Third-Party Notices — ContractScan
This file lists every third-party component integrated into ContractScan, ordered by
license risk tier. It satisfies attribution requirements for all OSS licenses and
serves as the canonical offer-of-source notice for AGPL/GPL components.
Isolation note: All external analysis engines are invoked as sandboxed subprocess
CLI tools via bwrap (bubblewrap). ContractScan does not link against, import, or
distribute their source code. This constitutes "mere aggregation" under the GPL/AGPL
definitions — ContractScan's proprietary source code is NOT subject to copyleft
requirements as a result of this architecture. We nonetheless provide full attribution
and offer-of-source links below as a conservative compliance measure.
Red Tier — AGPL-3.0 / GPL components (subprocess-isolated, offer-of-source required)
Slither — Smart Contract Static Analyzer
- Author: Trail of Bits
- License: GNU Affero General Public License v3.0 (AGPL-3.0)
- Source / Offer-of-Source: https://github.com/crytic/slither
- License text: https://www.gnu.org/licenses/agpl-3.0.html
- Usage: Invoked as a subprocess CLI tool via sandboxed bwrap execution. Not
imported as a Python library. No AGPL copyleft obligation propagates to ContractScan
under the aggregation doctrine.
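The isolation note above and the Slither entry both describe the same mechanism: the analysis engine runs as a separate process inside a bubblewrap (bwrap) sandbox rather than being imported. The following is an added example, not ContractScan's own code, of what such an invocation looks like: it builds a bwrap command line that gives the tool a read-only view of the host system and of the contract directory, a private /tmp, no network and no shared namespaces, and then runs it. The bwrap path, the mount point name /work, the slither flags and the job directory are assumptions for illustration.

```python
"""Added example (not ContractScan's code): run an analysis CLI such as slither
as a bwrap-isolated subprocess.

Assumptions: bwrap is at /usr/bin/bwrap (BWRAP below), the tool binary and any
compiler it needs are reachable under the read-only bound host paths, and the
contract to analyze sits in a directory that is mounted read-only at /work.
"""
import shutil
import subprocess
from typing import List

BWRAP = "/usr/bin/bwrap"          # assumed bubblewrap location
SANDBOX_DIR = "/work"             # assumed mount point for the contract directory


def build_bwrap_argv(tool_argv: List[str], contract_dir: str) -> List[str]:
    """Return the full argv that runs ``tool_argv`` inside a bwrap sandbox.

    The sandbox gets: all host namespaces unshared (including network), the
    host's /usr and /etc read-only so the tool and its interpreter can run,
    the contract directory read-only at SANDBOX_DIR, a private tmpfs /tmp,
    fresh /proc and /dev, and a cleared environment.
    """
    argv = [
        BWRAP,
        "--unshare-all",           # new user, pid, mount, uts, ipc and net namespaces
        "--die-with-parent",       # the tool dies if the scanner process exits
        "--new-session",           # detach from the controlling terminal
        "--clearenv",              # do not leak the scanner's environment (tokens, keys)
        "--setenv", "PATH", "/usr/local/bin:/usr/bin:/bin",
        "--setenv", "HOME", "/tmp",
        "--proc", "/proc",
        "--dev", "/dev",
        "--tmpfs", "/tmp",
        "--ro-bind", "/usr", "/usr",
        "--ro-bind", "/etc", "/etc",
        # On non-merged-usr hosts these are real directories; on merged-usr
        # hosts they are symlinks into /usr. "--ro-bind-try" skips missing ones.
        "--ro-bind-try", "/bin", "/bin",
        "--ro-bind-try", "/lib", "/lib",
        "--ro-bind-try", "/lib64", "/lib64",
        # The contract directory is the only user-controlled content and it is
        # read-only: the tool cannot modify what the scanner later reads.
        "--ro-bind", contract_dir, SANDBOX_DIR,
        "--chdir", SANDBOX_DIR,
        "--",
    ]
    return argv + list(tool_argv)


def slither_argv(contract_file: str) -> List[str]:
    """Slither command that emits its findings as JSON on stdout."""
    return ["slither", contract_file, "--json", "-"]


def run_sandboxed(tool_argv: List[str], contract_dir: str,
                  timeout_s: int = 300) -> subprocess.CompletedProcess:
    """Execute the tool in the sandbox; output is captured, never a shell."""
    if shutil.which(BWRAP) is None:
        raise RuntimeError("bwrap not found; refusing to run the tool unsandboxed")
    argv = build_bwrap_argv(tool_argv, contract_dir)
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout_s, check=False)


if __name__ == "__main__":
    # Example job directory (assumed) holding the user-submitted contract.
    result = run_sandboxed(slither_argv("Token.sol"), "/srv/contractscan/jobs/job1")
    print(result.returncode)
    print(result.stdout[:2000])
```

Because the tool's stdout is the only channel back to the scanner, the scanner parses that output as untrusted data; the sandbox prevents the tool (or a malicious contract that triggers a tool bug) from touching the host filesystem, the network, or the scanner's environment variables.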
Aderyn — Rust-Based Solidity AST Analyzer
4naly3er — Solidity Static Analyzer
solmate — Solidity Library
- Author: Transmissions11 / Rari Capital
- License: AGPL-3.0-only
- Source / Offer-of-Source: https://github.com/transmissions11/solmate
- License text: https://www.gnu.org/licenses/agpl-3.0.html
- Usage: Vendored as a reference / import-resolution library for static analysis
only. The Solidity source files are not compiled into or distributed with ContractScan.
They are used solely to resolve imports when analyzing user-submitted contracts.
solodit_content — Audit Findings Database
- Author: Solodit / Cyfrin
- License: GNU Affero General Public License v3.0 (AGPL-3.0)
- Source / Offer-of-Source: https://github.com/solodit/solodit_content
- License text: https://www.gnu.org/licenses/agpl-3.0.html
- Usage: ContractScan's audit_intel.py collector fetches Markdown audit reports via
the GitHub public API. Only structured metadata (finding title, severity, brief
description excerpt ≤ 600 chars, impact excerpt ≤ 300 chars) is stored in
data/audit_findings_db.json. Full report bodies are not mirrored or redistributed.
Attribution is displayed on all pages that surface these findings.
@uniswap/v2-core — Uniswap V2 Core Contracts
@uniswap/v2-periphery — Uniswap V2 Periphery Contracts
@uniswap/v3-periphery — Uniswap V3 Periphery Contracts
Yellow Tier — LGPL / Attribution-required components
Semgrep — Pattern-Matching Static Analysis Engine
- Author: Semgrep, Inc.
- License: GNU Lesser General Public License v2.1 (LGPL-2.1)
- Source / Offer-of-Source: https://github.com/semgrep/semgrep
- License text: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
- Usage: Invoked as a subprocess CLI tool. Not linked or imported. LGPL-2.1
obligations are satisfied by subprocess invocation.
- Rules: All Semgrep rules shipped with ContractScan are original works licensed
under MIT (src/scanner/rules/semgrep/custom/LICENSE). ContractScan does NOT use
the Semgrep-rules repository (Semgrep Rules License v1.0 — prohibited in SaaS) or
the Decurity/semgrep-smart-contracts rules (CC BY-NC-SA 4.0 — non-commercial only).
forge-std — Foundry Standard Library
Green Tier — Permissive licenses (MIT / BSD / BUSL reference use)
Mythril — Symbolic Execution Security Analysis
Anthropic Python SDK
OpenAI Python SDK
Google Generative AI Python SDK
@openzeppelin/contracts (v5, v4, v3) — OpenZeppelin Smart Contract Library
@openzeppelin/contracts-upgradeable (v5, v4) — OpenZeppelin Upgradeable Library
solady — Optimized Solidity Snippets
@aave/core-v3 — Aave V3 Core Contracts
- Author: Aave Labs
- License: BUSL-1.1 (Business Source License)
- Source: https://github.com/aave/aave-v3-core
- Usage: Vendored as reference library for import resolution during static analysis.
BUSL-1.1 permits non-production use. Solely used for import resolution, not deployed.
@chainlink/contracts — Chainlink Smart Contracts
@uniswap/v3-core — Uniswap V3 Core Contracts
Threat Intelligence Sources
ContractScan's audit_intel.py and c4_sherlock_intel.py collectors fetch publicly
available audit finding metadata from the following sources. Only brief excerpts
(titles, severity, short descriptions) are stored. Full report bodies are not mirrored.
| Source | Repository | License / Terms | What we store |
|---|---|---|---|
| Solodit (Cyfrin) | solodit/solodit_content | AGPL-3.0 | Title, severity, ≤600-char description, ≤300-char impact |
| Code4rena | code-423n4 org | CC0 (warden findings) / Proprietary (consolidated reports) | Title, severity, brief excerpt from individual warden findings only |
| Sherlock | sherlock-audit org | Public GitHub repositories | Title, severity, brief excerpt from public finding files |
| DeFiHackLabs | SunWeb3Sec/DeFiHackLabs | MIT | Incident title, date, brief description |
| SCV-List | sirhashalot/SCV-List | Public | Vulnerability pattern metadata |
Attribution is displayed alongside every finding surfaced from these sources.
Last updated: 2026-04-27. Maintained by Raccoon World.