Evidence-First AI Security: Building the EllipticZero Research Lab

Why an AI Agent Should Not Be Treated as Proof: Building EllipticZero Research Lab

Vladimir Stelmak has developed the EllipticZero Research Lab to standardize scoped smart-contract security reviews. The system enforces a strict boundary where agent output is treated as a hypothesis rather than technical proof.

Why This Matters

In smart-contract security, overconfident LLM outputs can lead reviewers toward incorrect risks or false senses of completion. Because vulnerabilities in cryptography and asset flow require precise evidence—such as reachable paths and tool traces—relying on model certainty without local computation creates a dangerous gap between perceived and actual security.

Key Insights

• The ‘Evidence First, Agent Second’ rule (2026) mandates that agents propose hypotheses while substantive claims remain tied to local tools and replayable artifacts.
• Layered Workflow Architecture: The system separates local context, bounded agent work, artifact layers (SARIF/Markdown), and final human review.
• Repeatable Review Lanes: Structured domains such as access control, vault accounting, and oracle assumptions allow for consistent evidence coverage.
• Defensive ECC Research: Focuses on point formats and curve metadata where model confidence is insufficient without local computation.

Practical Applications

• [Smart Contract Auditor] Using SARIF exports to integrate AI hypotheses into CI pipelines while maintaining manual validation boundaries.
• [Security Researcher] Applying defensive ECC research to verify curve-family consistency via local tools rather than relying on LLM summaries.

References:

• https://dev.to/ecd5a/why-an-ai-agent-should-not-be-treated-as-proof-building-ellipticzero-research-lab-e6h
• https://github.com/ECD5A/EllipticZero