What CaliperForge is
A multi-agent organization, run by one person.
Instead of writing the code himself, the operator designs an organization that runs on the same pathways a real company does — defined roles, clean handoffs, review gates, one person accountable at the end. The engine is domain-general; right now it is pointed at protocol and smart-contract security. The question under the work: how much does one operator's reach change when an organization can be encoded?
12 Cairo contracts Voyager-verified · 4 Solana programs CI-green · 1 operator of record.
What we work on
Chains we cover
We work where contracts are shipping. Active language coverage: Cairo, Rust / Anchor, Solidity.
- Starknet: Contract work and developer tooling on snforge.
- Solana: Programs, tooling, Foundation-funded work.
- HyperEVM: HyperCore-boundary invariants and CI-runnable property tests for lending protocols.
- Ethereum / EVM: Bridge-conservation invariant references and exploit-to-invariant case reproductions for EVM protocols.
Base and the Optimism Superchain come online as ecosystem work lands; Move (Sui, Aptos) and Go (Cosmos, Celestia) when contract volume warrants.
What we ship
Projects
Open-source tooling we maintain. Source on GitHub, license on the card.
- Exploit→Invariant Atlas [Cairo · Move · Solana · EVM · CI-asserted · Apache-2.0] Six real-world hacks across four VMs — zkLend (Cairo / Starknet), Cetus (Move / Sui), Cashio, Mango Markets, and Loopscale (Solana), and a Trace2Inv-canon access-control case (EVM) — each with a runnable invariant property that would have caught the bug class on the pre-exploit code under CI run. First defender-side, pre-deploy CI benchmark across Cairo, Move, Solana, and EVM. Not a claim we found these exploits; not formal verification. Per case: a clean twin where the property holds and a planted-bug twin where it fires, both asserted on every push. github.com/caliperforge/invariant-atlas · Blog · AI-disclosed
- cf-invariants [Starknet · Cairo 2.x · Rust + Cairo · CI green · Apache-2.0] Open-source snforge sidecar that adds stateful invariant testing and AI-suggested invariants to Cairo 2.x. Twelve reference contracts, Voyager-verified on Starknet Sepolia. github.com/caliperforge/cf-invariants · Sepolia deployments · AI-disclosed
- cf-invariants-anchor [Solana · Anchor / Crucible · Rust + Anchor · CI green · Apache-2.0] Invariant-authoring layer on top of Crucible (Asymmetric Research's coverage-guided Solana fuzzer). Stateful invariants and AI-suggested invariants tagged in source; CI runs the harness against a clean vault and a planted-bug twin every push — 0 violations on the clean variant, ≥1 on the planted variant, with scorecards committed. github.com/caliperforge/cf-invariants-anchor · AI-disclosed
- cf-invariants-jito [Solana · Anchor / Crucible · Jito tip-distribution · CI green · Apache-2.0] Invariant-fuzzing harness for the Jito Foundation tip-distribution program, ported from anchor-lang 0.31.1 to 1.0.1 to run on Crucible (Asymmetric Research) v0.2.0. CI runs four invariant classes — claim-amount conservation, no-double-claim, Merkle authority, admin gating — against a clean reference and a planted-bug twin per class on every push: 0 violations clean, ≥1 violation planted, across all four. github.com/caliperforge/cf-invariants-jito · Blog · AI-disclosed
- cf-invariants-jito-tippayment [Solana · Anchor / Crucible · Jito tip-payment · CI green · Apache-2.0] Sibling harness for the Jito Foundation tip-payment program on the same anchor-lang 1.0.1 / Crucible v0.2.0 rails as cf-invariants-jito. Ships one invariant class to start — write-through state-update on change_tip_receiver — against a clean reference and a planted-bug twin. CI: 0 violations clean, ≥1 violation planted, green on the first push. github.com/caliperforge/cf-invariants-jito-tippayment · Blog · AI-disclosed
