EMPOAR Lighthouse Case Study: 6 Vulnerabilities Caught Before Mainnet
SafeStackAI identified 3 high-severity findings in EMPOAR's production contracts with a 100% true positive rate and zero false positives.
EMPOAR is a regulated real-world asset tokenization platform handling investor funds. Before shipping to mainnet, the team needed confidence that their smart contracts could withstand adversarial conditions.
The stakes for RWA platforms are high. On-chain RWA value roughly quadrupled from $6.4 billion in early 2025 to over $25 billion by Q1 2026 (CoinGecko 2026 RWA Report). Institutional players entering this space expect audit-grade security, and blockchain exploits are irreversible. There is no undo button once funds are lost on-chain.
EMPOAR had already completed a human audit of their contracts. After that audit, they ran SafeStackAI against their production code to validate coverage and catch implementation-level issues that manual review might deprioritize.
All 6 findings were independently verified. 5 of 6 severity ratings matched exactly. One finding rated MEDIUM was assessed by EMPOAR as likely LOW. No finding was rated lower by SafeStackAI than by EMPOAR's own assessment.
releaseMilestone short withdrawal allows funds shortfall on payout. Confirmed.
cancelProject locks investor capital permanently. Confirmed.
deadlineRefund doesn't decrement raised, causing accounting drift. Confirmed (likely LOW).
stalledWindowRedeem internal accounting edge case loss. Confirmed.
ReadingSubmitted event creates observability gap. Confirmed.
The three HIGH findings all involved fund flow or authorization logic. releaseMilestone could produce a shortfall during payout. cancelProject could permanently freeze investor capital with no recovery path. And missing authorization checks on module hooks opened an execution path that should have been restricted.
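As an added illustration (not EMPOAR's contract code and not SafeStackAI's output), a minimal Solidity escrow showing the accounting-drift pattern behind the deadlineRefund finding: a refund path that pays out without decrementing raised, beside the corrected version and the invariant a test suite or monitor can assert after every state change. The name deadlineRefund and the variable raised come from the findings above; contributions, deadline and goal are assumed names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
/// Hypothetical crowdfunding-style escrow illustrating the "deadlineRefund
/// doesn't decrement raised" accounting-drift pattern. Not EMPOAR's code:
/// contributions, deadline and goal are assumed names.
contract RefundDriftExample {
    mapping(address => uint256) public contributions;
    uint256 public raised;             // running total the contract believes it holds
    uint256 public immutable deadline;
    uint256 public immutable goal;

    constructor(uint256 goal_, uint256 duration) {
        goal = goal_;
        deadline = block.timestamp + duration;
    }

    function contribute() external payable {
        require(block.timestamp < deadline, "closed");
        contributions[msg.sender] += msg.value;
        raised += msg.value;
    }

    /// BUGGY: returns the contributor's ETH but leaves `raised` untouched, so
    /// after any refund `raised` overstates what the contract actually holds.
    function deadlineRefundBuggy() external {
        require(block.timestamp >= deadline && raised < goal, "not refundable");
        uint256 amount = contributions[msg.sender];
        require(amount > 0, "nothing to refund");
        contributions[msg.sender] = 0;          // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    /// FIXED: every path that moves funds out also updates the running total,
    /// preserving the invariant raised == address(this).balance.
    function deadlineRefund() external {
        require(block.timestamp >= deadline && raised < goal, "not refundable");
        uint256 amount = contributions[msg.sender];
        require(amount > 0, "nothing to refund");
        contributions[msg.sender] = 0;
        raised -= amount;                       // the line the buggy path omits
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    /// Invariant to assert in tests (or a monitor) after every state change.
    function accountingConsistent() external view returns (bool) {
        return raised == address(this).balance;
    }
}
```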
EMPOAR's human audit and SafeStackAI produced complementary results with no overlap in findings.
The human audit focused on business logic, regulatory compliance, and prescriptive remediation. After that audit was complete, SafeStackAI's analysis focused on implementation-level vulnerabilities: fund-flow edge cases, authorization gaps, and accounting inconsistencies. Together they provided broader coverage than either could alone.
"SafeStackAI surfaced a broad set of implementation hardening items that complemented our human audit and accelerated triage."
Quote pending final approval from EMPOAR team.
The EMPOAR team estimated the following impact from running SafeStackAI alongside their human audit:
Access control vulnerabilities alone caused $953 million in documented losses in 2024. In Q1 2026, there were 44 reported incidents totaling $482 million in losses across decentralized protocols. RWA platforms handling investor funds face the same attack surface with additional regulatory consequences.
EMPOAR's human audit covered a snapshot of their codebase. SafeStackAI runs on every commit. The 3 HIGH severity issues above would have been caught the moment the vulnerable code was merged, not weeks later during a re-audit. For RWA platforms iterating on contract logic under regulatory pressure, that difference matters.
Pre-mainnet AI security review catches implementation-level vulnerabilities that manual audits may deprioritize. Continuous analysis on every pull request means security doesn't fall behind code velocity.