Academic Foundations & Prior Art
This document maps each core Bastion concept to its academic foundations, identifies existing prior art, and assesses novelty for each component and the integrated system.
1. Compositional Vulnerability Reasoning
Using domain-specific vulnerability primitives and reasoning about how they chain across domains to discover composite attack paths.
Foundational Work
Attack graphs — the formal ancestor of Bastion's composition engine — were established in the early 2000s:
- Ammann, Wijesekera, Kaushik. "Scalable, Graph-Based Network Vulnerability Analysis." ACM CCS 2002, pp. 217-224. ACM DL
  - Seminal paper on modeling how combinations of exploits break systems. Introduces exploit dependency graphs where preconditions and postconditions of individual exploits compose.
  - Relationship to Bastion: Direct theoretical ancestor. Bastion's "primitives with effects and preconditions that chain" is the same model, applied to smart contract domains with LLM reasoning replacing graph algorithms.
- Jha, Sheyner, Wing. "Two Formal Analyses of Attack Graphs." IEEE CSFW 2002, pp. 49-63. PDF
  - Presents algorithms for generating attack graphs using model checking, plus minimization analysis for determining minimal security measures.
- Ou, Abraham, Appel. "MulVAL: A Logic-based Network Security Analyzer." USENIX Security 2005. PDF
  - Generates logical attack graphs using Datalog, automatically composing vulnerability primitives via precondition/postcondition chaining. Accepted compositions feed back into the graph.
  - Relationship to Bastion: Directly analogous to the primitive-to-composition pipeline. MulVAL composes via logic programming; Bastion composes via LLM reasoning. MulVAL's iterative expansion matches Bastion's "accepted composites become new primitives."
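The precondition/postcondition chaining described above, as an added example that is not Bastion's or MulVAL's code: a minimal forward-chaining engine over constructed primitives. `Primitive`, `reachable`, `compose`, `single_cuts` and every fact name are hypothetical, and `single_cuts` is a simplified stand-in for minimization analysis that only tests single-primitive removals.

```python
from typing import NamedTuple

class Primitive(NamedTuple):
    name: str
    pre: frozenset   # facts that must already hold
    post: frozenset  # facts that hold once the primitive has fired

def prim(name, pre, post):
    return Primitive(name, frozenset(pre), frozenset(post))

# Constructed primitives; fact names are abstract labels, not real findings.
PRIMITIVES = [
    prim("P1", {"public_entry"}, {"untrusted_input"}),
    prim("P2", {"untrusted_input"}, {"stale_state_read"}),
    prim("P3", {"untrusted_input", "stale_state_read"}, {"invariant_broken"}),
    prim("P4", {"admin_key"}, {"invariant_broken"}),
]

def reachable(initial, primitives, disabled=()):
    """Forward-chain to a fixed point; return (facts, names in firing order)."""
    facts, fired = set(initial), []
    changed = True
    while changed:
        changed = False
        for p in primitives:
            if p.name in disabled or p.name in fired or not p.pre <= facts:
                continue
            facts |= p.post
            fired.append(p.name)
            changed = True
    return facts, fired

def compose(chain, primitives):
    """Collapse an accepted chain into one composite primitive."""
    by_name = {p.name: p for p in primitives}
    need, have = set(), set()
    for name in chain:
        need |= by_name[name].pre - have   # only what earlier steps did not supply
        have |= by_name[name].post
    return prim("+".join(chain), need, have)

def single_cuts(initial, goal, primitives):
    """Primitives whose removal alone makes the goal fact unreachable."""
    return [p.name for p in primitives
            if goal not in reachable(initial, primitives, {p.name})[0]]
```

When a second independent path to the goal exists (here, starting with `admin_key` as well), `single_cuts` returns an empty list: no single fix is sufficient.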
Smart Contract-Specific
- Brent, Grech, Lagouvardos, Scholz, Smaragdakis. "Ethainter: A Smart Contract Security Analyzer for Composite Vulnerabilities." ACM SIGPLAN PLDI 2020. ACM DL
  - First security analyzer specifically for composite information flow violations in smart contracts. Detects multi-transaction escalation attacks where tainted information flows across transaction boundaries. 82.5% precision. Scaled to the entire Ethereum blockchain.
  - Relationship to Bastion: Direct precedent for compositional vulnerability analysis in smart contracts, though using Datalog static analysis rather than LLM reasoning.
- Cecchetti, Yao, Ni, Myers. "Compositional Security for Reentrant Applications." IEEE S&P 2021 (Best Paper Award). Cornell
  - Formalizes how security properties of individual modules compose when modules interact, specifically addressing smart contract reentrancy.
  - Relationship to Bastion: Provides the formal theoretical foundation that compositional security reasoning is sound — security properties of parts can be composed to reason about wholes.
LLM-Based Vulnerability Reasoning
- "Prompt to Pwn: Automated Exploit Generation for Smart Contracts." arXiv:2508.01371, 2025. arXiv
  - Demonstrates LLMs (Gemini 2.5 Pro, GPT-4.1) can synthesize valid proof-of-concept exploits for smart contract vulnerabilities, with success driven by reasoning ability rather than contract complexity.
  - Relationship to Bastion: Validates the core premise that LLMs can reason about vulnerability composition in smart contracts.
Industry Standard
- MITRE ATT&CK Framework + CALDERA. attack.mitre.org
  - ATT&CK defines composable tactics/techniques/procedures (TTPs). CALDERA automates adversary emulation by chaining TTPs.
  - Relationship to Bastion: Vulnerability primitives are analogous to ATT&CK techniques. LLM-based composition is analogous to CALDERA's automated chaining, generalized to smart contract domains.
Existing Patents in This Space
- US20110126288A1 — "Automated composition of multiple component Vulnerability Flow Graphs into a system-level VFG." Google Patents
- US7013395B1 — Attack graphs from attack templates with preconditions and acquired security attributes. Google Patents
- US7904962B1 — Exploit dependency graphs representing all possible attack paths. Google Patents
2. Multi-Model Adversarial Review
Multiple LLMs run the same security analysis independently. No model reviews its own work. Disagreements signal blind spots.
Foundational Theory
- Chen, Avizienis. "N-Version Programming: A Fault-Tolerance Approach to Reliability of Software Operation." 8th International Symposium on Fault-Tolerant Computing (FTCS), 1978, pp. 3-9. Semantic Scholar
  - The original theoretical basis for diverse redundancy: independent implementations from the same specification reduce the probability of identical failures. Applied to flight control, electronic voting, zero-day detection.
  - Relationship to Bastion: Multi-model adversarial review IS N-version programming applied to LLM security analysis. "Independence of programming efforts" maps directly to "independence of model architectures." This is the strongest theoretical precedent.
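One way to act on disagreement between independent reviewers, as an added example that is not Bastion's code: findings not raised by every model are treated as contested and routed to a model that did not raise them, so no model reviews its own work. The model names, finding ids, `triage` and `assign_reviewers` are hypothetical, and the least-loaded routing rule is an assumption.

```python
from collections import defaultdict

# Constructed sample: each model's independent output as a set of finding ids.
REPORTS = {
    "model_a": {"F1", "F2"},
    "model_b": {"F1", "F3"},
    "model_c": {"F1", "F2", "F4"},
}

def triage(reports):
    """Split findings into those every model raised and those only some raised."""
    raised_by = defaultdict(set)
    for model, findings in reports.items():
        for finding in findings:
            raised_by[finding].add(model)
    buckets = {"unanimous": [], "contested": []}
    for finding in sorted(raised_by):
        agreed = len(raised_by[finding]) == len(reports)
        buckets["unanimous" if agreed else "contested"].append(finding)
    return buckets, dict(raised_by)

def assign_reviewers(contested, raised_by, models):
    """Give each contested finding to the least-loaded model that did not raise it."""
    load = {m: 0 for m in models}
    assignment = {}
    for finding in contested:
        # A contested finding always has at least one model that missed it.
        eligible = [m for m in sorted(models) if m not in raised_by[finding]]
        reviewer = min(eligible, key=lambda m: load[m])
        load[reviewer] += 1
        assignment[finding] = reviewer
    return assignment
```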
Smart Contract Security
- Yuan et al. "LLMBugScanner: Large Language Model based Smart Contract Auditing." arXiv:2512.02069, 2025. arXiv
  - Combines predictions from five independently fine-tuned models via ensemble voting. Weighted voting improves precision; permutation-optimized tie-breaking improves recall. ~19% improvement above individual baselines.
  - Relationship to Bastion: Close precedent — multiple independent models with ensemble resolution. Key difference: LLMBugScanner uses homogeneous fine-tuned variants; Bastion uses heterogeneous foundation models (Claude/Gemini/Codex), which provides greater diversity of blind spots.
- Wei, Sun, Sun et al. "LLM-SmartAudit: Advanced Smart Contract Vulnerability Detection via LLM-Powered Multi-Agent Systems." IEEE Transactions on Software Engineering, Vol. 51, Issue 10, October 2025, pp. 2830-2846. IEEE
  - Multi-agent conversational architecture with a "buffer-of-thought" mechanism where specialized agents iteratively refine assessments.
- Ma et al. "iAudit: Combining Fine-Tuning and LLM-based Agents for Intuitive Smart Contract Auditing." IEEE/ACM ICSE 2025. arXiv
  - Ranker and Critic agents "iteratively select and debate" vulnerability causes. F1 of 91.21%.
  - Relationship to Bastion: The Ranker/Critic debate pattern mirrors adversarial review, though within a single model framework.
- Jie, Qiu et al. "Agent4Vul: Multimodal LLM Agents for Smart Contract Vulnerability Detection." Science China Information Sciences, 2025. Springer
  - Multiple LLM-based agents (Commentator, Vectorizer) with multimodal fusion.
Industry Products
- OpenAI Aardvark. openai.com — Multi-stage agentic security pipeline with sandboxed exploit confirmation. Found 10+ CVEs. Single-model, but validates the AI-to-human pipeline.
- Google DeepMind CodeMender. deepmind.google — LLM-as-critic pattern where the model critiques its own output. 72 security fixes upstreamed.
- Endor Labs Multi-Agent AI SAST. endorlabs.com — Multi-agent specialization for security review. Reduced false positives by 95%.
3. Stochastic-to-Deterministic Memorialization
AI-discovered findings pass through human review, then become permanent deterministic checks (semgrep rules, tests). The deterministic governance layer only grows.
Direct Academic Support
- Yang et al. "KNighter: Transforming Static Analysis with LLM-Synthesized Checkers." arXiv:2503.09002 / SOSP 2025. arXiv
  - Uses LLMs to generate static analyzers from historical bug patterns. Multi-stage synthesis pipeline validates checker correctness and iteratively refines to reduce false positives. Found 92 new bugs in the Linux kernel (77 confirmed, 57 fixed, 30 CVEs).
  - Relationship to Bastion: The closest academic precedent. KNighter converts LLM knowledge into deterministic static analysis checkers — the same stochastic-to-deterministic direction. Key difference: KNighter operates on historical patches; Bastion operates on a live AI→human→rule pipeline.
- "Combining Large Language Models with Static Analyzers for Code Review Generation." arXiv:2502.06633, 2025. arXiv
  - Explores integration strategies between LLM outputs and static analysis.
Industry Validation
- Cycode. "Deterministic vs. Non-Deterministic vs. Probabilistic AI in AppSec." cycode.com
  - Argues deterministic AI belongs in enforcement roles while non-deterministic AI belongs in reasoning/triage roles. "Deploying the wrong mode in the wrong context creates real governance and compliance risk."
  - Relationship to Bastion: Direct industry validation of the architectural separation between stochastic discovery and deterministic governance.
- Aikido Dev. "Why Determinism Is Still a Necessity in Security." aikido.dev
  - Non-deterministic AI in enforcement faces scrutiny; deterministic foundations required at the enforcement layer.
- Cloud Security Alliance. "Deterministic AI vs. Generative AI: Why Precision Matters for Automated Security Fixes." CSA
- KuppingerCole. "From Deterministic to Probabilistic Security: Why AI Is Foundational to Cybersecurity." KuppingerCole
4. Distributed Security Intelligence
Multiple projects run the same agent framework independently, contributing discoveries to a shared commons.
Direct Industry Analogues
- CrowdSec. crowdsec.net — 70,000+ active users in 190+ countries sharing ~10 million signals on aggressive IPs daily. "When one user sees an attack, everyone else is protected."
  - Relationship to Bastion: The same network-effect model applied to IP reputation. Bastion applies it to smart contract vulnerability intelligence with AI agents as the discovery mechanism rather than human reporters.
- Bugcrowd. bugcrowd.com — Platform built on "the industry's richest repository of vulnerabilities curated over a decade."
- HackerOne. hackerone.com — Structured VDP frameworks for crowdsourced vulnerability discovery.
Academic
- "Crowdsourcing Software Vulnerability Discovery: Models, Dimensions, and Directions." Springer LNCS, 2021. Springer
  - Formal treatment of crowdsourced vulnerability discovery models and future directions.
Standards
- ISACs (Information Sharing and Analysis Centers) — Established framework for real-time sharing of threat data among organizations within the same sector. Bastion's commons is functionally a sector-specific ISAC for DAML/Canton, automated via agents.
How These Foundations Inform Bastion's Design
Each core concept in Bastion draws from established research:
| Bastion Concept | Academic Foundation |
|---|---|
| Compositional vulnerability reasoning | Attack graphs (CCS 2002), MulVAL (USENIX 2005), Ethainter (PLDI 2020) |
| Multi-model adversarial review | N-version programming (FTCS 1978), LLMBugScanner ensemble (2025) |
| Stochastic-to-deterministic memorialization | KNighter (SOSP 2025), Cycode/CSA industry validation |
| Distributed security intelligence | CrowdSec, Bugcrowd, ISACs |
The integrated pipeline — compositional reasoning, multi-model validation, human-gated memorialization, and distributed commons feedback — combines these established foundations into a unified framework for smart contract security governance.