Releases: fboiero/MIESC
Release list
MIESC v6.0.0
What's Changed
No Changes.
Installation
pip install miesc==v6.0.0Docker
docker pull ghcr.io/fboiero/MIESC:v6.0.0Verification
All release artifacts are signed with Sigstore.
Verify checksums:
sha256sum -c SHA256SUMS.txtVerify signatures with cosign:
# Install cosign: https://docs.sigstore.dev/cosign/installation/
cosign verify-blob --signature miesc-v6.0.0.tar.gz.sig \
--certificate miesc-v6.0.0.tar.gz.pem \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
miesc-v6.0.0.tar.gzSee RELEASE_VERIFICATION.md for detailed instructions.
MIESC v5.4.3
MIESC v5.4.3 patch release.
Highlights:
- Fixes local analysis cache isolation for MIESC_HOME and explicit cache directories.
- Aligns public package, OpenAPI, REST/MCP contract, CI/Docker, and local helper release metadata.
- Updates Docker release-candidate handling and full-image build dependencies.
Validation:
- Local make quick-check: 5988 passed, 6 skipped.
- Local make release: wheel/sdist built, twine check passed, distribution content validation passed.
- GitHub Actions for 55da2b3: OpenSSF Scorecard, MIESC CI/CD Pipeline, and Docker Build and Publish passed.
MIESC v5.4.2
MIESC v5.4.2 closes the v5.4 release surface on the final commit after the SmartBugs benchmark refresh and release documentation alignment.\n\nHighlights:\n- Release metadata, CLI-visible version strings, OpenAPI metadata, Docker examples, and verification instructions aligned to v5.4.2.\n- Includes the SmartBugs benchmark refresh published after v5.4.1.\n- Distribution artifacts were rebuilt and checked with make build and make build-check.\n\nValidation:\n- uv run miesc --version -> MIESC version 5.4.2\n- uv run pytest tests/test_distribution_contents.py tests/test_doctor_command.py tests/test_spec_generator.py tests/test_report_quality.py -q -> 26 passed\n- make build-check -> passed
MIESC v5.3.0 — From Detection to Remediation
🔧 Full Pipeline: scan → fix → verify → compliance
miesc scan contract.sol -o results.json # Detect + intelligence
miesc fix results.json -c contract.sol -o fixed.sol # Auto-patch
miesc verify fixed.sol --tool smtchecker # Prove fix works
miesc compliance results.json --standard mica # Regulatory mappingNew commands
miesc fix — auto-generates patched Solidity. Adds nonReentrant, onlyOwner, wraps calls in require(success). Verified: withdraw() → withdraw() nonReentrant.
miesc compliance — maps to 12 standards: ISO 27001, NIST CSF, OWASP, CWE, SWC, MITRE, MiCA Art.11, DORA Art.9.
miesc scan --diff HEAD~1 — PR-level scanning for CI pipelines.
Bridge exploit patterns ($1.7B+)
7 patterns from real incidents: Wormhole replay ($326M), Ronin signatures ($624M), BNB hash collision ($586M), Nomad origin validation ($190M).
Also includes v5.2.0 Intelligence Engine
15 capabilities, ~30% noise reduction, 77 multi-chain vuln types, 10 fix-code templates, 10 exploit scenarios.
Install
pip install --upgrade miesc==5.3.0Stats
5,978 tests | 87% coverage | 20 CLI commands | 77 multi-chain vuln types
MIESC v5.2.0 — Intelligence Engine
🧠 Intelligence Engine — 15 Capabilities
MIESC v5.2.0 ships a post-detection intelligence engine that transforms raw tool output into actionable, deduplicated findings with confidence scores, fix code, and exploit scenarios.
