Are audits enough, or should adversarial simulation be standard?

There’s an interesting gap between how we validate smart contract security and how these systems behave in adversarial environments.

Audits provide a structured review, but they’re still bounded by time and scope. What they often miss are emergent behaviors that only appear when systems are tested under realistic conditions.

We experimented with running contracts on a forked state and introducing automated adversarial exploration using tools like guardixio. Instead of reviewing logic statically, this approach tries to surface possible exploit paths dynamically.

Some of the findings weren’t obvious from code inspection alone, which raises questions about how we define “secure enough.”

Do you think adversarial simulation should become a standard part of protocol design, or remain an advanced practice?