Lost in Translation? Measuring Language-Conditioned Detection-Rate Gaps in AI Code Auditors on Spanish- and Portuguese-Surface Codebases

Michael Moffett

We test whether AI code auditors catch planted security bugs less reliably when a codebase's comments and docstrings are in Spanish, Portuguese, or code-switched Spanish/English instead of English — using ground-truth planted-bug twins from the public Exploit→Invariant Atlas, where the paired clean twin acts as a built-in false-positive control. Across three auditor models, the two frontier models (Claude Sonnet 4.5 and GPT-4o) stay fully robust in every language, while the open-weight Llama 3.3 70B shows an early code-switched detection drop and GPT-4o over-flags false positives on code-switched comments. On this small sample it's a directional signal, not a settled benchmark — but it's a tier-stratified AI-safety gap directly relevant to Latin-American teams running these tools on Spanish/Portuguese code.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

The paper is technically detailed and carefully documented, but the presentation assumes substantial prior knowledge of smart-contract auditing and blockchain security. The extensive use of domain-specific terminology may make the work difficult for a broader AI safety audience to follow. Much of the discussion focuses on implementation details and evaluation infrastructure, which can make the central AI safety question difficult to identify. A clearer motivation, simpler framing, and greater emphasis on the practical implications of the findings would improve accessibility and strengthen the overall presentation.

- Very well written and very clear.

- Methodology well explained and well defined.

- Limitations are clearly presented. The number of twins is very low to draw conclusions, but it can serve as a basis for future research. With such a small number, no real conclusions can be drawn.

- Some sections of the results could be better explained or summarized.

The problem it addresses is that of errors which an auditor might make when working with code in Spanish and Portuguese, given that the existing auditors are native English speakers. Methodologically, it is sound and interesting. Its proposed analysis of the model’s effort and laziness is particularly interesting. The governance issue is significant and focuses on the financial sector in Latin America; however, it is difficult to grasp as it gets lost in a technical argument. My recommendation to the authors is that they present a non-technical approach and formulation of the problem and subsequently develop it along those lines. Otherwise, they run the risk of the reader losing sight of the scope of their proposal in terms of governance. Another observation is that, whilst the authors appear to be familiar with the jargon and issues within the scope of their proposal—which is not necessarily the case—the reader may feel lost as to what DeFi, Cashio, Loopscale, Mango Markets and zkLend actually mean. These terms are not explained until the end of the text. This makes it difficult to grasp the ideas.

This is a very clean, well‑scoped measurement that does exactly what it claims: it turns a vague multilingual safety divide concern into a concrete, reproducible eval harness for language-conditioned code auditing, with a carefully controlled translation pipeline and a clear separation between capability issues and language effects via the effort-quality classifier. The cross-model story is especially useful for practitioners since it shows frontier models maintaining 100% detection while an open-weight model exhibits the first signs of CS-sensitivity, and it does so without overclaiming beyond an N=4 twin sample. The main limitations are the small N per cell and partial open-weight coverage mean that the single CS MISS and GPT‑4o’s CS false positives should be treated as flags rather than stable effects, and the same‑family Claude‑judges‑Claude setup leaves some residual concern about scorer bias. A natural next step would be to (i) expand the twin set across more bug classes and VMs, (ii) re‑run the harness with an independent judge (or a small human‑judged subset) to bound any same‑family scoring advantage, and (iii) add at least one more open‑weight family and a quantized deployment to see whether the emerging CS gap at the open‑weight tier persists under more realistic LatAm self‑hosting conditions.

This is a work that addresses a question with genuine practical relevance and does so with a level of methodological care that is notable. The experimental design is thoughtfully assembled, the scope is honestly communicated throughout, and the transparency around what can and cannot be concluded from the available evidence is one of the paper's strongest qualities. The research direction is original and the framing around deployment context adds a layer of real-world relevance that gives the contribution meaning beyond the immediate results.

Where the work naturally invites further development is in the relationship between the strength of the methodology and the weight of the evidence it currently produces. The findings are directional rather than conclusive, which the paper itself acknowledges clearly and consistently, and that honesty is appreciated. A future iteration with a broader empirical base would be well positioned to turn what is currently a promising signal into a more substantive claim, and the groundwork laid here would support that effort effectively.

The writing is precise and the structure is easy to follow, which reflects well on the overall presentation. There are moments where some condensation would improve the reading flow, as a few sections carry ideas that overlap with others nearby, but these are minor observations in an otherwise clean document. The paper reads as the work of someone who understands both the subject and the limits of what a study at this scale can responsibly assert, and that combination is genuinely valuable.

Cite this work

@misc {

title={

(HckPrj) Lost in Translation? Measuring Language-Conditioned Detection-Rate Gaps in AI Code Auditors on Spanish- and Portuguese-Surface Codebases

},

author={

Michael Moffett

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.