Terms of Service

Last updated: April 3, 2026

Plain-language summary: ContractScan is a developer tool for catching common smart contract bugs early — think of it as a spell-checker for Solidity, not a professional auditor. We work hard to give you accurate, useful results. What we cannot do is guarantee security for production deployments. These terms explain those boundaries clearly.

1. Service Description

ContractScan ("the Service") is an automated, multi-engine smart contract security analysis platform that scans Solidity source code for known vulnerability patterns. The Service supports multiple blockchain networks, including Ethereum, Polygon, Arbitrum, Optimism, Base, BSC, and Avalanche. The Service combines multiple independent static analysis engines — including Slither (AGPL-3.0, Trail of Bits), Aderyn (GPL-3.0, Cyfrin), Semgrep, and Mythril — with AI-powered code review to provide cross-engine validated findings. The Service is provided by Raccoon World, a sole proprietorship registered in the Republic of Korea, and is accessible globally via the internet.

2. Scope — Pre-Audit Screening, Not a Security Audit

ContractScan is a pre-audit screening tool. It is designed to help developers catch common, well-catalogued vulnerability classes before they reach a professional auditor — not to replace one.

No Financial Advice: Analysis results are for technical informational purposes only and do not constitute financial, investment, or legal advice. A scan result (whether positive or negative) should not be used as a basis for investment decisions. We are not responsible for any financial losses incurred from investments in contracts analyzed by the Service.

This distinction matters in practice. The DeFi ecosystem has experienced hundreds of millions of dollars in losses from vulnerabilities that were not detected by automated tools alone — including business logic errors, flash loan attack vectors, oracle manipulation, and cross-protocol interaction exploits. These are classes of issues that require human auditors with full protocol context.

No Asset Recovery: The Service does not provide asset recovery services. In the event of a smart contract exploit or loss of funds, we have no ability or obligation to recover, freeze, or return assets.

Our results do not constitute a certification, warranty, or guarantee of smart contract security. For any contract that will manage real funds, we strongly recommend a professional audit from a qualified firm (Trail of Bits, OpenZeppelin, Halborn, Code4rena, etc.) in addition to using this Service.

2.5 Third-Party Service Dependencies

ContractScan relies on third-party services (AI model APIs, payment processing, blockchain explorers) that are outside our direct control. We do not guarantee the availability, accuracy, or uptime of these external services.

  • AI API Downtime: If a third-party AI provider (Anthropic, Google, OpenAI) experiences an outage, scan results may be delayed or degraded. We will make reasonable efforts to restore functionality promptly but are not liable for interruptions caused by third-party provider failures.
  • Extended Outage: If an AI API outage exceeds 4 consecutive hours and prevents completion of a paid scan, you may request a credit or refund for the affected scan via our feedback form.
  • Blockchain Explorers: For scans initiated by contract address, we rely on third-party explorers (Etherscan, Polygonscan, etc.) to fetch source code. We are not responsible for inaccuracies or unavailability of code from these sources.
  • Payment Processing: Our order process is conducted by our online reseller Paddle.com. Paddle.com is the Merchant of Record for all our orders. Paddle handles all customer service inquiries and returns. We are not responsible for payment failures, delays, or errors caused by the payment provider or your financial institution. Disputed charges should be raised with Paddle directly.
  • Scheduled Maintenance: Planned maintenance windows are excluded from uptime commitments. We will provide advance notice when possible.

2.7 Trials and Promotional Offers

We may offer free trials or promotional access to Pro features (e.g., the "3-Day Pro Trial" for new visitors during Open Beta). Trial accounts are subject to these Terms, including any usage limits or expiration dates specified in the offer. We reserve the right to modify or terminate trials at any time without prior notice.

