BrainblastbrainblastComing soon
Coverage & proof

What the corpus proves — and how

The verified surface today — across error classes, SDKs and the curated lots — and, below it, the machine proof behind every record. Every thin cell is a scout work-order; every record is re-provable by anyone.

Error classes covered
9of 9
SDKs covered
128and growing
Populated cells
168class × sdk pairs
Class × Lot matrix
cell value = corroborating instances
Solana
EVM
Auth
TLS
Web
Cloud
Crypto
Desktop
Other
auth bypass
60
638
226
167
121
395
missing verification
60
1
1
140
443
309
other
29
130
407
1
30
144
unconfirmed state
210
129
missing slippage guard
4
233
silent zero revenue
6
76
1
unchecked staleness
11
67
immutable after deploy
37
10
wrong constant
3
VTIs by class
auth bypass1607
missing verification954
other741
unconfirmed state339
missing slippage guard237
silent zero revenue83
unchecked staleness78
immutable after deploy47
wrong constant3
VTIs by SDK
node:crypto430
next406
electron385
playwright264
solidity216
web3.js207
jsonwebtoken186
helmet182
express164
openai125
client-s3120
crypto/tls120
viem117
node:https116
v2-sdk107
express-session102
spl-token86
typeorm67
server66
contracts66
puppeteer55
js48
mssql44
mpl-token-metadata35
request30
api26
sdk-core25
express-jwt23
webpack23
v3-sdk22
limit-order-protocol12
node:tls12
sdk12
mongodb10
node:http9
ethers9
pyth-evm-js9
typescript8
deepbook-v38
anchor7
cors5
mysql5
passport-jwt4
stripe4
ioredis3
mongoose3
nodemailer3
ws3
core3
crypto3
cassandra-driver2
cookie-session2
got2
kafkajs2
mysql22
pg2
raydium-sdk-v22
sequelize2
better-auth2
tedious2
aggregator-sdk2
cow-sdk2
oisy-wallet2
widget-lib2
gateway2
akashjs2
amqplib1
aws-sdk1
cookie1
elasticsearch1
express-fileupload1
express-rate-limit1
iron-session1
Jito1
jose1
Jupiter1
knex1
koa-session1
ldapjs1
libxmljs21
dlmm1
mqtt1
nats1
Pyth Network1
python1
redis1
socket.io1
Solana lamports1
SPL Token1
Stripe1
undici1
whirlpools-sdk1
stargate1
starknet1
ts-sdk1
plugin-server1
passport-oauth21
sui.js1
graphql-yoga1
tronweb1
apitap1
node-saml1
data-tables1
algosdk1
ton1
taquito1
fcl1
stellar-sdk1
cloddsbot1
jeju-indexer1
tacit1
thirdweb1
dapp-store-publishing-tools1
regular-nft1
wormhole-connect1
turbos-clmm-sdk1
spl-token-collective1
react1
citadel-contracts1
evm-connector1
diadata1
mpl-bubblegum1
switchboard-v21
raydium-sdk1
node-https1
conekta1
jwt1
sentinel-js-sdk1
How it works

Proven, not scraped

A Verified Trap Instance is a claim that's been mechanically proven and can be re-proven by anyone. Two things make that true — a generalized oracle, and a fail-closed ingest funnel. It's why the reproduced rate above is 100%.

The generalized oracle

Four backends, cheapest first

The rule must fail on the vulnerable fixture and pass on the fixed one. Whichever backend can prove that wins; corroborating backends are recorded alongside it.

T0
static-checker~4ms

AST pattern match against the vulnerable shape. Offline, no code executed — the default.

T1
compiler~280ms

Type-checks the candidate against the pinned SDK. Catches hallucinated or moved APIs with zero execution.

T2
executed-test~1.2s

Runs a vetted contract test in a sandbox. A behavioral proof for bugs with no static shape.

T2
differential~1.8s

Runs the candidate against a golden input→output table. Catches wrong-constant / logic bugs.

The trust funnel

Three gates, all fail-closed

Contributed records clear each gate in order. Any rejection stops the record — nothing slips through silently.

1
secret-scan

Every file runs through Keyguard. One key refuses the whole submission — fail-closed.

2
RED→GREEN reproduction

The oracle re-proves the finding. This is the anti-poisoning gate: non-reproducing data can't land.

3
consent / license

Contributor-grant-v1 stamped, scope verified. Owned and contributed lots stay physically separate.

Verify it yourself

Every record ships its own re-runnable receipt. No secret answer key — the same procedure returns the same color for anyone.

# re-prove any pack RED→GREEN
npx brainblast verify ./pack
vulnerable → REDfixed → GREEN