Sentinel - AI Smart Contract Security Auditor

Inspiration

The blockchain industry has lost over $3.8 billion to smart contract exploits. As Move developers, we saw firsthand how even experienced teams ship vulnerable code, not from carelessness, but because professional security audits cost $10,000-$100,000+ and take weeks or months.

We asked: What if every developer could have an AI security expert reviewing their code instantly, for free?

That question became Sentinel.


What it does

Sentinel is an AI-powered security auditor for Sui Move smart contracts, leveraging Google Gemini 2.5 Flash for deep semantic analysis.

Core Features:

  • πŸ” Instant Vulnerability Detection - Identifies capability leaks, access control flaws, timestamp manipulation, and Move-specific bugs
  • πŸ“Š Security Scoring - Quantified 0-100 scores with severity-based calculations
  • πŸ“ˆ Visual Attack Diagrams - AI-generated Mermaid.js sequence diagrams showing exactly how exploits work
  • πŸ› οΈ Automated Fix Suggestions - Production-ready code fixes for each vulnerability
  • πŸ’Ύ Export & History - Download reports as JSON, track analysis history locally

How we built it

Tech Stack:

| Layer | Technology |
|-------|------------|
| Frontend | React 18, TypeScript, TailwindCSS 4, Vite |
| AI Engine | Google Gemini 2.5 Flash API |
| Visualization | Mermaid.js (AI-generated diagrams) |
| Backend | Vercel Serverless Functions |
| Design | Custom Sui.io-inspired sharp-edge aesthetic |

Gemini Integration:

  1. Semantic Analysis - The full contract source is sent to Gemini together with a Move vulnerability knowledge base. Gemini reasons about capability flows, ownership patterns, and state transitions. Note that this means unpublished contract source leaves the developer's machine and is processed by Google's API.
  2. Visual Generation - Gemini outputs Mermaid sequence diagrams showing attack vectors step-by-step.
  3. Code Remediation - AI generates fixed code applying Move security best practices.

Scoring Formula: $$\text{Score} = 100 - \sum_{v \in \text{vulnerabilities}} \text{penalty}(v)$$

Where penalty(v) is 60 for Critical, 25 for High, 10 for Medium, and 5 for Low, and the result is clamped to the 0-100 range shown in the UI.


Challenges we ran into

1. JSON Truncation
Complex contracts made Gemini run out of output tokens mid-JSON, producing parse errors. We fixed this with a strict output token limit (3000), a cap of two vulnerabilities per response, and a regex fallback parser that salvages the complete objects from a truncated body. The cap means a single run reports at most two findings, so the score reflects the two the model chose to report.
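The two pieces above (the scoring formula from "How we built it" and the fallback parser from this challenge) combine into one small pipeline. The following is an added example written for this page, not Sentinel's own code: it strips a Markdown fence, tries a full JSON parse, falls back to extracting complete objects from a truncated body, normalizes severity casing, and applies the penalty formula with clamping. The response text is constructed to look like a Gemini reply cut off mid-object; the field names `vulnerabilities`, `title`, `severity` and `line` are assumptions about the output schema.

```python
import json
import re

# Severity penalties behind Score = 100 - sum(penalty(v)); values from the page's rubric.
PENALTY = {"Critical": 60, "High": 25, "Medium": 10, "Low": 5}

# A complete JSON object (no nested braces) that carries a severity field.
OBJECT_RE = re.compile(r'\{[^{}]*"severity"\s*:\s*"[A-Za-z]+"[^{}]*\}')

# Constructed sample (not real model output): a response cut off by the output token limit.
TRUNCATED_RESPONSE = """```json
{"vulnerabilities": [
  {"title": "AdminCap minted in public entry function", "severity": "Critical", "line": 14},
  {"title": "Clock timestamp used as randomness source", "severity": "medium", "line": 32},
  {"title": "Withdraw lacks balance check", "severity": "Hi"""


def strip_fences(raw):
    """Remove a surrounding ```json ... ``` fence if the model added one."""
    text = raw.strip()
    if text.startswith("```"):
        text = text.split("\n", 1)[1] if "\n" in text else ""
    if text.endswith("```"):
        text = text[:-3]
    return text.strip()


def normalize(item):
    """Coerce one raw finding into {title, severity, line}; None if the severity is unusable."""
    if not isinstance(item, dict):
        return None
    sev = str(item.get("severity", "")).strip().capitalize()
    if sev not in PENALTY:
        return None
    return {"title": str(item.get("title", "untitled")).strip(),
            "severity": sev, "line": item.get("line")}


def parse_findings(raw):
    """Return (findings, mode): 'json' when the whole body parsed,
    'regex_fallback' when only complete objects could be salvaged from a truncated body."""
    text = strip_fences(raw)
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        data = None
    if data is not None:
        items = data.get("vulnerabilities", []) if isinstance(data, dict) else data
        items = items if isinstance(items, list) else []
        return [f for f in map(normalize, items) if f], "json"
    findings = []
    for m in OBJECT_RE.finditer(text):
        try:
            f = normalize(json.loads(m.group(0)))
        except json.JSONDecodeError:
            continue  # looked complete but is not valid JSON on its own
        if f:
            findings.append(f)
    return findings, "regex_fallback"


def security_score(findings):
    """100 minus summed penalties, clamped to the 0-100 range the UI displays."""
    return max(0, min(100, 100 - sum(PENALTY[f["severity"]] for f in findings)))


if __name__ == "__main__":
    found, mode = parse_findings(TRUNCATED_RESPONSE)
    print(mode, security_score(found), [f["title"] for f in found])
```

On the constructed sample the full parse fails, the fallback recovers the two complete findings (Critical and Medium), the third, cut-off object is dropped, and the score comes out at 30. Anything the fallback cannot recover is silently lost, which is why the token cap and the two-finding limit matter more than the parser.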

2. Inconsistent Scoring
The same contract scored 40 on one run and 75 on the next. Solution: lowered the temperature to 0.1 and added an explicit scoring rubric to the prompt.

3. False Positives
Gemini flagged "admin holds capability" as a bug, but that is intended design. We added "False Positive Prevention" rules to the prompt that distinguish centralization (a trusted admin holding a capability object) from an actual vulnerability (a capability that anyone can obtain).
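The centralization-versus-leak distinction can also be encoded as a deterministic pre-check that runs before the model, which is useful for catching the most common capability leak regardless of how the prompt is worded. The following is an added example, not Sentinel's code: a heuristic lint over Sui Move source that treats `key` structs named `*Cap` as capabilities and flags externally callable functions that construct one without taking a reference to one as a parameter. The Move module is constructed for the example; the `init`-only pattern for minting the admin capability is the Sui convention the check relies on, and the brace-counting body extraction is a deliberate simplification rather than a Move parser.

```python
import json
import re

# Constructed Sui Move sample (not from the project): one capability leak, one intended admin gate.
SAMPLE_MODULE = """
module example::vault {
    use sui::object::{Self, UID};
    use sui::transfer;
    use sui::tx_context::{Self, TxContext};

    public struct AdminCap has key, store { id: UID }
    public struct Vault has key { id: UID, fee_bps: u64 }

    fun init(ctx: &mut TxContext) {
        // Publisher receives the only AdminCap: centralization, not a vulnerability.
        transfer::transfer(AdminCap { id: object::new(ctx) }, tx_context::sender(ctx));
    }

    public entry fun claim_admin(ctx: &mut TxContext) {
        // Anyone can call this and mint themselves an AdminCap: capability leak.
        transfer::transfer(AdminCap { id: object::new(ctx) }, tx_context::sender(ctx));
    }

    public entry fun set_fee(_: &AdminCap, vault: &mut Vault, fee_bps: u64) {
        vault.fee_bps = fee_bps;
    }
}
"""

STRUCT_RE = re.compile(r"\bstruct\s+(\w+)\s+has\s+([^{]*)\{")
# Modifiers, name, optional generics, parameter list. [ \t]* keeps each match on its own line.
FUN_RE = re.compile(
    r"^[ \t]*((?:public(?:\(\w+\))?\s+)?(?:entry\s+)?)fun\s+(\w+)(?:<[^>]*>)?\s*\(([^)]*)\)",
    re.MULTILINE,
)


def capability_structs(src):
    """Heuristic: structs with the key ability whose name ends in Cap are capabilities."""
    caps = []
    for name, abilities in STRUCT_RE.findall(src):
        if name.endswith("Cap") and "key" in {a.strip() for a in abilities.split(",")}:
            caps.append(name)
    return caps


def function_body(src, start):
    """Text between the braces of the body opening after `start` (brace counting; ignores strings)."""
    open_idx = src.index("{", start)
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]


def find_capability_leaks(src):
    """Flag externally callable functions that construct a capability without holding one.

    A function gated by `&AdminCap` / `&mut AdminCap` is centralization by design and is not
    reported. `public(package)` / `public(friend)` functions and the private `init` are not
    callable by arbitrary users, so they are skipped as well."""
    caps = capability_structs(src)
    findings = []
    for m in FUN_RE.finditer(src):
        modifiers, name, params = m.group(1), m.group(2), m.group(3)
        external = ("public " in modifiers or "entry" in modifiers) and "public(" not in modifiers
        if not external:
            continue
        body = function_body(src, m.end())
        for cap in caps:
            gated = re.search(rf"&\s*(?:mut\s+)?{cap}\b", params)
            mints = re.search(rf"\b{cap}\s*\{{", body)
            if mints and not gated:
                findings.append({
                    "title": f"Capability leak: {name} constructs {cap} but is callable by anyone",
                    "severity": "Critical",
                    "function": name,
                    "line": src.count("\n", 0, m.start()) + 1,
                })
    return findings


if __name__ == "__main__":
    print(json.dumps(find_capability_leaks(SAMPLE_MODULE), indent=2))
```

On the sample only `claim_admin` is reported: `init` runs once at publish and `set_fee` requires an `&AdminCap` the caller must already own, which is exactly the "admin holds capability" case the prompt rules were added to stop flagging. Making `claim_admin` private (or gating it on `&AdminCap`) clears the finding.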

4. Mermaid Rendering Errors
AI-generated diagrams contained characters Mermaid rejects (Move paths with `::`, stray `;`, flowchart syntax in a sequence diagram). We built frontend sanitization that strips `::`, rewrites labels into safe identifiers, and drops or repairs lines that are not valid sequence-diagram syntax before rendering.
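The sanitizer can be written as a small allow-list rebuilder rather than a string-patching pass. The following is an added example, not Sentinel's frontend code (which is TypeScript): it reads a model-produced sequence diagram line by line, maps Move-style participant names such as `vault::Treasury` to Mermaid-safe identifiers with a readable alias, replaces `;` (a statement terminator in Mermaid) inside message text, and drops anything that is not sequence-diagram syntax. The diagram text is constructed for the example and includes a flowchart `style` line of the kind that breaks rendering.

```python
import re

FENCE_RE = re.compile(r"^```[A-Za-z]*\s*$")
NAME = r"[A-Za-z0-9_]+(?:::[A-Za-z0-9_]+)*"   # identifier or Move path like vault::Treasury
ARROW = r"-{1,2}(?:>>?|x|\))"                   # ->, -->, ->>, -->>, -x, --x, -), --)
MESSAGE_RE = re.compile(rf"^({NAME})\s*({ARROW})\s*([+-]?)({NAME})\s*:\s*(.*)$")
PARTICIPANT_RE = re.compile(r"^(participant|actor)\s+(.+?)(?:\s+as\s+(.+))?$")
NOTE_RE = re.compile(
    rf"^note\s+(over|left of|right of)\s+({NAME}(?:\s*,\s*{NAME})*)\s*:\s*(.*)$", re.IGNORECASE
)
BLOCK_RE = re.compile(r"^(alt|else|opt|loop|par|and|critical|rect|end|autonumber)(?:\s+(.*))?$")
ACTIVATE_RE = re.compile(rf"^(activate|deactivate)\s+({NAME})$")

# Constructed sample (not real model output): Move paths, a ';' in a message, a flowchart line.
RAW_DIAGRAM = """```mermaid
sequenceDiagram
    participant Attacker
    participant vault::Treasury
    Attacker->>vault::Treasury: claim_admin(); receives AdminCap
    vault::Treasury-->>Attacker: AdminCap object transferred
    Note over Attacker,vault::Treasury: attacker now passes the &AdminCap check
    Attacker->>vault::Treasury: withdraw_all(cap)
    style Attacker fill:#f00
```"""


def to_id(name):
    """Mermaid-safe participant id: 'vault::Treasury' -> 'vault_Treasury'."""
    return re.sub(r"[^A-Za-z0-9_]+", "_", name).strip("_") or "unknown"


def clean_text(text):
    """Label/message text: ';' ends a Mermaid statement, '::' broke rendering."""
    return text.replace("::", ".").replace(";", ",").strip()


def sanitize_mermaid(raw):
    """Rebuild a sequence diagram from recognised lines only; return (diagram, dropped_lines)."""
    out, dropped = ["sequenceDiagram"], []
    for line in raw.splitlines():
        line = line.strip()
        if not line or FENCE_RE.match(line) or line == "sequenceDiagram":
            continue
        if m := PARTICIPANT_RE.match(line):
            kind, name, alias = m.groups()
            out.append(f"    {kind} {to_id(name)} as {clean_text(alias or name)}")
        elif m := MESSAGE_RE.match(line):
            src, arrow, act, dst, text = m.groups()
            out.append(f"    {to_id(src)}{arrow}{act}{to_id(dst)}: {clean_text(text)}")
        elif m := NOTE_RE.match(line):
            pos, who, text = m.groups()
            ids = ",".join(to_id(w.strip()) for w in who.split(","))
            out.append(f"    Note {pos.lower()} {ids}: {clean_text(text)}")
        elif m := BLOCK_RE.match(line):
            kw, rest = m.groups()
            out.append(f"    {kw} {clean_text(rest)}" if rest else f"    {kw}")
        elif m := ACTIVATE_RE.match(line):
            kw, who = m.groups()
            out.append(f"    {kw} {to_id(who)}")
        else:
            dropped.append(line)  # not sequence-diagram syntax, e.g. a flowchart 'style' line
    return "\n".join(out), dropped


if __name__ == "__main__":
    diagram, dropped = sanitize_mermaid(RAW_DIAGRAM)
    print(diagram)
    print("dropped:", dropped)
```

Returning the dropped lines separately lets the UI show what was removed instead of failing silently; an allow-list also means a new Mermaid construct the model starts using will be dropped until the regex table is extended, which is the safer failure mode for untrusted model output that is handed to a renderer.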


Accomplishments that we're proud of

  • ✅ Production-Ready App - Fully functional, deployed on Vercel with 0 build errors
  • ✅ Sub-30-Second Analysis - Complex contracts analyzed in under 30 seconds
  • ✅ Move-Specific Knowledge Base - Custom vulnerability patterns for Sui (capability leaks, OTW misuse, shared object races)
  • ✅ Beautiful UI - Authentic Sui.io design language with 3D holographic hero section
  • ✅ Consistent Scoring - Repeat runs on the same contract now produce the same score (temperature 0.1 plus the explicit rubric)

What we learned

  • Gemini is a Reasoning Engine - In our runs it did not just pattern-match against the knowledge base; it traced capability flows across functions and surfaced attack vectors we had not encoded as patterns
  • Prompt Engineering is Critical - Dozens of iterations to achieve consistent, parseable JSON output
  • Move Security is Unique - Capability-based access control requires different detection patterns than Solidity's msg.sender checks
  • Token Budget Management - Forcing conciseness (max characters, max vulnerabilities) prevents truncation

What's next for Sentinel

  • 🌐 Multi-Blockchain Expansion - Extend support to Solidity (Ethereum/EVM), Rust (Solana), and Cairo (Starknet)
  • 🔄 CI/CD Integration - GitHub Action for automated security checks on every commit
  • 📁 Multi-Contract Analysis - Analyze entire protocols, not just single modules
  • 📊 Historical Tracking - Compare security scores across contract versions
  • 🌍 Community Knowledge Base - Crowdsourced vulnerability patterns from the security community
