Smart contract vulnerabilities have caused billions of dollars in losses across the DeFi ecosystem. Professional security audits cost $8,000–$50,000+ and take weeks — putting them out of reach for independent developers and small teams.
ContractScan exists to democratize smart contract security. We combine multiple industry-standard analysis engines with AI to deliver instant, actionable vulnerability reports — no setup, no CLI, no waiting.
Our goal: every Solidity developer should be able to check their code for known vulnerabilities before deployment, regardless of budget.
Three steps to a comprehensive vulnerability report.
1. Upload your Solidity source code or paste it directly into the scanner.
2. The static analysis engines and AI automatically scan your code for known vulnerability patterns.
3. Review your vulnerability report instantly, complete with SWC classification and remediation guidance.
Our ultimate goal: detect every vulnerability type ever exploited in production — using real-world case data, not just theoretical patterns.
Every vulnerability ever exploited in a production smart contract should be detectable — automatically, before deployment.
We are systematically collecting and indexing every documented DeFi exploit, professional audit finding, and vulnerability pattern to build the most comprehensive smart contract security intelligence database available. The goal is not just pattern matching — it is case-based detection: if a vulnerability caused a real loss, we track it, index it, and detect it.
A transparent look at how ContractScan detects smart contract vulnerabilities.
ContractScan runs 5 analysis engines in parallel, each using a different detection technique. Enterprise plans add Foundry Fuzz as a 6th engine. Findings reported by more than one engine are marked "confirmed" or higher according to the cross-engine confidence scoring below.
| Engine | Method | Plan | Detects |
|---|---|---|---|
| Slither | Static analysis + data flow | QuickScan | Reentrancy, access control, arithmetic, storage issues, 90+ core patterns |
| Semgrep | Pattern matching | QuickScan | Unchecked ERC20 transfers, tx.origin, reentrancy, floating pragma, oracle spot price |
| Mythril | Symbolic execution | Pro | Integer overflow, assertion violations, unprotected ether, SWC 37-category coverage |
| Aderyn | AST analysis | Pro | Centralization risks, unsafe casting, unused returns, storage issues, Cyfrin-maintained rules |
| Foundry Fuzz | Dynamic fuzz testing | Enterprise | Edge-case arithmetic, state-dependent bugs, invariant violations via randomized inputs |
| AI (LLM) | Code reasoning | Full Scan | Flash loan surfaces, oracle manipulation, MEV, governance attacks, proxy risks, ERC compliance |
Cross-engine confidence scoring:

- verified = different methodologies agree
- high confidence = 3+ engines
- confirmed = 2 engines
- likely = 1 static engine
- potential = AI-only
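The scoring ladder above, as an added example that is not ContractScan's own code: per-engine findings that name the same SWC id at the same location are merged, and the set of reporting engines is mapped to a confidence label. The methodology grouping (the four non-executing analyzers as "static", Foundry as "dynamic", the LLM as "ai") and the precedence between "verified" and the engine-count tiers are assumptions, since the page does not spell them out.

```python
from collections import defaultdict

# Methodology family per engine. ASSUMPTION: the page lists each engine's
# method but does not define how "different methodologies agree" is judged.
ENGINE_FAMILY = {
    "Slither": "static", "Semgrep": "static", "Mythril": "static",
    "Aderyn": "static", "Foundry Fuzz": "dynamic", "AI (LLM)": "ai",
}

def confidence_label(engines):
    """Label one finding from the set of engines that reported it.
    Assumed precedence, highest first: verified (2+ methodology families),
    high confidence (3+ engines), confirmed (2 engines),
    likely (single non-AI engine), potential (AI only)."""
    engines = set(engines)
    if not engines:
        raise ValueError("a finding needs at least one reporting engine")
    unknown = engines - set(ENGINE_FAMILY)
    if unknown:
        raise ValueError(f"unknown engine(s): {sorted(unknown)}")
    families = {ENGINE_FAMILY[e] for e in engines}
    if families == {"ai"}:
        return "potential"
    if len(engines) == 1:
        return "likely"
    if len(families) >= 2:
        return "verified"
    if len(engines) >= 3:
        return "high confidence"
    return "confirmed"

def aggregate(raw_findings):
    """Merge findings with the same (SWC id, location) across engines."""
    grouped = defaultdict(set)
    for f in raw_findings:
        grouped[(f["swc"], f["location"])].add(f["engine"])
    return [
        {"swc": swc, "location": loc, "engines": sorted(engs),
         "confidence": confidence_label(engs)}
        for (swc, loc), engs in sorted(grouped.items())
    ]

# Constructed sample output from several engines on one hypothetical contract.
SAMPLE_FINDINGS = [
    {"engine": "Slither",  "swc": "SWC-107", "location": "Vault.withdraw"},
    {"engine": "Semgrep",  "swc": "SWC-107", "location": "Vault.withdraw"},
    {"engine": "Mythril",  "swc": "SWC-107", "location": "Vault.withdraw"},
    {"engine": "Slither",  "swc": "SWC-104", "location": "Vault.sweep"},
    {"engine": "AI (LLM)", "swc": "SWC-104", "location": "Vault.sweep"},
    {"engine": "Aderyn",   "swc": "SWC-115", "location": "Vault.setOwner"},
    {"engine": "AI (LLM)", "swc": "SWC-107", "location": "Vault.claim"},
]

if __name__ == "__main__":
    for r in aggregate(SAMPLE_FINDINGS):
        print(f'{r["confidence"]:16} {r["swc"]} {r["location"]} {r["engines"]}')
```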
Engine availability depends on the smart contract language. Solidity contracts receive full multi-engine analysis, while Rust/Near contracts are currently analyzed by the AI engine only.
| Engine | Solidity (.sol) | Rust/Near (.rs) |
|---|---|---|
| Slither | ✓ Supported | — Not available |
| Semgrep | ✓ Supported | — Not available |
| Mythril | ✓ Supported | — Not available |
| Aderyn | ✓ Supported | — Not available |
| Foundry Fuzz | ◎ Enterprise | — Not available |
| AI (LLM) | ✓ Supported | ✓ Supported |
Rust/Near support is AI-powered analysis — the AI engine reasons about code patterns, access control, storage safety, and Near-specific risks. Static analysis engine support for Rust is on our roadmap.
| Category | Examples | SWC Reference |
|---|---|---|
| Reentrancy | State changes after external calls, ERC777/ERC1155 callbacks, cross-function reentrancy | SWC-107 |
| Access Control | Unprotected functions, tx.origin misuse, missing modifiers | SWC-105, SWC-115 |
| Arithmetic | Overflow/underflow, division before multiply, precision loss | SWC-101 |
| Flash Loans / DeFi | AMM spot price as oracle, single-block price manipulation, MEV sandwich exposure | DeFiHackLabs patterns |
| Denial of Service | Failed call loops, msg.value in loops, block gas limit | SWC-113, SWC-128 |
| Randomness | Predictable PRNG sources (block.timestamp, blockhash) | SWC-120, SWC-116 |
| Upgrade / Proxy Safety | Unprotected upgrade functions, storage collision, uninitialized implementation | SWC-118 |
| Low-level Calls | Unchecked return values, dangerous delegatecall, hardcoded gas | SWC-104, SWC-112, SWC-134 |
| Signature Security | Signature malleability, replay attacks, missing nonce/chainId | SWC-117, SWC-121 |
| State Management | Uninitialized storage, variable shadowing, incorrect inheritance | SWC-109, SWC-119, SWC-125 |
| Code Quality | Self-destruct usage, deprecated functions, unused variables, hash collisions | SWC-106, SWC-111, SWC-131, SWC-133 |
| Privacy | Unencrypted private data on-chain | SWC-136 |
Findings are aggregated from public audit reports, competitive auditing platforms, and on-chain post-mortems, and updated daily.
ContractScan automatically collects and indexes real-world DeFi security incidents and professional audit findings from 7 public threat feeds to keep detection patterns current with emerging attack vectors.
We'd love to hear from you — whether it's feedback, partnership inquiries, or support questions.
Email: contractscan.raccoonworld@gmail.com
Website: contract-scanner.raccoonworld.xyz
⚠️ Important: ContractScan is a pre-audit screening tool. Results should be treated as a preliminary check only and do not constitute a professional security audit.
Always obtain a professional security audit before deploying smart contracts that manage significant value.