- cf-invariants-jito-priorityfee [Solana · Anchor / Crucible · Jito priority-fee-distribution · CI green · Apache-2.0] Third Jito program harnessed on the same anchor-lang 1.0.1 / Crucible v0.2.0 rails as cf-invariants-jito and cf-invariants-jito-tippayment. Ships one invariant class to start — total priority-fee tips increment on transfer — against a clean reference and a planted-bug twin. CI: 0 violations clean, ≥1 violation planted, green on the first push. github.com/caliperforge/cf-invariants-jito-priorityfee · AI-disclosed
- cf-invariants-pyth [Solana · Anchor / Crucible · Pyth pyth-solana-receiver · CI green · Apache-2.0] Fourth real Solana program harnessed on the same anchor-lang 1.0.1 / Crucible (Asymmetric Research) v0.2.0 rails as the three Jito family harnesses — first port to an oracle-class protocol. Ships two invariant classes — two-step governance (access-control) and reclaim-rent conservation — each against a clean reference and a planted-bug twin. CI: 0 violations clean, ≥1 violation planted, across both classes. github.com/caliperforge/cf-invariants-pyth · AI-disclosed
- chimera-template-pack [Solidity + Foundry · CI scorecards · Apache-2.0 (MIT carve-out)] Reusable Foundry + Recon Chimera scaffold for contest entries. Pre-wires Echidna and Medusa stateful-fuzz campaigns, three seeded invariants, and a CI job that runs the campaign and writes scorecards into findings/ on every push. Forkable starter, not a finished audit. github.com/caliperforge/chimera-template-pack · AI-disclosed
- hyperevm-safety [HyperEVM · Solidity + Foundry · hyper-evm-lib + Recon Chimera · CI green · Apache-2.0] Open-source library of invariants and CI-runnable property tests for HyperEVM lending protocols that consume HyperCore oracle reads. Six HyperCore-boundary invariants ship in v0.1 — oracle staleness, mark/oracle deviation, szDecimals round-trip, precompile gas DoS, CoreWriter solvency window, and a Chainlink-compat invariant catching adapters that defeat downstream staleness checks. All six run as CI-runnable property tests against a clean reference where the property holds under fuzz. Three fire INVARIANT VIOLATED on the same CI run — the szDecimals round-trip (D-3) and Chainlink-compat (D-6) planted twins, and the JELLY (Mar 2025) mark-price manipulation reproduction (covering oracle staleness and mark/oracle deviation, D-1/D-2) against a minimal lending-market reference. Precompile gas DoS (D-4) and CoreWriter solvency window (D-5) carry inline broken-reference tests demonstrating the bug class deterministically. Built on hyper-evm-lib (the HyperCore precompile / CoreWriter simulator the ecosystem already uses) and the CaliperForge chimera-template-pack. Not an audit; not a runtime monitor. github.com/caliperforge/hyperevm-safety · AI-disclosed
- cf-invariants-verus-bridge-conservation [EVM · Solidity + Foundry · Recon Chimera · Echidna · CI green · Apache-2.0] A runnable, CI-verified reference for the cross-side conservation invariant class in lock/mint bridges — anchored on the Verus–Ethereum bridge exploit of 2026-05-18 (reported losses USD 11.58M, per Halborn). The bridge’s solvency rule existed in prose and spec but was never expressed as a machine-checkable invariant. This repo lifts it to one line: sum_locked_eth − sum_released_eth == sum_minted_verus − sum_burned_verus. A clean reference contract holds the invariant; a planted-bug twin breaks it. Both legs run as a CI matrix on every push — clean exits 0 violations, planted surfaces a counterexample (invariants_violated: 1 on the scorecard, with a deterministic forge replay test in-tree). Built on a Chimera-pattern harness (Recon Chimera + Foundry, Echidna), tracking the CaliperForge chimera-template-pack pinning. Not an audit; not a forensic incident report; not a port of Verus’s production code. The published analyses (Halborn formal post-mortem; Blockaid and PeckShield firm advisories) cover the forensic angle; this repo adds the dimension none of them has — a machine-checkable expression of the rule. github.com/caliperforge/cf-invariants-verus-bridge-conservation · AI-disclosed
Live on-chain
cf-invariants reference suite on Starknet Sepolia.
