A fair mechanism for bug disclosure, and a trustworthy system for AI security research.
Mnemo is a bug disclosure system with fixed incentives. Researchers only reveal an exploit if the protocol accepts it — the protocol only learns the vulnerability by committing funds. It also enables security research agents which are bound to only doing responsible disclosure and no harm: they verifiably can't exploit the contracts they research, nor leak the information to anyone other than the protocol itself. Built on Venice (private inference) and Phala (TEE execution).
Live on Base Sepolia.
Bug bounty programs are structurally adversarial. The researcher must reveal the vulnerability to prove it is real, but once revealed, they lose all leverage. Protocols can patch-and-deny, dispute valid findings, or simply not pay.
This is not hypothetical. A researcher found a critical vulnerability in Injective's exchange module (full TVL drain via MsgBatchUpdateOrders). Injective had moved between platforms (Cantina to ImmuneFi). The researcher submitted, got ghosted, was offered a lower severity, and was never paid. The only recourse was public disclosure — which risks legal action and harms the ecosystem. The platform's incentive is to keep the protocol happy, not the researcher.
Meanwhile, AI is making this worse from the other direction. Model providers like OpenAI restrict agents from performing security research because there is no technical distinction between finding a vulnerability and exploiting one — only intent, which providers cannot verify. This means legitimate security research with AI agents is being blocked by blanket policies, while the actual attack surface grows.
Mnemo solves both sides: it gives researchers a provably safe channel to disclose, and it gives AI agents a sandboxed environment where security research is structurally constrained to responsible disclosure.
The incentive structure needs to change so that:
- The researcher can prove a vulnerability is real without revealing how to exploit it
- Payment is automatic and enforceable, not discretionary
- Neither party can cheat after the fact
- AI agents can do security research within verifiable safety constraints
Mnemo solves this with three mechanisms:
1. Escrow-gated information reveal. This is the core primitive. The researcher's agent signals it has a finding (a DisclosureIntent — no details, just "I found something"). The protocol must fund an on-chain escrow to learn what it is. No payment, no information.
2. TEE-secured negotiation rooms. Both agents negotiate inside a Phala dstack enclave with hardware-encrypted memory (Intel TDX). Neither party — nor the host operator — can read the other's data. The researcher reveals vulnerability details only inside the room, only after escrow is funded. If negotiation fails, the enclave is destroyed and nothing leaks.
3. Automated verification and settlement. The TEE runs verification (currently forge tests, but the arbiter is pluggable). If the vulnerability is confirmed, escrow releases payment automatically. If invalid, the protocol is refunded. No human arbitration, no disputes.
Additional guarantees:
- RTMR[3] attestation: the exact code running in the TEE is cryptographically bound to the attestation — change one byte, attestation fails (simulated in demo, real in CVM deployment)
- Network isolation: the researcher agent has read-only RPC access, cannot sign transactions, cannot communicate outside the room (enforced via Docker network policies in production Compose)
- Privacy separation: registry and escrow are independent on-chain — observers cannot correlate which listing a disclosure belongs to
TEE Enclave (Phala dstack)
+--------------------------+
| |
Protocol registers on-chain | Researcher Protocol |
with bounty terms + source | Agent <--> Agent |
| | | | |
v | v v |
+------------------+ | [Forge Verify] [Eval] |
| MnemoRegistry | | | | |
| (Base Sepolia) | <---------+ +-----+------+ |
+------------------+ discover | | |
+------------|-------------+
|
v
+------------------+
| MnemoEscrow |
| (Base Sepolia) |
+------------------+
|
+---------+---------+
| |
[Release] [Refund]
| |
v v
+---------------+ +---------------+
| MnemoReputation| | (no rep hit) |
| (ERC-8004) | +---------------+
+---------------+
|
v
[IPFS Archive]
10-step pipeline:
- Setup -- initialize local devnet and services
- Identity -- register agent identities via ERC-8004
- Attestation -- generate TDX attestation (RTMR[3] binds Docker image)
- Registry -- protocol registers on MnemoRegistry with bounty terms
- Discovery -- researcher agent polls registry events, scores targets
- Audit -- LLM analyzes contract source, generates vulnerability hypothesis
- Verification -- TEE arbiter verifies the vulnerability claim
- Negotiation -- turn-based dialogue in TEE room, scoped reveals
- Settlement -- escrow auto-releases on verified bug, auto-refunds on invalid
- Post-settlement -- reputation posted to ERC-8004, evidence archived to IPFS
Contracts (Base Sepolia)
MnemoEscrow(0x22Fd1c1cbF21c17627239dB5f59bfb5FE371F6da) -- TEE-resolved escrow with blind commitment hashes, permissionless expiryMnemoRegistry(0xc42BE1d5aBeB130Ee5D671611685C58fd8eA99E3) -- protocol discovery with on-chain bounty advertisingMnemoReputation(0x5674Efd049790cd1Cb059dD2b42dc4791a8086f3) -- ERC-8004 reputation with asymmetric detail (researcher sees severity, protocol sees outcome only)- 40 passing tests (18 escrow + 8 reputation + 14 registry)
Autonomous Researcher Agent
- 5-phase loop: discover, plan, execute, verify, submit
- Background agent that polls MnemoRegistry for new protocols
- LLM-powered vulnerability analysis with streaming (Venice API)
- Tested against DVDeFi challenge suite -- found SideEntrance reentrancy blind in ~30s
Verification Pipeline
- Pluggable arbiter design — current implementation uses forge, but the escrow contract accepts any TEE-attested verdict
- Wired into the negotiation flow (verification result auto-triggers escrow resolution)
Negotiation Rooms
- Turn-based agent dialogue with tool-gated severity assignment
- Room manager orchestrates the full 10-step pipeline
- PubSub event streaming to frontend via WebSocket
TEE Integration
- Phala dstack attestation (RTMR[3], compose hash verification)
- Docker Compose topology with network isolation (analysis, egress-restricted, default)
- RPC proxy that blocks write methods (
eth_sendRawTransaction,eth_sign, etc.)
