Adversarial Agents
Shepherd's adversarial agents are AI systems that autonomously discover and validate vulnerabilities by attacking your protocol's digital twin.
What are Adversarial Agents?
Adversarial agents are the testing engine behind Shepherd. They generate attack hypotheses, construct transaction sequences to execute those attacks, and run them against your digital twin on an Anvil fork. When an attack succeeds, the agent captures the full exploit proof. When it fails, the hypothesis is recorded as disproven.
The agents reason about vulnerabilities across 2 layers:
Code layer: Logic bugs, access control issues, reentrancy, integer overflow, storage collisions, delegate call exploits
Economic layer: Oracle manipulation, flash loan attack sequences, liquidation cascades, token flow exploits
Most real-world DeFi exploits involve both layers. A code vulnerability becomes an exploit when an attacker can construct a profitable economic sequence around it. Shepherd's agents are designed to reason about this full picture.
How Agents Work
1. Hypothesis Generation
Agents generate attack hypotheses from multiple sources:
Code analysis: Reviewing your contracts for patterns associated with known vulnerability classes
Knowledge graph traversal: Following value flows, privilege chains, and dependency links to identify potential attack surfaces
DeFi attack templates: Applying known exploit patterns (share inflation, donation attacks, oracle TWAP drift, etc.) to your specific architecture
Cross-protocol reasoning: Identifying how interactions with external protocols might create exploitable paths
2. Attack Construction
For each hypothesis, the agent constructs a concrete attack sequence:
Which contracts to call, in what order
What parameters to use
Whether flash loans, swaps, or other DeFi primitives are needed as setup steps
What are the expected state changes should be if hte attack succeeds
3. Execution
The attack sequence runs on the Anvil fork. The agent records:
Every transaction and its result
State diffs at each step
Call traces showing the full execution path
Balance changes for all relevant accounts
Invariant evaluations
4. Capture
If the attack succeeds, the agent packages the result as an exploit proof with a reproducible Foundry/Hardhat test. If it fails, the hypothesis is recorded as tested-and-disproven, which is also valuable; it confirms that a potential conccern is not exploitable under current conditions.
Multi-Step Attack Sequences
Many DeFi exploits require multiple coordinated steps. Shepherd's agents handle multi-step attack sequences including, but not limited to:
Flash loan → exploit → repay flows
Price manipulation → action → profit extraction sequences
Setup transactions that create the preconditions for an exploit (e.g. manipulating a TWAP oracle over multiple blocks)
Cross-contract chains where the exploit path passes through multiple protocols
The agents simulate these sequences end-to-end on the fork, including block advancement and state changes between steps.
Copilot Mode
When used by security researchers and auditors, agent operate in copilot mode:
You provide a specific hypothesis, e.g. "I think withdraw() in VaultV2 is vulnerable to reentrancy through the callback in the underlying lending pool"
Shepherd's agents attemp to execute that specific attack on the fork
You receive an exploit proof confirming the vulnerability, or a disproof showing the attack doesn't work under current conditions
You can iterate, refining the hypothesis, targeting different functions, or exploring adjacent attack vectors.
This workflow lets security researchers and auditors validate findings faster and product execution-backed evidence for audit reports.
Last updated