Demo: Sample Scan Result

See what ContractScan finds — no login or file upload required.

📊 Scan Results

VulnerableVault.sol · 3 finding(s) · Demo

Findings

Critical ⚡⚡ · Verified · Reentrancy vulnerability in withdraw() (slither, mythril, semgrep) (SWC-107)
The withdraw() function sends ETH to the caller before updating the balance (a Checks-Effects-Interactions violation). Because the external call hands control to the caller's fallback while the balance is still unchanged, a malicious fallback can re-enter withdraw() and repeat the transfer until the contract is drained. Vulnerable pattern detected:
function withdraw() public {
    (bool ok,) = msg.sender.call{value: balances[msg.sender]}("");
    require(ok);
    balances[msg.sender] = 0;  // ← updated AFTER external call
}
Fix (Checks-Effects-Interactions pattern):
function withdraw() public {
    uint amount = balances[msg.sender];
    balances[msg.sender] = 0;  // ← update state FIRST
    (bool ok,) = msg.sender.call{value: amount}("");
    require(ok);
}
⚡ 3 real-world DeFi hacks using this pattern (The DAO $60M, Euler Finance $197M, Cream Finance $130M)
High ⚡ · Confirmed · Missing access control on emergencyWithdraw() (slither, semgrep) (SWC-105)
The emergencyWithdraw() function has no onlyOwner or other access modifier, so any address can call it and drain all funds from the contract.
Medium · Likely · Unchecked return value from low-level call (SWC-104)
The return value of call() is not consistently validated across all code paths. Where it is ignored, a failed ETH transfer does not revert and execution silently continues as if the transfer had succeeded.
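As an added example (not the demo's VulnerableVault.sol and not ContractScan's own code), a hypothetical HardenedVault that addresses all three findings above in one contract: CEI ordering in withdraw(), an onlyOwner restriction on emergencyWithdraw(), and a checked result on every low-level call. The nonReentrant mutex is an extra defence-in-depth layer beyond the CEI fix shown in the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical hardened vault (added example, not the demo's VulnerableVault.sol).
// It addresses the three findings above: CEI ordering (SWC-107), owner-only
// emergencyWithdraw (SWC-105) and checked low-level call results (SWC-104).
contract HardenedVault {
    address public immutable owner;
    mapping(address => uint256) public balances;
    bool private locked; // mutex: defence in depth on top of CEI

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Checks -> Effects -> Interactions: the balance is zeroed before the
    // external call, so a re-entering fallback sees 0 and cannot withdraw twice.
    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];            // Checks
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                         // Effects
        (bool ok, ) = msg.sender.call{value: amount}(""); // Interactions
        require(ok, "ETH transfer failed");               // SWC-104: check result
    }

    // SWC-105: only the deployer may sweep funds; the call result is checked too.
    function emergencyWithdraw() external onlyOwner nonReentrant {
        (bool ok, ) = owner.call{value: address(this).balance}("");
        require(ok, "ETH transfer failed");
    }
}
```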

⚠️ Detection Limitations (outside what static analysis can detect)

  • Flash loan / economic attacks
  • Business logic errors specific to your protocol
  • Price oracle manipulation
  • Governance / social engineering attacks
Important Note: This is a demo report using a hardcoded example contract. Scan your own contracts at the scanner.


Try scanning your own contract

1 free scan — no signup required

Upload Your Contract →