Twelve Cairo 2.x contracts deployed and Voyager-verified on Sepolia (suite expanded 6 → 12 on 2026-06-04). Planted-bug references span token supply accounting, governance executed-state, AMM constant-product, and additional surfaces — both regression fixtures for cf-invariants and on-chain targets you can run the sidecar against today.
- ERC20Ref: Planted bug on supply accounting. 0x01def8…b055b (Voyager)
- Governance: Planted bug on executed-state tracking. 0x066738…794e6 (Voyager)
- SingleSideAmm: Planted bug on constant-product reserves. 0x05351d…c81f8 (Voyager)
- ERC4626Ref: Planted bug on share / asset conservation. 0x01d31e…e08c (Voyager)
- MultisigRef: Planted bug on threshold monotonicity. 0x04fe55…eef8 (Voyager)
- ERC721Ref: Planted bug on token-id uniqueness. 0x02b5aa…55fa (Voyager)
- LendingRef: Planted bug on per-user solvency. 0x0627b8…7c52 (Voyager)
- StakingRef: Planted bug on stake / slash conservation. 0x014e72…4e09 (Voyager)
- VestingRef: Planted bug on time-bounded release supply cap. 0x032537…bd38 (Voyager)
- TimelockRef: Planted bug on delay-respected execution. 0x000cf3…e3f7 (Voyager)
- PaymentSplitterRef: Planted bug on proportional-share release. 0x019300…710c (Voyager)
- OracleRef: Planted bug on push-update timestamp monotonicity. 0x0617f5…e023 (Voyager)
How it works
Specialized agents, scoped and cross-checked.
The organization is a team of specialized AI agents — an audit engineer, a Cairo specialist, a Rust / Anchor specialist, a grant writer, a content reviewer, and others as the work calls for them. Each is scoped, each has a defined output discipline, and each cross-checks the others before anything leaves the workspace. The operator reviews every load-bearing decision and ships under his own name, with every contribution reproduced in a cold environment first.
Specialization velocity is the working pattern: a new chain, a new VM, a new specialist and a CI-verified tool with it, in days rather than months. Cairo (snforge) to Solana / Anchor (on Asymmetric Research's Crucible) was roughly one working session.
The tooling layer below the org-shape is an invariant-authoring layer on top of the engines doing the fuzzing — snforge on Cairo, Crucible on Solana / Anchor — with stateful invariants, AI-suggested invariants tagged in source, and clean / planted-bug reference examples checked into CI. We don't compete with the underlying engines on coverage; we author the layer above them.
AI involvement is disclosed at point of use; full policy at caliperforge.com/ai-disclosure.
How it started
From running companies to encoding one.
I'm a French citizen living in Guatemala, and most of my career has gone into starting and growing businesses, not writing code — companies across tech, logistics, and education reform. Each one taught the same lesson: a company is really a set of processes that turn intent into usable output, and the operators who win are the ones who design those processes on purpose. I've always been fascinated by software; I just came at it from the operator's seat rather than the engineer's. CaliperForge turns that to a different end — an organization that outputs quality, real-world, usable work, signed under my own name.
Contact
Reachable, KYC-able, accountable.
Operated by Michael Moffett, accountable for every commit, PR, grant application, and bounty claim made under this org. For grant collaboration, engagement inquiries, security tooling questions, or contribution questions:
- Operator: Michael Moffett
- Direct: michael@caliperforge.com
- Team: team@caliperforge.com
- GitHub: github.com/caliperforge
- X: @caliperforge
- Farcaster: @caliperforge
- Telegram: @caliperforge
- ENS: caliperforge.eth