{"id":31788906,"url":"https://github.com/tamago-labs/x-engine","last_synced_at":"2025-10-10T14:29:35.780Z","repository":{"id":247944424,"uuid":"826816117","full_name":"tamago-labs/x-engine","owner":"tamago-labs","description":"AI-Powered Code Review for Move Smart Contracts","archived":false,"fork":false,"pushed_at":"2025-01-30T08:23:14.000Z","size":523,"stargazers_count":4,"open_issues_count":1,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-01-30T09:18:43.496Z","etag":null,"topics":["aptos","claude","langchain","llm","move","nodejs","sui"],"latest_commit_sha":null,"homepage":"https://tamagolabs.com","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tamago-labs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-10T12:39:08.000Z","updated_at":"2025-01-30T08:23:20.000Z","dependencies_parsed_at":"2024-07-16T18:06:47.258Z","dependency_job_id":"9381fedc-db00-4f02-9fe3-268aaa65e52b","html_url":"https://github.com/tamago-labs/x-engine","commit_stats":null,"previous_names":["tamago-labs/x-review","tamago-labs/x-engine"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/tamago-labs/x-engine","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tamago-labs%2Fx-engine","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tamago-labs%2Fx-engine/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tamago-labs%2Fx-engine/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub
/repositories/tamago-labs%2Fx-engine/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tamago-labs","download_url":"https://codeload.github.com/tamago-labs/x-engine/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tamago-labs%2Fx-engine/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279004178,"owners_count":26083688,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-10T02:00:06.843Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aptos","claude","langchain","llm","move","nodejs","sui"],"created_at":"2025-10-10T14:29:02.856Z","updated_at":"2025-10-10T14:29:35.773Z","avatar_url":"https://github.com/tamago-labs.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AI-Code Review for Move Smart Contracts\n\n![Screenshot from 2024-10-07 18-38-56.png](https://cdn.dorahacks.io/static/files/19266593268c7fc86031c0245e09564e.png)\n\nSmart contract audits are costly, especially today when the focus isn't solely on the Ethereum chain. 
Deploying smart contracts to multiple chains requires separate audits for each chain and each smart contract language, making it impossible for smaller projects to afford.\n\nWe provide an AI solution for quickly reviewing smart contracts and generating reports to share with the community. This is particularly useful when releasing minor versions, expanding to new chains or when the project is still at a very early stage and cannot afford to pay for a full audit.\n\n**Please be aware that the project is still in its very early stages and may contain bugs and incomplete features. Use it at your own risk, and note that this cannot replace a full security audit.**\n\n- [YouTube](https://www.youtube.com/watch?v=ULfa7UELpHM)\n- [App](https://app.tamagolabs.com)\n\n## Features\n\n* Automatic detection of various vulnerabilities\n* Gas optimization suggestions based on academically proven resources\n* Built-in IDE for seamless code review and editing\n* Free and open source\n* Powered by advanced AI models like Claude AI, Voyage AI and LangChain\n\n## System Overview\n\nThe system comprises a frontend and backend. The backend integrates with external AI services to process code reviews:\n\n* **Claude AI** – Main LLM\n* **Voyage AI** – Text embeddings\n* **LangChain** – Prompt preparation\n\nCurrently, the system can run two workflows, each with a different set of contexts (resources) and prompts. For now, we do not charge for usage, but each user is limited to making 1 request per day and 3 requests on the first day using the credit-based system.\n\nLike any RAG application, we must provide a guidance prompt to structure the output, define the rules, and set conditions before making a call to the LLM via the LangChain SDK. The gas optimization workflow is displayed below.\n\n```\n`You are an AI agent assigned to suggest improvements on the provided source code. 
`,\n`Use the following pieces of context to answer the question without referring to the example source code.`,\n`Use a maximum of two paragraph and maintain a formal tone to ensure it is suitable for inclusion in a security report.`,\n`\\n\\n`,\n`Context: {context}`,\n```\n\nFor each request, the source code will be wrapped into another prompt.\n\n```\n\"From the source code below, suggest ways to optimize gas usage\",\n`${Buffer.from(source_code, 'base64').toString('utf8')}`,\n```\n\nThe backend has its own database to store account data (which is randomly generated on the frontend side), context data and reports. When a request is submitted, it is attached to a temporary database until a cron job consumes and processes all active jobs every 10 minutes. This helps us reduce costs when building a RAG chain.\n\n## Gas Optimization\n\nThis detector allows AI to read through submitted smart contracts and suggest gas optimization improvements in a human-readable, point-by-point report based on academically proven resources as context. This detector is highly useful and fully functional. 
