Frequently Asked Questions
ContractScan is a Solidity smart contract security analysis tool. It runs 4 static analysis engines — Slither, Mythril, Semgrep, and Aderyn — plus AI analysis simultaneously, and shows results from each engine separately.
Yes. QuickScan is free and requires no login. You get unlimited Slither + Semgrep analysis at no cost.
Full multi-engine analysis (up to 6 engines), CI/CD integration, and GitHub Action are available on the paid Pro plan ($59/mo).
Ethereum, Polygon, Arbitrum, Optimism, Base, BSC, Avalanche — 7 chains supported.
Slither alone misses vulnerability types that Mythril, Semgrep, and Aderyn detect. Each engine uses a different analysis methodology, and one engine often catches what another misses.
Setting up Slither locally also requires solc version management and dependency installation — typically 30+ minutes of setup. ContractScan runs up to 6 engines instantly from a single URL.
General-purpose LLMs hallucinate frequently and have limitations in accurate vulnerability detection. ContractScan uses static analysis engine results (Slither, Mythril, etc.) as a foundation, and AI provides supplementary analysis on top. The AI doesn't judge alone — it explains and suggests fixes based on facts detected by the engines.
No. ContractScan is a pre-audit screening tool. It's ideal for catching obvious vulnerabilities before a formal audit. Due to the nature of automated tools, some complex vulnerabilities (like business logic bugs) may not be detected.
Every report includes a disclaimer: "AI-assisted pre-check tool — not a substitute for professional audits."
Yes. MythX shut down in 2026, but ContractScan includes the open-source Mythril engine (MythX's core). You can check Mythril analysis results immediately with no extra setup.
It appears when 2 or more engines independently detect the same vulnerability. These findings have higher confidence and lower false-positive rates than single-engine detections.
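As an added illustration of the cross-engine consensus described above (example code written here, not ContractScan's own implementation): each engine's rule identifier is mapped onto a shared vulnerability class, findings are clustered by file and nearby line, and a cluster is flagged as consensus only when two or more distinct engines report it. The rule-id mapping table, the three-line window and the sample findings are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Map each engine's own rule id onto a shared vulnerability class so that
# different engines can be compared. Illustrative assumptions, not
# ContractScan's real mapping table.
RULE_CLASS = {
    ("slither", "reentrancy-eth"): "reentrancy",
    ("mythril", "SWC-107"): "reentrancy",
    ("semgrep", "solidity.reentrancy"): "reentrancy",
    ("aderyn", "reentrancy"): "reentrancy",
    ("slither", "tx-origin"): "tx-origin-auth",
    ("semgrep", "solidity.tx-origin"): "tx-origin-auth",
}

@dataclass(frozen=True)
class Finding:
    engine: str
    rule: str
    file: str
    line: int

def _summarize(file, cls, cluster):
    engines = sorted({f.engine for f in cluster})
    return {"file": file, "class": cls, "line": cluster[0].line,
            "engines": engines, "consensus": len(engines) >= 2}

def consensus(findings, window=3):
    """Group findings by (file, class), merge those within `window` lines
    of each other, and mark a group as consensus when >= 2 distinct engines
    reported it. Unmapped rule ids keep an engine-specific class, so they
    can never be merged with another engine's output."""
    buckets = defaultdict(list)
    for f in findings:
        cls = RULE_CLASS.get((f.engine, f.rule), f"{f.engine}:{f.rule}")
        buckets[(f.file, cls)].append(f)
    merged = []
    for (file, cls), group in buckets.items():
        group.sort(key=lambda f: f.line)
        cluster = [group[0]]
        for f in group[1:]:
            if f.line - cluster[-1].line <= window:
                cluster.append(f)
            else:
                merged.append(_summarize(file, cls, cluster))
                cluster = [f]
        merged.append(_summarize(file, cls, cluster))
    return merged

# Constructed sample findings (not real engine output): three engines agree on
# a reentrancy at Vault.sol:42-44, plus two single-engine detections.
SAMPLE = [
    Finding("slither", "reentrancy-eth", "Vault.sol", 42),
    Finding("mythril", "SWC-107", "Vault.sol", 44),
    Finding("aderyn", "reentrancy", "Vault.sol", 43),
    Finding("slither", "reentrancy-eth", "Vault.sol", 120),
    Finding("semgrep", "solidity.tx-origin", "Admin.sol", 17),
]
```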
Compared to competitors (SolidityScan $199.99/mo), this is roughly 1/3 the price.
QuickScan is permanently free. If Pro ($59/mo) is too much, use Pay-Per-Scan ($4.99/scan) on demand.
Considering that formal security audits cost thousands of dollars, using ContractScan to eliminate obvious vulnerabilities upfront can reduce overall audit costs.
It depends on whether you are logged in. For anonymous scans (no login), source code is processed ephemerally and deleted immediately after analysis — we never retain it. For registered users, source code is stored securely to enable scan history and rescan features. You can delete your scan history at any time from your dashboard.
Yes. The Enterprise plan supports BYOK (Bring Your Own Key) — use your own Anthropic/OpenAI API key so you control the exact path your code takes to AI services.
Add this to your workflow:
# .github/workflows/security.yml (step inside a job's steps: list)
- name: ContractScan Security Check
  uses: contractscan/action@v1
  with:
    api-key: ${{ secrets.CONTRACTSCAN_API_KEY }}
    path: contracts/
Scans run automatically on each PR, and vulnerabilities appear as inline comments.
Yes. We provide both a REST API and an MCP server:
POST /quickscan — free, no auth needed
POST /ci/scan — see CI/CD docs
POST /scan — requires Pro API key
contractscan-mcp — scan directly from LLM agents like Claude Code
Please let us know via the feedback form, Discord #support channel, or GitHub Issues. During Beta we respond on a best-effort basis.
Audit firms interested in using the ContractScan API for initial screening are welcome to inquire about partnership opportunities via the contact page.