← back to lessons

Audit-Saturation Skill - Cross-Target Validation Lessons

Cross-target validation of ~/bounty/skills/audit-saturation-pre-check/check.py outside its in-domain calibration anchor (Modular Account V2). Banked from Cycle 149 (2026-05-18).

Targets validated against

Target Platform Payout Audits_count Prior_findings Audit_age Verdict (Skill output) Score
Base Azul Immunefi $250K 5 0 27d PROCEED-WITH-CAUTION 0.60
Firedancer V1 Immunefi $1M 0 0 n/a PROCEED 0.00
K2 Code4rena $135K 0 0 n/a PROCEED 0.00

All 3 ran cleanly via CLI. No code modification needed; the --audits-count override path correctly handled the no-local-audits-dir case for all 3.

Lessons banked

Lesson 1: Verdict-label drift between Skill and brief vocabulary

The brief used "PROCEED-DEEP" as the highest-priority verdict; the Skill emits "PROCEED" for the analogous case (residual audit window wide-open). Briefs that paraphrase Skill verdict labels cost the executor ~3 min of mapping work and increase risk of mis-rank.

Banked methodology rule: any cycle brief that invokes a Skill should quote the Skill's verdict labels VERBATIM. Use PROCEED / PROCEED-WITH-CAUTION / REGRESSION-HUNT / LEARN-MODE-THEN-WALK / UNKNOWN-MISSING-DATA exactly.

Lesson 2: Skill needs --data-confidence flag (v0.3 enhancement)

PROCEED 0.00 with 0 audits / 0 prior_findings is ambiguous. It could mean: - HIGH confidence: target is genuinely fresh and unaudited (residual window wide-open, real go-deeper signal) - MEDIUM confidence: data was scraped from the program page but audits / findings are gated to participants - LOW confidence: we have no data and inferred zeros

Without a confidence dimension, downstream ranking treats all PROCEED 0.00 identically. In Cycle 149's ranking, Firedancer + K2 both scored PROCEED 0.00 but with different underlying data quality (Firedancer has GitHub access + 636k LOC visible; K2 has scope gated until registration). The Skill currently cannot encode this distinction.

Proposed v0.3 enhancement: add --data-confidence {HIGH,MEDIUM,LOW} flag. Output includes the confidence in the extras dict. Downstream rankers can break ties on confidence when verdict + score are equal.

Schedule: per the 24-Hour Implementation Rule, this v0.3 enhancement enters the next 2 cycles either as standalone or as a sibling to Cycle 150.

Lesson 3: Coverage-advantage dominates verdict-priority on small candidate sets

When the candidate pool is small (3 targets) AND all candidates cluster in the lower-priority tier (PROCEED + PROCEED-WITH-CAUTION, none in saturated tier), the verdict score does not provide enough resolution to rank. Coverage advantage becomes the dominant tiebreaker.

Banked methodology rule: ranking inputs are (verdict, score, max_payout, coverage_advantage). Coverage advantage is a HUMAN judgment (not encoded in Skill) about how much our prior cycle work transfers to the target. In Cycle 149: Modular Account V2 arc (Cycles 141-147) gives STRONG transfer to ERC-4337 / ERC-6900 / EIP-7702 targets, MEDIUM to L2 multiproof / TEE targets (Base Azul), VERY LOW to Solana validator (Firedancer) or Stellar (K2) targets.

When verdicts are tied or close, coverage advantage breaks ties. Base Azul (PROCEED-WITH-CAUTION + MEDIUM coverage) wins over Firedancer (PROCEED + VERY LOW coverage + $1M cap) because signal-yield-per-hour favors the in-domain target.

Lesson 4: Audit-comp calendar gap weeks happen

On 2026-05-18, Cantina + Sherlock both had ZERO live competitions. Code4rena had 1 (K2, non-EVM). Only Immunefi had 2 live EVM-relevant audit-comps.

Banked methodology rule: the audit-comp platform calendar is not continuous. A given week may have 0-3 LIVE EVM-relevant competitions across all platforms. Watchers (EYE 12 Cantina, EYE 14 Cantina BB, EYE 19 Immunefi, EYE 23 Bugcrowd) must surface gap-weeks without flagging them as anomalies.

When all platforms are dry, the operator's options are: - Pivot to private bounty programs (HackerOne, Bugcrowd, YesWeHack) on EVM targets - Pivot to Immunefi long-running bounties (always-on, no contest deadline) - Take a methodology / Skill enhancement cycle (like this one) - Run Phase 1.5.8 saturation drains on already-discovered targets

Lesson 5: EYE 12 sqlite query is faster than WebFetch for state-check

bounty-scope-index.db.cantina_contests query returned ground-truth Cantina state in <2 sec. WebFetch on cantina.xyz/competitions and /api/v0/competitions took ~5-10 sec each.

Banked methodology rule: for already-watched platforms (EYE 12 Cantina, EYE 14 Cantina BB, EYE 19 Immunefi, EYE 23 Bugcrowd), prefer local sqlite query over WebFetch. WebFetch is the fallback for platforms not under watch (Code4rena, Hats Finance, Sherlock pages that don't return useful JSON).

Cross-cycle compounding signal

This file establishes the cross-target validation tradition for the audit-saturation Skill. Future cycles validating it against fresh targets should APPEND a row to the targets table and a Lesson section if a new lesson surfaces.

Once the Skill has been validated against 5+ out-of-domain targets, the methodology v0.3 enhancements can be batched into a single Skill-version-bump cycle.

Sign-off

Cycle 149 cross-target validation, Babakizo.

Generated 2026-07-02 13:15:05 UTC | auto-sync /15min