Anyone can submit Move contracts and optimize gas on the fly.\n\nThe table below shows the context we provide for this detector.\n\n| ID                           | Title                                    | References                                                                                           |\n| ---------------------------- | ---------------------------------------- | --------------------------------------------------------------------------------------------------------|\n| [aptos-move-gas-optimization](./packages/context/aptos-move-gas-optimization.md)    | Aptos Move Gas Optimization         |      |\n\nAn example result is shown below:\n\n```\nAvoid unnecessary operations: \nIn the currentStandings function, you can simplify the calculation by removing the unnecessary multiplication and division operations.\nInstead of (op_store.trueVotes*100/op_store.totalVotes*100)/100, you can use op_store.trueVotes*100/op_store.totalVotes.\nThis will reduce the number of operations and potentially save gas.\n```\n\n## Vulnerability Detection\n\nThis detector extends the knowledge capacity of the LLM (Claude AI in our case) using the RAG approach by providing context for the AI to understand before further analyzing the source code. 
The context can be divided into 2 groups as follows:\n\n*  Move language-specific practices\n*  Porting from Ethereum's EIP-1470 (https://github.com/SmartContractSecurity/SWC-registry)\n\nThe table below lists all the contexts we currently support, including vulnerability patterns, with more being added over time.\n\n| ID                           | Title                                    | References                                                                                           |\n| ---------------------------- | ---------------------------------------- | --------------------------------------------------------------------------------------------------------|\n| [sui-vs-aptos-move-differences](./packages/context/sui-vs-aptos-move-differences.md)    | Differences Between Sui Move and Aptos Move         |      |\n| [move-vector-limitations](./packages/context/move-vector-limitations.md)    | Move Vector Limitations         |      |\n| [integer-overflow-and-underflow](./packages/context/integer-overflow-and-underflow.md)    | Integer overflows and underflows         | [CWE-682](https://cwe.mitre.org/data/definitions/682.html)                       |\n| [broken-access-controls](./packages/context/broken-access-controls.md)    | Broken access controls                   | [CWE-284](https://cwe.mitre.org/data/definitions/284.html)                     |\n| [re-entrancy](./packages/context/re-entrancy.md)    | Re-entrancy                              | [CWE-841](https://cwe.mitre.org/data/definitions/841.html) |\n\n## Backend\n\nThe backend, built with Node.js and Express.js, serves as the core of the project. It contains API services and a simple queue system to process source code sent by users to external API services one by one. 
\n\n|   |type|description|\n|---|--- |---                      |\n|**/**|get|for heartbeat|\n|**/auth/signup**|post|register a user|\n|**/auth/login**|post|for login|\n|**/submit/**|post|submit a request in base64|\n|**/report/:account**|get|get a report in base64|\n\nIt runs with two main modules: `database.js` and `rag_chain.js`.\n\n- `database.js` - A JavaScript class that wraps the JavaScript database PouchDB and hosts all user data and reports.\n- `rag_chain.js` - A class that contains all prompts to interact with the LLM using LangChain to integrate with all external systems.\n\nWhen creating a report, `rag_chain.js` generates sections based on each provided prompt, starting with a header that summarizes the file information, followed by each security category, such as unused variables, integer overflow, and access control, which we currently support. We may improve accuracy and performance over time.\n\nExample smart contracts on Sui Move and Aptos Move are available to start testing.\n\n## How to use \n\nGo to https://app.tamagolabs.com and ensure you have enough credits to perform a request. Your user profile is generated randomly on the client side.\n\n### 1. Add a File\n- Navigate to the IDE/Editor screen and paste your source code. \n- You can also create your own project and files, instead of using the example files provided.\n\n### 2. Choose a Review Flow\n- On either the main screen or the IDE/Editor screen, click the 'Start Process' button.\n- Choose between two workflows: Vulnerability Detection or Gas Optimization.\n\n### 3. Submit Your Request\n- Submit your request. All requests are processed in batches, and your request should start within 10 minutes or less.\n- Each request currently costs 10 credits.\n\n### 4. Check the Report\n- Once the process is complete, you can view the results on the Report screen.\n\n\n## How to Test\n\nYou can also set up the entire project on your own by following the instructions below.\n\nThe project uses a Lerna monorepo. 
After downloading this repo onto your machine, you can then run:\n\n```\nnpm install\n```\n  \nEnsure you obtain all API keys from the AI services we are using and place them in the .env file.\n\n```\nANTHROPIC_API_KEY=your-api-key\nVOYAGEAI_API_KEY=your-api-key \n```\n\nOnce everything is ready, start the system with:\n\n```\nnpm start\n```\n\nBackend tests can also be run with:\n\n```\nnpm run test-backend\n```\n\n\n## Awards \u0026 Recognition\n\n- (Vulnerability Detection) 1st place in the AI x Web3 track at the [moveonaptos.dev](https://moveonaptos.dev/) hackathon \n\n## Links\n\nFollow our social channels for further updates\n\n- https://twitter.com/Tamago_Labs\n- https://tamagolabs.com\n- https://discord.com/invite/jNGqJCsegp\n- https://www.facebook.com/tamagolabs\n\n## License\n\nMIT © [Tamago Labs](https://github.com/tamago-labs)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftamago-labs%2Fx-engine","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftamago-labs%2Fx-engine","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftamago-labs%2Fx-engine/lists"}