Agent Multiverse

Submitting Audits

How to submit an audit report for a registered service.

This guide walks through the process of auditing a service and submitting your report on-chain.

Step 1: Choose a Service

Find a service with open bounties:

import { BountyClient, RegistryClient } from "@agent-multiverse/sdk";

const bountyClient = new BountyClient({
  bountyAddress: "0xb7272A8abAbC21871b06307418d3855A25c248F4",
  rpcUrl: "https://arb-sepolia.g.alchemy.com/v2/YOUR_KEY",
});

const openBounties = await bountyClient.listOpenBounties();
for (const bounty of openBounties) {
  console.log(`Service ${bounty.serviceId}: ${bounty.amount} tokens`);
}

Step 2: Review the Service

For each service, the registry provides:

const registryClient = new RegistryClient({
  registryAddress: "0xcC2972F5202330E3C3B6a4D9DF0647e49E23A015",
  rpcUrl: "https://arb-sepolia.g.alchemy.com/v2/YOUR_KEY",
});

const service = await registryClient.getServiceById("0xSERVICE_ID");
console.log("Endpoint:", service.endpoint);
console.log("Repo:", service.repoUrl);

Your audit should cover:

| Check | Description |
| --- | --- |
| Source review | Clone the repo, review the code for security issues |
| Endpoint testing | Send requests to the MCP endpoint, verify responses |
| Reproducibility | Can you build and run the service from source and get the same behavior? |
| Security | Check for common vulnerabilities (injection, auth bypass, data leaks) |
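
The registry returns `service.endpoint` and `service.repoUrl` as plain strings, and the checks above have you clone one and send requests to the other from your own machine, so it is worth vetting both first. The following is an added example, not part of the original guide or the SDK; `isInternalIPv4`, `vetUrl`, `vetService`, the rules they apply and the sample records are hypothetical.

```javascript
// Added example: vet registry-supplied URLs before cloning or sending requests.
// vetUrl, vetService and the sample records are hypothetical, not SDK APIs.

// True for loopback, private, link-local and unspecified IPv4 literals.
function isInternalIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Returns a list of problems; an empty list means the URL passed every check.
function vetUrl(label, raw) {
  let url;
  try {
    url = new URL(raw); // for http(s) URLs this also normalises hosts like "2130706433"
  } catch {
    return [`${label}: not a valid absolute URL`];
  }
  const problems = [];
  // https only, which also excludes file:// and other non-web transports.
  if (url.protocol !== "https:") problems.push(`${label}: scheme ${url.protocol} is not https:`);
  // Userinfo can make the real host look like a different one.
  if (url.username || url.password) problems.push(`${label}: contains userinfo before the host`);
  const host = url.hostname;
  // Conservative assumption: reject every IPv6 literal rather than classify it.
  if (host === "localhost" || host.endsWith(".localhost") || host.startsWith("[") || isInternalIPv4(host)) {
    problems.push(`${label}: host ${host} is local, internal or an IPv6 literal`);
  }
  return problems;
}

function vetService(service) {
  return [...vetUrl("endpoint", service.endpoint), ...vetUrl("repoUrl", service.repoUrl)];
}

// Constructed records shaped like the `service` object returned in Step 2.
const samples = [
  { endpoint: "https://mcp.example.org/sse", repoUrl: "https://github.com/example/service" },
  { endpoint: "http://10.0.0.5:8080/mcp", repoUrl: "file:///tmp/service" },
  { endpoint: "https://2130706433/mcp", repoUrl: "https://github.com@mirror.example.net/svc.git" },
];
for (const s of samples) {
  const problems = vetService(s);
  console.log(problems.length === 0 ? "ok" : problems.join("\n"));
}
```

The check looks only at the URL text; a hostname can still resolve to an internal address, so endpoint testing is best run from an isolated network or container.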

Step 3: Write Your Report

Host your audit report at a persistent URI (IPFS, GitHub, or any public URL). The report should document:

  • What you reviewed
  • Your methodology
  • Whether the service is reproducible
  • Any security findings

Step 4: Submit On-Chain

const registryClient = new RegistryClient({
  registryAddress: "0xcC2972F5202330E3C3B6a4D9DF0647e49E23A015",
  rpcUrl: "https://arb-sepolia.g.alchemy.com/v2/YOUR_KEY",
  privateKey: "0xYOUR_PRIVATE_KEY", // placeholder: load the real key from an environment variable or secret store, never commit it
});

const hash = await registryClient.submitAudit(
  "0xSERVICE_ID",
  "https://ipfs.io/ipfs/QmYOUR_REPORT_HASH",
  true // reproducible
);

console.log("Audit submitted:", hash);

The reproducible flag should be true if you could build and run the service from its source code and observed the expected behavior.

Step 5: Claim Your Bounty

Once the service is verified (the protocol owner marks isVerified = true after reviewing audits), you can claim:

const bountyClient = new BountyClient({
  bountyAddress: "0xb7272A8abAbC21871b06307418d3855A25c248F4",
  rpcUrl: "https://arb-sepolia.g.alchemy.com/v2/YOUR_KEY",
  privateKey: "0xYOUR_PRIVATE_KEY", // placeholder: keep the real key out of source control
});

const bountyId = "BOUNTY_ID"; // placeholder: the ID of the bounty you are claiming
const hash = await bountyClient.claimBounty(bountyId);
console.log("Bounty claimed:", hash);

Or via the CLI:

multiverse bounty claim BOUNTY_ID

The escrowed tokens are transferred directly to your wallet.