Demo: Sample Scan Result

See what ContractScan finds — no login or file upload required.

📊 Scan Results

VulnerableVault.sol · 3 finding(s) · Demo

Findings

Critical: Reentrancy vulnerability in withdraw() (SWC-107)
The withdraw() function sends ETH to the caller before updating the balance (a Checks-Effects-Interactions violation). Because balances[msg.sender] is still non-zero while the external call is in progress, a malicious contract's fallback can re-enter withdraw() and repeat the transfer until the contract is drained. Vulnerable pattern detected:
function withdraw() public {
    (bool ok,) = msg.sender.call{value: balances[msg.sender]}("");
    require(ok);
    balances[msg.sender] = 0;  // ← updated AFTER external call
}
Fix (Checks-Effects-Interactions pattern):
function withdraw() public {
    uint amount = balances[msg.sender];
    balances[msg.sender] = 0;  // ← update state FIRST
    (bool ok,) = msg.sender.call{value: amount}("");
    require(ok);
}
⚡ 3 real-world DeFi hacks using this pattern (The DAO $60M, Euler Finance $197M, Cream Finance $130M)
High: Missing access control on emergencyWithdraw() (SWC-105)
The emergencyWithdraw() function has no onlyOwner or access modifier. Any address can drain all funds from the contract.
Medium: Unchecked return value from low-level call (SWC-104)
The return value of call() is not validated on every code path. A failed ETH transfer on an unchecked path silently continues execution instead of reverting.
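The three findings above are all pattern-level checks, so they can be illustrated with a small, line-based detector. The following Python script is an added example written for this page; it is not ContractScan's or Slither's code, and the two contracts it scans (a constructed VulnerableVault and a constructed HardenedVault) are embedded here as sample input. Its heuristics are deliberately simple: SWC-107 is flagged when a storage write follows an external call inside the same function, SWC-105 when a function sends the whole contract balance with no onlyOwner modifier or owner check, and SWC-104 when a low-level call's success flag is not captured or never checked. A real analyzer works on the compiled IR rather than on source text, so this is a teaching aid for the three patterns, not a substitute for a scan.

```python
"""Toy line-based checker for SWC-107, SWC-105 and SWC-104 (added example, not a real tool)."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample inputs: the vulnerable pattern from the report and a hardened version.
VULNERABLE_VAULT = """
pragma solidity ^0.8.0;
contract VulnerableVault {
    mapping(address => uint) public balances;
    address public owner;
    constructor() { owner = msg.sender; }
    function deposit() public payable {
        balances[msg.sender] += msg.value;
    }
    function withdraw() public {
        (bool ok,) = msg.sender.call{value: balances[msg.sender]}("");
        require(ok);
        balances[msg.sender] = 0;
    }
    function emergencyWithdraw() public {
        msg.sender.call{value: address(this).balance}("");
    }
}
"""

HARDENED_VAULT = """
pragma solidity ^0.8.0;
contract HardenedVault {
    mapping(address => uint) public balances;
    address public owner;
    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner); _; }
    function deposit() public payable {
        balances[msg.sender] += msg.value;
    }
    function withdraw() public {
        uint amount = balances[msg.sender];
        balances[msg.sender] = 0;
        (bool ok,) = msg.sender.call{value: amount}("");
        require(ok);
    }
    function emergencyWithdraw() public onlyOwner {
        (bool ok,) = msg.sender.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}
"""


@dataclass
class Finding:
    swc: str
    severity: str
    function: str
    message: str


FUNC_RE = re.compile(r"function\s+(\w+)\s*\(")
TYPE_KEYWORDS = ("uint", "int", "bool", "address", "bytes", "string")


def extract_functions(source: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (name, header, body) for every function, using brace matching for the body."""
    for m in FUNC_RE.finditer(source):
        open_idx = source.index("{", m.end())
        header = source[m.start():open_idx]  # visibility and modifiers live here
        depth, i = 0, open_idx
        while i < len(source):
            if source[i] == "{":
                depth += 1
            elif source[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        yield m.group(1), header, source[open_idx + 1:i]


def is_state_write(line: str) -> bool:
    """Heuristic: an assignment that is not a local declaration or tuple destructuring."""
    s = line.strip()
    if s.startswith(TYPE_KEYWORDS) or s.startswith("("):
        return False
    return re.match(r"^[\w.]+(\[[^\]]*\])*\s*([-+*/]?=)[^=]", s) is not None


def check(source: str) -> List[Finding]:
    findings: List[Finding] = []
    for name, header, body in extract_functions(source):
        lines = [l for l in body.splitlines() if l.strip()]
        call_idx = [i for i, l in enumerate(lines) if ".call" in l]
        # SWC-107: storage is written after the external call (CEI violation).
        for ci in call_idx:
            if any(is_state_write(l) for l in lines[ci + 1:]):
                findings.append(Finding("SWC-107", "Critical", name, "state updated after external call"))
                break
        # SWC-105: whole-balance transfer with neither a modifier nor an inline owner check.
        if ("address(this).balance" in body and "onlyOwner" not in header
                and "msg.sender == owner" not in body):
            findings.append(Finding("SWC-105", "High", name, "sends contract balance without access control"))
        # SWC-104: success flag of a low-level call not captured, or captured but never checked.
        for ci in call_idx:
            m = re.search(r"\(\s*bool\s+(\w+)", lines[ci])
            checked = bool(m) and any(
                f"require({m.group(1)}" in l or f"if (!{m.group(1)}" in l for l in lines[ci + 1:])
            if not checked:
                findings.append(Finding("SWC-104", "Medium", name, "return value of low-level call not checked"))
    return findings


if __name__ == "__main__":
    for label, src in (("VulnerableVault", VULNERABLE_VAULT), ("HardenedVault", HARDENED_VAULT)):
        print(f"{label}: {len(check(src))} finding(s)")
        for f in check(src):
            print(f"  {f.severity:8} {f.swc} in {f.function}(): {f.message}")
```

Running it reports the same three findings the demo shows for the vulnerable contract (SWC-107 in withdraw(), SWC-105 and SWC-104 in emergencyWithdraw()) and nothing for the hardened one, where the balance is zeroed before the call, emergencyWithdraw() carries onlyOwner, and every call's success flag is passed to require().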

⚠️ Detection Limitations

Static analysis of the contract source does not detect the following classes of issues:
  • Flash loan / economic attacks
  • Business logic errors specific to your protocol
  • Price oracle manipulation
  • Governance / social engineering attacks
Disclaimer: This is a demo report using a hardcoded example contract. Scan your own contracts at the scanner.

Static analysis powered by Slither (© Trail of Bits, AGPL-3.0)

Try scanning your own contract

3 free scans — no signup required

Upload Your Contract →