OpenEnv · Reinforcement Learning · Smart Contract Security

Audit Solidity.
Train smarter agents.

An OpenEnv-compliant RL environment for smart contract security analysis. Agents explore real-world DeFi contracts from Certora audit reports — detecting vulnerabilities, deriving properties, and checking invariants.

openenv solidity aave lido certora 3 tasks

What can agents learn here?

Each task mirrors a real step in a professional smart contract audit. Difficulty is graded easy → medium → hard.

TASK 01 medium

Targeted Vulnerability Detection

Given a Solidity file, identify the vulnerable function and name the vulnerability class in 2–3 words. Submit NO if no vulnerability exists.

Actions: list_functions, get_function_code, get_state_variable, get_call_graph, submit

TASK 02 hard

Property Discovery

Given a single function, derive its natural-language safety property — the kind a formal verification engineer would write as a CVL invariant. One submission attempt per episode, scored 0–5.

Actions: get_function_natspec, get_related_functions, get_similar_rule, submit_property

TASK 03 easy

Rule Checker

A property is given in plain English. At least one function in the contract breaks it. Find the offender. Partial credit for naming a direct caller of the true violating function.

Actions: list_functions, get_function_code, get_property_specification, submit_function

Grounded in real audits

All contracts and vulnerabilities are sourced from public Certora audit reports on production DeFi protocols.

🏦
AaveVault
Certora Audit · ERC-4626 vault · Access control, share accounting
🏦
AaveVaultV2
Certora Audit · Upgraded vault · Fee logic, reentrancy surfaces
🔷
Lido Finance
Certora Audit · Liquid staking · Rebasing token invariants

API Endpoints

GET   /health             Liveness probe
GET   /tasks              List all tasks with difficulty and status
POST  /reset              Start a new episode (body: {task_id, seed})
POST  /step               Take one action (body: {action_type, params})
GET   /state              Full internal episode state (debug)
GET   /action_space       Valid actions for a task (query: ?task_id=)
GET   /observation_space  Observation schema (all tasks share this)
GET   /docs               Interactive Swagger UI

Run an episode in 3 calls

bash
# SPACE_URL must hold the base URL of the running environment; abort if it is unset
: "${SPACE_URL:?set SPACE_URL to the environment base URL}"

# 1. Reset: start Task 1 with a fixed seed
curl -X POST "$SPACE_URL/reset" \
  -H "Content-Type: application/json" \
  -d '{"task_id": "task1_vuln_detection", "seed": 42}'

# 2. Explore: list all functions in the contract
curl -X POST "$SPACE_URL/step" \
  -H "Content-Type: application/json" \
  -d '{"action_type": "list_functions", "params": {}}'

# 3. Submit: name the vulnerable function and the vulnerability class
curl -X POST "$SPACE_URL/step" \
  -H "Content-Type: application/json" \
  -d '{"action_type": "submit", "params": {"function_name": "withdraw", "vulnerability_type": "reentrancy"}}'