FAQ

Frequently Asked Questions and Answers


Basic Questions

What is ContractScan? #

ContractScan is a security analysis tool for Solidity smart contracts. It runs four analysis engines in parallel: Slither (static analysis over an intermediate representation of the contract), Mythril (symbolic execution of the compiled bytecode), Semgrep (pattern-based rules over the source), and Aderyn (a Rust-based static analyzer), plus an AI analysis pass, and presents each engine's results separately rather than collapsing them into a single list.

Is it free? #

Yes. QuickScan is free and requires no login. You get unlimited Slither + AI analysis at no cost.

Full five-engine analysis (all four analyzers plus AI), CI/CD integration, and the GitHub Action are available on the paid Pro plan ($59/mo).

Which chains are supported? #

Ethereum, Polygon, Arbitrum, Optimism, Base, BSC, Avalanche — 7 chains supported.

Features & Technical Questions

I can use Slither directly — why use ContractScan? #

Slither alone misses vulnerability classes that Mythril, Semgrep, and Aderyn detect. Each engine uses a different methodology (Slither reasons over an intermediate representation of the source, Mythril symbolically executes the bytecode, Semgrep matches syntactic patterns), so one engine often catches what another misses, and agreement between engines is itself useful signal.

Setting up Slither locally also requires solc version management and dependency installation — typically 30+ minutes of setup. ContractScan runs all 5 engines instantly from a single URL.

ChatGPT/Claude can also analyze contracts — how is this different? #

General-purpose LLMs can hallucinate vulnerabilities that are not there and miss ones that are, so on their own they are not a reliable detector. ContractScan uses the static analysis engine results (Slither, Mythril, etc.) as the foundation, and the AI provides supplementary analysis on top. The AI does not judge alone: it explains the findings and suggests fixes based on facts the engines detected.

Can it replace a formal security audit? #

No. ContractScan is a pre-audit screening tool. It's ideal for catching obvious vulnerabilities before a formal audit. Due to the nature of automated tools, some complex vulnerabilities (like business logic bugs) may not be detected.

Every report includes a disclaimer: "AI-assisted pre-check tool — not a substitute for professional audits."

I was using MythX — can I migrate? #

Yes. MythX shut down in 2026, but ContractScan includes the open-source Mythril engine (MythX's core). You can check Mythril analysis results immediately with no extra setup.

What is the "Confirmed" badge? #

It appears when two or more engines independently detect the same vulnerability at the same location. These findings have higher confidence and a lower false-positive rate than single-engine detections. Treat the badge as a prioritization signal rather than a verdict: a single-engine finding can still be real, and a finding every engine flags can still be a shared false positive on a pattern all of them match.
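To make the idea concrete, here is an added illustration (not ContractScan's own code) of the cross-engine correlation behind a "Confirmed" badge, plus the kind of CI gate a team might build on it. The finding list, the mapping of engine check ids onto shared bug classes, and the severity table are constructed sample data: the Slither detector names and SWC numbers are real identifiers, while the Semgrep and Aderyn ids are placeholders, and the same location is taken to mean the same file with line numbers within two lines of each other.

```python
"""Cross-engine correlation of Solidity findings and a CI gate on the result.
Added example with constructed data; not ContractScan's implementation."""
from dataclasses import dataclass, field

# Assumed mapping from engine-specific check ids to a shared bug class.
# Slither ids and SWC numbers are real; the Semgrep/Aderyn ids are placeholders.
CATEGORY_MAP = {
    ("slither", "reentrancy-eth"): "reentrancy",
    ("mythril", "SWC-107"): "reentrancy",
    ("semgrep", "solidity.security.reentrancy"): "reentrancy",
    ("aderyn", "reentrancy-state-change"): "reentrancy",
    ("slither", "tx-origin"): "tx-origin-auth",
    ("mythril", "SWC-115"): "tx-origin-auth",
    ("slither", "unchecked-lowlevel"): "unchecked-call",
}

# Assumed severity per bug class, consumed by the gate below.
SEVERITY = {"reentrancy": "high", "tx-origin-auth": "medium", "unchecked-call": "low"}
RANK = {"low": 1, "medium": 2, "high": 3}

LINE_TOLERANCE = 2  # engines anchor the same bug on slightly different lines


@dataclass
class Finding:
    engine: str
    check: str
    file: str
    line: int


@dataclass
class Merged:
    category: str
    file: str
    line: int
    engines: set = field(default_factory=set)

    @property
    def confirmed(self) -> bool:
        """Two or more independent engines agree on class and location."""
        return len(self.engines) >= 2


def correlate(findings):
    """Group raw findings: same bug class, same file, lines within tolerance."""
    merged = []
    for f in findings:
        category = CATEGORY_MAP.get((f.engine, f.check))
        if category is None:
            category = f"{f.engine}:{f.check}"  # unmapped check stays engine-specific
        for m in merged:
            if (m.category == category and m.file == f.file
                    and abs(m.line - f.line) <= LINE_TOLERANCE):
                m.engines.add(f.engine)
                break
        else:
            merged.append(Merged(category, f.file, f.line, {f.engine}))
    return merged


def gate(merged, fail_on="high"):
    """CI policy: fail the build on confirmed findings at or above `fail_on`;
    single-engine findings are surfaced as warnings but do not fail the build."""
    threshold = RANK[fail_on]
    failures = [m for m in merged if m.confirmed
                and RANK[SEVERITY.get(m.category, "low")] >= threshold]
    warnings = [m for m in merged if not m.confirmed]
    return failures, warnings


# Constructed sample output from four engines over two contracts.
SAMPLE = [
    Finding("slither", "reentrancy-eth", "contracts/Vault.sol", 42),
    Finding("mythril", "SWC-107", "contracts/Vault.sol", 44),
    Finding("semgrep", "solidity.security.reentrancy", "contracts/Vault.sol", 43),
    Finding("slither", "tx-origin", "contracts/Vault.sol", 17),
    Finding("slither", "unchecked-lowlevel", "contracts/Vault.sol", 60),
    Finding("mythril", "SWC-107", "contracts/Token.sol", 10),
]

if __name__ == "__main__":
    results = correlate(SAMPLE)
    for m in results:
        tag = "CONFIRMED" if m.confirmed else "single-engine"
        print(f"{tag:14} {m.category:18} {m.file}:{m.line} {sorted(m.engines)}")
    failures, warnings = gate(results)
    print(f"gate: {len(failures)} blocking, {len(warnings)} warnings")
```

On the sample data, the Vault.sol reentrancy reported by three engines on lines 42 to 44 collapses into one confirmed finding that blocks the build, while the tx.origin check, the unchecked low-level call, and the Mythril-only reentrancy in Token.sol are kept as warnings for a human to triage.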

Pricing

How much does Pro cost? #

  • QuickScan: Free, unlimited (Slither + AI)
  • Pay-Per-Scan: $11.90/scan (all 5 engines)
  • Pro: $59/month (unlimited full-engine scans + CI/CD API + GitHub Action)

Compared to competitors (SolidityScan $199.99/mo), this is roughly 1/3 the price.

It's too expensive. #

QuickScan is permanently free. If Pro ($59/mo) is too much, use Pay-Per-Scan ($11.90/scan) on demand.

Considering that formal security audits cost thousands of dollars, using ContractScan to eliminate obvious vulnerabilities upfront can reduce overall audit costs.

Security & Privacy

Is my contract code stored? #

No. Source code submitted for scanning is deleted immediately after analysis; we do not store or share it. Note that the AI analysis step does send the code to an external model provider during the scan (see the BYOK question below if you need to control which provider and key that goes through).

Can I use my own AI key on the Enterprise plan? #

Yes. The Enterprise plan supports BYOK (Bring Your Own Key) — use your own Anthropic/OpenAI API key so you control the exact path your code takes to AI services.

CI/CD & Integration

How do I use the GitHub Action? #

Add this to your workflow:

# .github/workflows/security.yml
on: [pull_request]
jobs:
  contractscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: ContractScan Security Check
        uses: contractscan/action@v1
        with:
          api-key: ${{ secrets.CONTRACTSCAN_API_KEY }}
          path: contracts/

With this trigger, scans run automatically on each pull request, and detected vulnerabilities appear as inline review comments on the PR. Store the API key as a repository or organization secret (CONTRACTSCAN_API_KEY above) rather than in the workflow file.

Can I integrate directly via API? #

Yes. We provide both a REST API and an MCP server:

  • REST API: POST /api/scan
  • MCP: contractscan-mcp — scan directly from LLM agents like Claude Code

Misc

I found a bug or have feedback. #

Please let us know via the feedback form, Discord #support channel, or GitHub Issues. During Beta we respond on a best-effort basis.

I'm an audit firm interested in a partnership. #

Audit firms interested in using the ContractScan API for initial screening are welcome to inquire about partnership opportunities via the contact page.

Have a question not listed here? Reach out via Feedback or Contact.