It simulates all transactions that happen on chain and modifies them in common attack patterns. If the attack succeeds locally, a finding is created.
Riverguard is designed to detect a wide range of attacks, starting with common ones and continually expanding its capabilities.
Unfortunately not. It still finds real bugs, but we plan to open source parts at some point in the future. If you have ideas, please reach out.
We try to triage them and report them to the developers if we think the program is at risk.
That's a hard one! We prefer to use the project's security.txt. If there is none, we'll spend some time investigating. Of course, if you registered for Riverguard, we will contact you at the email address you provided.
Register here. We'll verify you for your programs, to avoid findings leaking before they are fixed.
Yes, lots. We do our best to detect false positives in our simulation engine; however, due to the general nature of the attack patterns, it's not possible to prevent them completely.
We found and reported multiple loss-of-funds and denial-of-service bugs using Riverguard.
While monitoring solutions respond to hacks after the fact, Riverguard can detect bugs before they actually get exploited.
No. Riverguard is very good at catching a few very simple, yet common bugs. To find more complex bugs, audits are still necessary.
That's great! If Riverguard isn't finding anything, it probably means you have the basics of security covered. However, it does not imply that your code is secure. Riverguard also depends on transactions that happen on chain, so if there hasn't been much traffic to your smart contract, we unfortunately can't detect anything.
If you get lots of findings, we probably have difficulties detecting false positives and duplicate findings for your program. We constantly try to improve Riverguard on this front, so please drop us an email and we'll take a look!