • docs/PRE_RELEASE_AUDIT_v5.1.7.md — full pre-release audit (quality + security + OSS + alignment)
  • benchmarks/results/v5.1.7_gates_report.md — per-contract LLM consensus breakdown
  • paper/miesc-paper.tex — updated with Cairo 1.1.0, multi-LLM consensus, formal verification bridge

Install

pip install --upgrade miesc==5.1.7
docker pull ghcr.io/fboiero/miesc:5.1.7

Tests

5,306 passed, 5 skipped, 0 regressions.

Full changelog

See CHANGELOG.md for the comprehensive entry.

MIESC v5.1.6

Choose a tag to compare

@fboiero fboiero released this 13 Apr 00:19

Highlights

Bloque 3 — DeepAuditAgent deep investigation

  • Finding-driven tool triggering now REAL (not labels): oracle findings invoke DeFiPatternDetector, access-control findings generate Certora CVL rules that pipe directly into `miesc verify`.
  • Multi-LLM consensus on CRITICAL findings: primary model + verification-use-case model are compared. Confidence bounded adjustments: +0.20 on agreement, -0.30 on joint rejection, -0.10 + `needs_manual_review=True` on disagreement.

Bloque 4 — Enriched RAG patterns

  • `VulnerabilityExample` gains `attack_steps: List[str]` and `detection_heuristic: Optional[str]`.
  • Top 8 patterns enriched with grep-level detection recipes and numbered exploitation steps (SWC-107/105/106/104/115/101 + Euler 2023 + Curve/Vyper 2023).
  • RAG context block now surfaces these fields to the LLM.

Polish

  • `miesc verify --tool halmos` end-to-end working (foundry.toml detection, ANSI strip, no_tests status).
  • GPTScan `%RAG_CONTEXT%` placeholder bug fixed.
  • Few-shot real exploits added across 3 LLM adapters.

Install

```bash
pip install --upgrade miesc==5.1.6
```

Tests

4985 passed, 5 skipped. Zero regressions.

MIESC v5.1.5

Choose a tag to compare

@fboiero fboiero released this 12 Apr 21:33

Highlights

  • Auditor-trained FP classifiersrc/ml/fp_ml_classifier.py, sklearn GradientBoostingClassifier with heuristic fallback.
  • Formal verification runnersrc/formal/spec_runner.py, executes Certora / Halmos / SMTChecker specs and normalizes results.
  • New CLI: `miesc verify` — closes the spec → prover loop.
  • Expanded Cairo patterns (13 vuln types) — informed by real 2024-2026 Starknet exploits (zkLend, Braavos, Pragma staleness).
  • Streamlit Cloud deployment guide + dynamic version in `webapp/app.py`.

Install

```bash
pip install --upgrade miesc==5.1.5
```

Tests

4948 passed, 5 skipped. See `CHANGELOG.md` for the full list of changes.