Frontend
- React 19 + Tailwind v4
- Live WebSocket streaming of all pipeline events
- 10-step pipeline tracker, audit panel, escrow state display
Supporting Infrastructure
- Venice E2EE client (reverse-engineered ECDH + HKDF + AES-256-GCM protocol)
- IPFS archival of disclosure evidence
- ERC-8004 on-chain identity and reputation for agents
- Effect-based architecture throughout (typed errors, DI, streaming)
In production, you would see none of this. The entire point is that the agent operates inside a TEE black box — nobody can observe what it's researching, what vulnerabilities it found, or what it's analyzing. The only externally visible artifacts are: (1) which bugs it submitted, and (2) whether they were accepted. Everything else — the LLM audit, the negotiation, the verification — happens inside hardware-encrypted memory that not even the host operator can read.
The demo exposes the agent's internals (streaming audit, negotiation transcript, pipeline steps) purely for demonstration purposes, so you can see the mechanism working end to end. In a real deployment, this visibility would not exist.
# Clone and install
git clone https://github.com/Eduardogbg/mnemo
cd mnemo && bun install
# Terminal 1: start local devnet
anvil
# Terminal 2: start the web demo
VENICE_API_KEY=your_key bun run packages/web/src/server.ts
# Open http://localhost:3000
# The autonomous agent starts polling the registry
# Select a challenge to trigger the full 10-step pipeline# Add to .env
ESCROW_ADDRESS=0x22Fd1c1cbF21c17627239dB5f59bfb5FE371F6da
ERC8004_ADDRESS=0x5674Efd049790cd1Cb059dD2b42dc4791a8086f3
REGISTRY_ADDRESS=0xc42BE1d5aBeB130Ee5D671611685C58fd8eA99E3
RPC_URL=https://sepolia.base.org
VENICE_API_KEY=your_key bun run packages/web/src/server.tsVENICE_API_KEY=your_key bun run packages/researcher/src/experiments/e2e-discovery.tscd contracts && forge test -vv| Layer | Technology |
|---|---|
| Language | TypeScript (Effect for typed FP, DI, streaming) |
| Ethereum | voltaire-effect, Foundry (forge/anvil) |
| TEE | Phala dstack (Intel TDX, RTMR[3] attestation) |
| Inference | Venice API (private, no data retention) |
| Identity | ERC-8004 (on-chain agent reputation) |
| Frontend | React 19, Tailwind v4, WebSocket |
| Chain | Base Sepolia |
| Package | Purpose |
|---|---|
@mnemo/core |
Agent, Provider, State, Errors, shared tool types |
@mnemo/harness |
Room (negotiation turn loop), verifier/prover tools |
@mnemo/chain |
ERC-8004, EscrowClient, RegistryClient, attestation, IPFS |
@mnemo/researcher |
AutonomousAgent (5-phase loop), ExecutionLog, researcher tools |
@mnemo/dvdefi |
Foundry service (build/test/script), Devnet (Anvil lifecycle) |
@mnemo/verity |
EvmClient, invariant checking, PoC scripts |
@mnemo/verifier |
Hybrid verification pipeline (forge + RPC invariants), LLM toolkit |
@mnemo/venice |
Venice E2EE provider for @effect/ai |
@mnemo/web |
React 19 frontend + Effect HttpApi server |
Mnemo is designed for responsible disclosure, not exploitation. The researcher agent:
- Cannot execute transactions. TEE sandbox blocks
eth_sendRawTransaction. The agent has read-only chain access. - Must go through the negotiation protocol. There is no mechanism to exfiltrate findings outside the room.
- Cannot leak data on abort. If negotiation fails, the TEE enclave is destroyed. Hardware-level memory wipe, not software deletion.
- Escrow ensures fair payment. Both parties have skin in the game. The protocol funds escrow before seeing details; the researcher gets paid only if the vulnerability is real.
- Evidence is archived. All disclosures are recorded on IPFS for transparency and auditability.
- Reputation is on-chain. ERC-8004 feedback incentivizes honest behavior. Bad actors accumulate negative reputation that follows their agent identity.
- The DVDeFi challenge contracts (SideEntrance, etc.) are well-known vulnerabilities likely present in LLM training data. The agent finding them is a proof of mechanism, not a proof of novel discovery capability.
- TEE attestation is simulated outside a CVM. The demo generates stub quotes; real RTMR[3] binding requires deployment inside a Phala dstack CVM.
- The demo escrow flow is ceremonial — the same entity creates, funds, and resolves. In production, the protocol and TEE would be separate actors with the escrow gating information flow.
- Network isolation (RPC proxy, air-gapped Docker networks) only applies when running the production Docker Compose inside a CVM, not in the local demo.
- The agent can only process pre-mapped DVDeFi challenges, not arbitrary contracts. General-purpose discovery requires a more flexible metadata→contract resolution pipeline.
The Synthesis Hackathon, March 13--22, 2026.