Terms of Service

Last updated: March 25, 2026

Plain-language summary: ContractScan is a developer tool for catching common smart contract bugs early — think of it as a spell-checker for Solidity, not a professional auditor. We work hard to give you accurate, useful results. What we cannot do is guarantee security for production deployments. These terms explain those boundaries clearly.

1. Service Description

ContractScan ("the Service") is an automated, AI-assisted static analysis tool that scans Solidity smart contract source code for known vulnerability patterns. The Service is provided by a sole proprietorship registered in the Republic of Korea and is accessible globally via the internet.

2. Scope — Pre-Audit Screening, Not a Security Audit

ContractScan is a pre-audit screening tool. It is designed to help developers catch common, well-catalogued vulnerability classes before they reach a professional auditor — not to replace one.

This distinction matters in practice. The DeFi ecosystem has experienced hundreds of millions of dollars in losses from vulnerabilities that were not detected by automated tools alone — including business logic errors, flash loan attack vectors, oracle manipulation, and cross-protocol interaction exploits. These are classes of issues that require human auditors with full protocol context.

Our results do not constitute a certification, warranty, or guarantee of smart contract security. For any contract that will manage real funds, we strongly recommend a professional audit from a qualified firm (Trail of Bits, OpenZeppelin, Halborn, Code4rena, etc.) in addition to using this Service.

3. Our Commitments to You

While we limit liability for what we cannot control, we actively commit to:

  • Accurately representing what the Service can and cannot detect (see Methodology)
  • Processing your code ephemerally — it is never stored or used for training
  • Keeping our vulnerability database updated with publicly known patterns
  • Providing clear severity ratings and remediation guidance with every finding
  • Notifying users of any material changes to how the Service works

4. Disclaimer of Warranties

The Service is provided "as is" and "as available" without warranties of any kind, whether express or implied, including implied warranties of merchantability, fitness for a particular purpose, and non-infringement. This is standard for automated security tooling globally — even enterprise-grade SAST tools (Checkmarx, Veracode, Semgrep) carry equivalent disclaimers.

Specifically, we do not warrant that:

  • The Service will detect all vulnerabilities present in your code
  • Analysis results are complete, accurate, or free from false positives or false negatives
  • A clean scan result means your smart contract is secure for deployment

5. Limitation of Liability

To the maximum extent permitted by applicable law, the Service provider will not be liable for indirect, incidental, special, consequential, or punitive damages — including financial losses arising from deployment of smart contracts — resulting from your use of or reliance on the Service.

This limitation reflects the fundamental nature of automated security tools: no static analyzer can guarantee the absence of vulnerabilities. Courts in multiple jurisdictions (including the U.S., EU, and Republic of Korea) have consistently upheld equivalent limitations for software security tools, provided the limitation is clearly disclosed — which we are doing here.

Our total liability for direct damages, if any, shall not exceed the amount you paid for the Service in the twelve (12) months preceding the claim. If you have not paid (free tier), our liability is limited to re-performing the affected scan.

6. Code Handling & Data Security

  • Uploaded source code is processed in an isolated, ephemeral environment and is not retained after analysis
  • Temporary files are securely deleted upon completion of each scan
  • Source code is transmitted to AI model providers solely for analysis; it is subject to their respective privacy policies and is not used for model training under their enterprise terms
  • Session metadata (scan counts, timestamps) may be retained for rate limiting and service operation

7. BYOK (Bring Your Own Key)

When using the BYOK feature to provide your own AI model API key:

  • Your key is used for that single request only and is not stored by the Service
  • You are responsible for your key's security and any associated API costs
  • BYOK is available only over HTTPS connections

8. Acceptable Use

You agree not to use the Service to:

  • Upload malicious code intended to compromise the analysis infrastructure
  • Circumvent rate limits or otherwise abuse the Service
  • Facilitate activities that are illegal under the laws of the Republic of Korea or your home jurisdiction
  • Attempt to reverse-engineer the Service's internal systems

9. Governing Law & Dispute Resolution

These Terms are governed by the laws of the Republic of Korea (including the Act on the Consumer Protection in Electronic Commerce). For users accessing the Service from within the European Union, nothing in these Terms limits rights you may have under applicable EU consumer protection law. For users in other jurisdictions, your local mandatory consumer protection laws may apply where they cannot be contractually waived.

We encourage resolving disputes informally first — please contact us before initiating formal proceedings. For disputes that cannot be resolved informally, the parties agree to the exclusive jurisdiction of the courts of the Republic of Korea, except where applicable law requires otherwise.

10. Changes to Terms

We may update these Terms from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will provide notice via the Service. Continued use of the Service after changes become effective constitutes acceptance of the revised Terms.