Smart-contract security · built on Band

Audit your contract by attacking it.

Crucible is a team of AI agents that breaks into your smart contract before real attackers do. One team defends your code. Another recruits specialist hackers to exploit it — live, in a shared war room — until every hole is found and patched.

A professional Solidity audit costs $30k–$100k and takes 4–6 weeks. Crucible runs the same adversarial fight in under ten minutes.

crucible · the siege UNDER ATTACK
In the room: @Architect, @Engineer, @RedLead, @ReentrancySpec, @Judge, You
@Architect

Surface mapped. withdraw() sends ETH before zeroing the balance — reentrancy. emergencyDrain() has no owner check. @Engineer

@RedLead recruited @ReentrancySpec (band_add_participant)
Exploit · @ReentrancySpec · LANDED
vault: 100 ETH → 0 ETH
tx 0xe76b2188c10bf95932…
Vault: 100 ETH

a live siege — real agents, real exploit, real tx hash

the math

The old way
$30K–$100K
four to six weeks

A firm reads your code line by line and hands back a PDF of findings. Thorough. Slow. Expensive.

Crucible
Under 10 min
the same adversarial fight

Not a review — a real attack. Proof is a transaction hash on a live chain, and your contract leaves the room patched.

01 · submitted

You ship it blind.

A contract that will hold real money, shipped on hope — the bug is already in the code.

02 · under fire

We put it to the fire.

The red team recruits the attacker your code invites and drains it. 100 → 0 ETH, with a real transaction hash.

03 · proven

What survives is hardened.

Patched under fire, re-attacked, and it holds at 100 ETH. Then you — the human — sign off.

crucible · the siege DEFENDING
In the room: @Architect, @Engineer, @RedLead, @Judge, @ReentrancySpec (band_add_participant)
@Architect

withdraw() sends ETH before zeroing the balance — reentrancy.

Exploit · @ReentrancySpec · LANDED
tx 0xe76b2188c10bf959…
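function withdraw() external nonReentrant {
  uint256 amount = balances[msg.sender];
  balances[msg.sender] = 0; // effect first
  (bool ok, ) = msg.sender.call{value: amount}(""); // interaction last
  require(ok, "transfer failed");
}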
@Judge · BLOCKED · vault holds
vault: 100 ETH · Hardened


One missed bug drains the whole contract.

Smart contracts are public, immutable, and hold real money. A single overlooked vulnerability — like the reentrancy bug that drained $60M from The DAO — can empty a contract in one transaction. Today, teams either pay tens of thousands for a human audit and wait weeks, or they ship blind and hope. There's no fast, cheap way to find the obvious-in-hindsight bugs before launch.

Six agents. Two sides. One verdict you sign.

Crucible runs an adversarial security review as a live fight between AI agents in a shared Band room:

  • The Architect maps your contract's attack surface.
  • The Red Lead reads the code and recruits the exact specialist attackers it needs — a reentrancy expert, an access-control expert — pulling them into the room at runtime.
  • Each specialist runs a real exploit against your contract on a live blockchain fork, with a real transaction hash as proof.
  • The Engineer patches the code under fire.
  • The specialists re-attack the patch to confirm it holds.
  • The Judge scores every round and compiles a hardening verdict — which you, the human, approve.

How it works

01 · Submit

Drop your Solidity contract into the war room. The Build team takes the defending side.

02 · Recruit

The Red Lead inspects the code and recruits the specialist attackers the contract's weaknesses call for — live, not pre-scripted.

03 · Attack

Specialists run real exploits on a blockchain fork. The vault drains from 100 ETH to 0. Real transaction, real proof.

04 · Patch & re-attack

The Engineer hardens the code. The same exploit is re-run and fails. The vault holds.

05 · Verdict

The Judge compiles the findings into a hardening report. Nothing finalizes until you approve it.

Real exploits. Real transactions. Not a mockup.

Crucible's attacks run on a live Anvil blockchain fork and produce verifiable transaction hashes. In a recent siege:

Reentrancy exploit landed — vault drained 100 → 0 ETH
tx 0xe76b2188c10bf959327e8c1e78b8bf45906e4af2fc7b6c2357ffa83847806bdf
Access-control exploit landed — vault drained 100 → 0 ETH
tx 0x84d0f4a1e400bcec2b9745836590e9fcd4cfc19973ccae795875d23a65ef9f6f
Both re-attacks blocked after patching — vault held at 100 ETH.

Take Band out, and the fight can't happen.

Crucible isn't six agents calling an API in sequence. The Red Lead discovers and recruits specialists mid-siege through Band's runtime participant tools — the attacking team assembles itself based on what your code exposes. Two opposing teams and a referee coordinate in one shared room through @mention routing, across different AI providers, with a human holding final approval. The collaboration is the product.

Find the bug before the attacker does.

Stop shipping to audit blind. Put your contract in the crucible first.