What changes for users
Before (v5.1.4):
$ miesc scan contract.sol
HIGH: 1, LOW: 6, TOTAL: 7
After (v5.2.0):
$ miesc scan contract.sol --verbose
HIGH: 1 (conf=98%), MEDIUM: 2, TOTAL: 3
1. High reentrancy-eth conf=98%
Category: reentrancy | Tools: slither
Fix: Apply CEI pattern + ReentrancyGuard
[20 lines of copy-pasteable Solidity fix code]
[6-step exploit scenario]
~30% noise reduction without losing recall. Every finding carries:
- Bayesian confidence score (multi-tool agreement)
- Copy-pasteable Solidity fix code (10 categories)
- Step-by-step exploit scenario (10 categories)
- Canonical category for consistent triage
Multi-chain expansion (42 → 77 vuln types)
- Stellar/Soroban: +7 (flash loan, i128 overflow, unbounded loop)
- Solana/Anchor: +7 (closure reentrancy, discriminator, CPI return)
- Move/Sui/Aptos: +7 (shared object race, dynamic field, package upgrade)
- EVM intelligence: +7 (tx.origin, hardcoded gas, storage collision, DoS)
8 production bugs fixed
Including the critical stale-output bug where Slither silently returned findings from a previous contract.
5913 tests, 87% coverage
Install
pip install --upgrade miesc==5.2.0Roadmap to v5.3
See ROADMAP_v5.2_v5.3.md for the path to automated remediation (miesc fix), PR-diff scanning, and cross-chain bridge patterns.
MIESC v5.1.9 — CRITICAL: Fix stale Slither/Aderyn output
⚠️ Critical Fix — Upgrade Immediately
Slither adapter was silently returning 0 findings on contracts with known reentrancy vulnerabilities.
A contract with msg.sender.call{value: amount} before state update (textbook SWC-107) was reported as "No issues found" because the adapter read /tmp/slither_output.json from a previous analysis on a different contract.
Before (broken)
$ miesc scan ReentrancyVulnerable.sol
No issues found! ← WRONG: Slither detects HIGH reentrancy-eth
After (fixed)
$ miesc scan ReentrancyVulnerable.sol
HIGH: 2
LOW: 3
TOTAL: 5
Found 2 critical/high severity issues!
Root cause
The output file /tmp/slither_output.json was never deleted between runs. A successful scan of ContractA left its findings in the file. A subsequent scan of ContractB could read ContractA's stale findings if the subprocess timing aligned.
Fix
Delete the output file before running subprocess.run. Applied to both Slither and Aderyn adapters.
Also in this release
- First-run UX: suggests
miesc doctorwhen all tools fail - README: downloads badge + Python versions badge
- 20 GitHub topics for search discovery
- Docker workflow: multiarch/full now builds on tag pushes
Install
pip install --upgrade miescMIESC v5.1.8 — HOTFIX: rich added to base deps
⚠️ Critical Hotfix
`pip install miesc==5.1.7` produced a broken CLI. Any command using rich console output crashed with:
```
AttributeError: 'NoneType' object has no attribute 'print'
```
Affected: `analyze`, `report`, `audit`, `verify`, and several other commands (137 console.print sites in total).
Fix (defense-in-depth)
- `rich>=13.0.0` is now a hard dependency in `pyproject.toml`.
- `_PlainConsole` fallback in `miesc/cli/utils.py` — even if rich is missing for any reason, console.print calls strip markup and degrade to plain print() instead of crashing.
Discovery
Found during the post-release smoke test against the README Quick Start:
```bash
python -m venv /tmp/miesc_test
/tmp/miesc_test/bin/pip install miesc==5.1.7
/tmp/miesc_test/bin/miesc analyze contract.cairo # crashed
```
This is the exact scenario every new user hits first.
Install
```bash
pip install --upgrade miesc==5.1.8
```
v5.1.7 is left on PyPI for reproducibility but all users should upgrade to 5.1.8 immediately.
Tests
5,332 passed, 0 regressions.
