Bug bounty

A triage and hypothesis workbench, not an exploit finder.

ArkheionX helps a bounty hunter decide where to look first and what to test by hand. It does not confirm vulnerabilities, assign final severity, run exploits, or submit reports. A HIGH review priority is a prompt for human attention, never a finding.

Safe command flow

Run locally on an in-scope repo.

arkheionx review-map .
arkheionx value-paths .
arkheionx assumptions .
arkheionx test-gap-map .
arkheionx proof-plan .

Where is value moving?

Value paths show where value enters, moves, and exits.

Which paths are least tested?

Test gaps mark value-sensitive functions with no matching local test.

Which assumptions matter?

Each path lists the trust it depends on — your manual review angle.

What should I review first?

The ranked "inspect first" list is review order, not severity.

What proof should I try?

Proof suggestions outline a local Foundry test you fill in by hand.

Gap → hypothesis → test

Turn a test gap into a manual proof idea.

Test gap    Vault.withdraw
Source      src/Vault.sol:63
Hypothesis  Can value leave beyond the caller's entitlement?
Local test  Deposit, then attempt an oversized or repeated exit;
            assert the accounting invariant still holds.
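
A filled-in version of that local test, as an added example that is neither ArkheionX output nor code from the project. The Vault below is a constructed stand-in (the real contract's interface is not shown here), and the names deposit, balanceOf, totalDeposits, alice and bob are assumptions. It runs under Foundry with forge-std installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed stand-in: the page does not show Vault's interface, so
// deposit/withdraw/balanceOf/totalDeposits are assumptions for illustration.
contract Vault {
    mapping(address => uint256) public balanceOf;
    uint256 public totalDeposits;

    function deposit() external payable {
        balanceOf[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "exceeds entitlement");
        balanceOf[msg.sender] -= amount; // effects before the external call
        totalDeposits -= amount;
        (bool ok,) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

contract VaultWithdrawTest is Test {
    Vault vault;
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    function setUp() public {
        vault = new Vault();
        hoax(bob, 5 ether); // fund bob and make him the next caller
        vault.deposit{value: 5 ether}();
        hoax(alice, 1 ether);
        vault.deposit{value: 1 ether}();
    }

    function test_exitCannotExceedEntitlement() public {
        vm.startPrank(alice);
        vm.expectRevert(bytes("exceeds entitlement"));
        vault.withdraw(1 ether + 1); // oversized exit must revert
        vault.withdraw(1 ether); // legitimate full exit succeeds
        vm.expectRevert(bytes("exceeds entitlement"));
        vault.withdraw(1 ether); // repeated exit must revert
        vm.stopPrank();
        // Accounting invariant: held ETH equals recorded deposits, bob untouched.
        assertEq(address(vault).balance, vault.totalDeposits());
        assertEq(vault.balanceOf(bob), 5 ether);
    }
}
```

If either expected revert does not occur, or the final assertions fail against the real contract, that is a lead to investigate by hand, not a confirmed finding.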

Authorized targets only

Run only on code you own or are authorized to review under a published scope. ArkheionX never touches live systems, but staying in scope is your responsibility.

Validate before you submit

Independently confirm impact. Do not submit ArkheionX output as a vulnerability by itself — a test gap is not evidence of a bug.

No live attacks

Local and static only: no RPC, no live-chain calls, no exploit automation. The security judgment stays yours.

Scope-aware contest triage (v7)

Start from the written scope, not a vague prompt.

arkheionx scope-pack . --scope-file scope.md --out .arkheionx/scope-pack
arkheionx evidence-judge . --scope-file scope.md
arkheionx report-filter . --scope-file scope.md

Boundary

ArkheionX organizes context; it does not decide.

It does not confirm vulnerabilities, assign final severity, or prove impact. A scope task is a planning artifact and a report candidate is not final triage. Keep private scope notes in local, gitignored files only. Read the full guide in the repository's docs/BUG_BOUNTY_WORKFLOW.md and docs/V7_WORKFLOW.md.
