What is VORO?
VORO is a security intelligence platform for smart contracts and autonomous agents. Six purpose-built services — scanning, Bayesian scoring, code intelligence, web delivery, fleet operations, and a mission control dashboard — work together to find vulnerabilities, score them with calibrated certainty, and deliver actionable threat reports.
No code leaves your environment. No cloud uploads. No vendor lock-in.
The Pipeline
```text
source code
     │
     ▼
voro-scan ─── 647+ patterns, 16 languages, 14 external scanners
     │        Tiered verification: symbolic proof → ensemble → Bayesian CI → LLM
     │
     ▼ audit JSON
     │
voro-guard ── Symbol extraction (8 languages), Solidity call graphs,
     │        HMAC-SHA256 artifact signing, reachability analysis
     │
     ▼ signed artifacts
     │
voro-brain ── Bayesian scoring across 6 risk dimensions
     │        772 corpus-calibrated priors, Beta distributions, A-F grades
     │        Dual-LLM isolation: untrusted code never reaches privileged scoring
     │
     ▼ threat report JSON
     │
voro-web ──── Web UI at scan.voro.security
     │        GitHub App auto-scans PRs, 6-service Docker stack
     │
     ▼ fleet telemetry
     │
voro-core ─── Mission Control event ingestion, audited execution,
     │        network-isolated runtime, SSE streaming
     │
     ▼ operational data
     │
voro-dash ─── Fleet dashboard: agent monitoring, cost tracking,
              operator workflows, cohort lifecycle management
```
Six repositories. Zero cross-repo imports. JSON over CLI subprocess at every boundary. Use any piece standalone or run the full stack.
What VORO Does
Scans code across 16 languages
voro-scan runs 647+ vulnerability patterns and orchestrates 14 external scanners (Slither, Mythril, Echidna, Bandit, ESLint, Opengrep, and more). A 5-tier verification system filters findings from symbolic proof down to LLM-assisted triage, with 10% spot-checking to detect drift.
Covers 9 security taxonomies: SWC, CWE, OWASP Smart Contract, OWASP LLM, OWASP Agentic, Immunefi, DASP, MITRE ATLAS, and Code4rena.
Scores with calibrated certainty
voro-brain uses Beta distributions — not point estimates — to score every finding across 6 orthogonal risk dimensions:
| Dimension | What It Measures |
|---|---|
| fund_safety | Reentrancy, flash loans, price manipulation |
| access_control | Missing ownership checks, privilege escalation |
| external_risk | Oracle manipulation, untrusted external calls |
| code_integrity | Integer overflow, logic bugs, unchecked returns |
| dependency_health | Vulnerable dependencies, outdated packages |
| agent_autonomy | Unscoped permissions, prompt injection, autonomous execution |
Every score carries confidence intervals derived from 772 pattern priors calibrated against 1,113 contracts with known ground truth. The scoring engine suppresses false positives and fuses signals from multiple scanners into a single confidence-weighted A-F safety grade.
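As an added illustration of the scoring model described above (example code, not voro-brain's implementation): one finding's Beta prior is updated with weighted scanner verdicts, an equal-tailed credible interval is drawn from the posterior, findings whose upper bound stays low are suppressed as likely false positives, and the worst surviving upper bound sets the A-F grade. The prior values, scanner weights, suppression threshold and grade cut-offs are all assumed placeholders.

```python
import random

# Constructed illustrative priors: Beta(alpha, beta) pseudo-counts of past
# true-positive vs false-positive outcomes per dimension. Placeholders only,
# not VORO's 772 corpus-calibrated priors.
PRIORS = {
    "fund_safety": (3.0, 2.0), "access_control": (2.0, 3.0),
    "external_risk": (2.0, 2.0), "code_integrity": (1.0, 4.0),
    "dependency_health": (1.0, 1.0), "agent_autonomy": (2.0, 2.0),
}
# Assumed scanner reliability: the pseudo-count each verdict contributes.
SCANNER_WEIGHT = {"slither": 2.0, "mythril": 1.5, "pattern": 1.0}

def posterior(dimension, verdicts):
    """Fuse verdicts [(scanner, confirmed)] into Beta(alpha, beta) for
    P(finding is a real vulnerability)."""
    alpha, beta = PRIORS[dimension]
    for scanner, confirmed in verdicts:
        if confirmed:
            alpha += SCANNER_WEIGHT[scanner]
        else:
            beta += SCANNER_WEIGHT[scanner]
    return alpha, beta

def credible_interval(alpha, beta, level=0.95, samples=20000, seed=1):
    """Equal-tailed credible interval estimated from seeded Beta draws."""
    rng = random.Random(seed)
    draws = sorted(rng.betavariate(alpha, beta) for _ in range(samples))
    lo = draws[int(samples * (1 - level) / 2)]
    hi = draws[int(samples * (1 + level) / 2) - 1]
    return lo, hi

def score_finding(dimension, verdicts, suppress_below=0.4):
    """Score one finding; suppress it when even the upper bound of the
    interval stays under the (assumed) threshold."""
    alpha, beta = posterior(dimension, verdicts)
    lo, hi = credible_interval(alpha, beta)
    return {"dimension": dimension, "mean": alpha / (alpha + beta),
            "ci": (lo, hi), "suppressed": hi < suppress_below}

def safety_grade(findings):
    """A-F grade driven by the worst upper bound among surviving findings,
    so residual uncertainty counts against the contract. Cut-offs assumed."""
    worst = max((f["ci"][1] for f in findings if not f["suppressed"]), default=0.0)
    for letter, cutoff in (("A", 0.2), ("B", 0.4), ("C", 0.6), ("D", 0.8)):
        if worst < cutoff:
            return letter
    return "F"
```

Three confirming scanners on a fund_safety finding push the posterior to Beta(7.5, 2) and the contract to an F; three dissenting scanners on a code_integrity finding leave Beta(1, 8.5), whose upper bound falls under the threshold and is suppressed.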
Indexes code and verifies trust
voro-guard extracts symbols across 8 languages, builds Solidity call graphs with visibility metadata and reachability tracking, and signs every artifact with HMAC-SHA256. voro-brain consumes this via MCP to enrich exploitability assessments — if a vulnerable function is unreachable, its risk score reflects that.
Delivers results three ways
voro-web accepts scans via GitHub URL, Etherscan contract address, or direct file upload. A 6-service Docker stack (nginx, Next.js, Express, Python worker, Redis, Postgres) processes scans through BullMQ queues and renders full threat reports with 6-dimension visualizations, finding cards, and confidence meters. The GitHub App posts findings directly to pull requests.
Runs fleet operations at scale
voro-core provides the operational backbone: audited command execution with time/memory limits, network-isolated runtimes, model proxy routing, and an HTTP event ingestion API for fleet-wide telemetry. voro-dash renders it all in a mission control dashboard with real-time SSE, cost rollups, cohort lifecycle management, and operator workflows with approval gates.
What Makes VORO Different
Local-first. Your code never leaves your machine. The full pipeline — scanning, scoring, report generation — runs locally. No cloud API required.
Agentic security. Detection patterns for MCP server trust boundaries, prompt injection vectors, tool permission scoping, and autonomous agent behavior. No other scanner covers agentic AI security as a first-class dimension.
Bayesian, not heuristic. Every score is a distribution with confidence bounds, not an arbitrary severity label. Priors are corpus-calibrated from labeled vulnerability datasets, not guesswork.
Trust-verified. HMAC-SHA256 artifact signing, dual-LLM isolation between untrusted code and privileged scoring, and fail-closed trust verification at every pipeline boundary.
16 languages, one tool. Solidity, Python, JavaScript, TypeScript, Go, Rust, Java, PHP, C#, C/C++, Ruby, Swift, Kotlin, Vyper, Motoko, and Anchor (Solana).
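The artifact signing done by voro-guard and the fail-closed trust verification listed under Trust-verified, as an added example that is not the project's own code: a canonical-JSON envelope is tagged with HMAC-SHA256, and the consuming stage returns the payload only after every check passes, rejecting anything malformed, untagged, re-keyed or tampered. The envelope field names and the demo key are assumptions.

```python
import hashlib
import hmac
import json

class TrustError(Exception):
    """Raised whenever an artifact cannot be positively verified."""

def canonical(payload):
    # Deterministic bytes so signer and verifier hash exactly the same input.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def sign_artifact(payload, key):
    """Wrap a JSON-serialisable payload in an envelope carrying its HMAC tag."""
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"alg": "HMAC-SHA256", "sig": tag, "payload": payload}

def verify_artifact(envelope, key):
    """Fail closed: return the payload only when every check passes."""
    if not isinstance(envelope, dict):
        raise TrustError("artifact is not a JSON object")
    if envelope.get("alg") != "HMAC-SHA256":
        raise TrustError("missing or unsupported algorithm")
    sig = envelope.get("sig")
    if not isinstance(sig, str) or "payload" not in envelope:
        raise TrustError("missing signature or payload")
    expected = hmac.new(key, canonical(envelope["payload"]), hashlib.sha256).hexdigest()
    # Constant-time comparison: a mismatch must not leak where the tag differs.
    if not hmac.compare_digest(expected, sig):
        raise TrustError("signature mismatch, artifact rejected")
    return envelope["payload"]

def consume(raw, key):
    """Boundary reader for the next pipeline stage: parse, verify, then use."""
    try:
        envelope = json.loads(raw)
    except ValueError as exc:
        raise TrustError(f"malformed artifact: {exc}") from exc
    return verify_artifact(envelope, key)

if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"  # placeholder key material
    artifact = {"file": "Vault.sol", "symbols": [{"name": "withdraw", "reachable": True}]}
    wire = json.dumps(sign_artifact(artifact, key))
    print(consume(wire, key))
    forged = json.loads(wire)
    forged["payload"]["symbols"][0]["reachable"] = False  # flip reachability
    try:
        consume(json.dumps(forged), key)
    except TrustError as err:
        print("rejected:", err)
```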
Current Accuracy
VORO publishes its precision and recall numbers. No major competitor does this.
| Metric | Value | Context |
|---|---|---|
| Slither adapter precision | 0.746 | Post-calibration (was 0.247 before tuning) |
| SmartBugs recall | 0.972 | Across standard benchmark suite |
| Brain precision | ~0.52 | Recalibration in progress |
| DeFiHackLabs recall | 0.262 | Dataset mismatch being addressed |
These are honest baselines. The benchmark whitepaper will document methodology and invite independent verification.
By the Numbers
| Metric | Value |
|---|---|
| Vulnerability patterns | 647+ |
| External scanner integrations | 14 |
| Languages supported | 16 |
| Security taxonomies covered | 9 |
| Bayesian scoring dimensions | 6 |
| Calibration corpus | 1,113 contracts |
| Corpus-calibrated priors | 772 |
| Ground truth benchmark labels | 807 |
| Total tests across fleet | 4,400+ |
| Repositories | 6 |