MIESC v5.1.7 — Three Gates Closed + 5 Bug Fixes
Highlights
v5.1.7 Gates (closing the v5.1.6 benchmark report's three open items)
- Gate 2: Taxonomy normalization —
CanonicalCategoryenum + 70+ direct mappings unblocks DeepAuditAgent Phase-3 branches on real-world tool output. Rekt benchmarkdefi_confirmed0 → 19. - Gate 1: Victim-side corpus — Full SmartBugs-curated (28 → 143 contracts). FP dataset 122 → 934 samples (3 → 67 TPs).
- Gate 3: LLM consensus on Rekt — 80 HIGH+CRITICAL findings → 4 needs_manual_review (5% triage queue density). BonqDAO oracle: 4/4 disagreement.
Five real bugs found by the new test infrastructure
- LLM
locationfield rejected non-dict shapes → SmartLLM returned 0 findings (67dd48b) load_adaptersshim missing → WARNING per analyze() + Phase 3 silently degraded (d00bcbc)- SlitherAdapter stale-cache → wrong contract findings on missing path (
cdf81c7) - AderynAdapter + MythrilAdapter same pattern (
7cbc04c) - SecureFormatter missed
OPENAI_API_KEY=sk-...env-var pattern (3bb2028)
Test infrastructure (+321 tests vs v5.1.6)
10 new test files — security regressions, scalability bounds, functionality contracts, adapter contracts, taxonomy module. Total: 5,306 passing, 5 skipped, 0 regressions.
Documentation
docs/PRE_RELEASE_AUDIT_v5.1.7.md— full pre-release audit (quality + security + OSS + alignment)benchmarks/results/v5.1.7_gates_report.md— per-contract LLM consensus breakdownpaper/miesc-paper.tex— updated with Cairo 1.1.0, multi-LLM consensus, formal verification bridge
Install
pip install --upgrade miesc==5.1.7docker pull ghcr.io/fboiero/miesc:5.1.7Tests
5,306 passed, 5 skipped, 0 regressions.
Full changelog
See CHANGELOG.md for the comprehensive entry.
MIESC v5.1.6
Highlights
Bloque 3 — DeepAuditAgent deep investigation
- Finding-driven tool triggering now REAL (not labels): oracle findings invoke DeFiPatternDetector, access-control findings generate Certora CVL rules that pipe directly into `miesc verify`.
- Multi-LLM consensus on CRITICAL findings: primary model + verification-use-case model are compared. Confidence bounded adjustments: +0.20 on agreement, -0.30 on joint rejection, -0.10 + `needs_manual_review=True` on disagreement.
Bloque 4 — Enriched RAG patterns
- `VulnerabilityExample` gains `attack_steps: List[str]` and `detection_heuristic: Optional[str]`.
- Top 8 patterns enriched with grep-level detection recipes and numbered exploitation steps (SWC-107/105/106/104/115/101 + Euler 2023 + Curve/Vyper 2023).
- RAG context block now surfaces these fields to the LLM.
Polish
- `miesc verify --tool halmos` end-to-end working (foundry.toml detection, ANSI strip, no_tests status).
- GPTScan `%RAG_CONTEXT%` placeholder bug fixed.
- Few-shot real exploits added across 3 LLM adapters.
Install
```bash
pip install --upgrade miesc==5.1.6
```
Tests
4985 passed, 5 skipped. Zero regressions.
MIESC v5.1.5
Highlights
- Auditor-trained FP classifier —
src/ml/fp_ml_classifier.py, sklearn GradientBoostingClassifier with heuristic fallback. - Formal verification runner —
src/formal/spec_runner.py, executes Certora / Halmos / SMTChecker specs and normalizes results. - New CLI: `miesc verify` — closes the spec → prover loop.
- Expanded Cairo patterns (13 vuln types) — informed by real 2024-2026 Starknet exploits (zkLend, Braavos, Pragma staleness).
- Streamlit Cloud deployment guide + dynamic version in `webapp/app.py`.
Install
```bash
pip install --upgrade miesc==5.1.5
```
Tests
4948 passed, 5 skipped. See `CHANGELOG.md` for the full list of changes.