3. Our Commitments to You

While we limit liability for what we cannot control, we actively commit to:

  • Accurately representing what the Service can and cannot detect (see Methodology)
  • Handling your code responsibly — anonymous scans process code without storage; registered users' code is stored securely for scan history; your code is never used for AI training
  • Keeping our vulnerability database updated with publicly known patterns
  • Providing clear severity ratings and remediation guidance with every finding
  • Notifying users of any material changes to how the Service works

4. Warranty Exclusions

The Service is provided "as is" and "as available" without warranties of any kind, whether express or implied, including implied warranties of merchantability, fitness for a particular purpose, and non-infringement. This is standard for automated security tooling globally — even enterprise-grade SAST tools (Checkmarx, Veracode, Semgrep) carry equivalent disclaimers.

Specifically, we do not warrant that:

  • The Service will detect all vulnerabilities present in your code
  • Analysis results are complete, accurate, or free from false positives or false negatives
  • A clean scan result means your smart contract is secure for deployment

4.5 Third-Party AI Model & Security Score Limitations

ContractScan uses third-party AI models (Google Gemini, Anthropic Claude, OpenAI GPT) to generate analysis reports and an automated Security Score (0-100) to provide a high-level security assessment. These systems may produce inaccurate, incomplete, or misleading results, including but not limited to:

  • Automated Metrics: The Security Score and Grade (A-F) are purely automated metrics based on detected patterns and cross-engine confidence. They do not represent a definitive judgment on the contract's actual security and should not be used as a guarantee of safety.
  • False positives (flagging code that is not actually vulnerable)
  • False negatives (failing to detect real vulnerabilities)
  • Incorrect severity assessments or remediation suggestions
  • Hallucinated vulnerability patterns or references

We do not warrant the accuracy of AI-generated analysis or the Security Score. These outputs are provided as supplementary information alongside static analysis findings and should not be relied upon as the sole basis for security decisions.

Sole Remedy: If an AI model produces a materially defective report for a paid scan, your exclusive remedy is a re-scan using an alternative AI provider (where available) or a credit for a future scan. Liability for AI model errors shall not exceed the amount paid for the specific scan that produced the error.

5. Limitation of Liability

To the maximum extent permitted by applicable law, the Service provider will not be liable for indirect, incidental, special, consequential, or punitive damages — including financial losses arising from deployment of smart contracts — resulting from your use of or reliance on the Service.

This limitation reflects the fundamental nature of automated security tools: no static analyzer can guarantee the absence of vulnerabilities. Courts in multiple jurisdictions (including the U.S., EU, and Republic of Korea) have consistently upheld equivalent limitations for software security tools, provided the limitation is clearly disclosed — which we are doing here.

Our total liability for direct damages, if any, shall not exceed the amount you paid for the Service in the twelve (12) months preceding the claim. If you have not paid (free tier), our liability is limited to re-performing the affected scan.

6. Code Handling, Data Security & International Transfer (PIPA Notice)

  • Anonymous scans (no login): Source code is processed in an isolated, ephemeral environment and is not retained after analysis
  • Registered users: Source code is stored securely to enable scan history and rescan features; you can delete your scan history at any time from your dashboard
  • Temporary files are securely deleted upon completion of each scan
  • Session metadata (scan counts, timestamps) may be retained for rate limiting and service operation

International Data Transfer Notice (PIPA Article 22 / GDPR Article 46):
Your smart contract source code is transmitted to the following third-party AI service providers for analysis purposes. These providers operate servers located in the United States.

  • Anthropic Claude API — servers located in the United States. Your code is subject to Anthropic's Privacy Policy and is not used for model training under their enterprise API terms.
  • Google Gemini API — servers located in the United States. Your code is subject to Google's Privacy Policy and is not used for model training under their API terms.
  • OpenAI GPT API — servers located in the United States. Your code is subject to OpenAI's Privacy Policy and is not used for model training under their API terms.

By submitting a scan, you explicitly consent to this international transfer of your source code outside the Republic of Korea (and, where applicable, the European Economic Area). If you do not consent, do not use the Service. You will also be asked to confirm this consent interactively before your first scan.

For EU users: international transfers rely on the AI providers' Standard Contractual Clauses (SCC) as the legal transfer mechanism.

7. BYOK (Bring Your Own Key)

When using the BYOK feature to provide your own AI model API key:

  • Your key is used for that single request only and is not stored by the Service
  • You are responsible for your key's security and any associated API costs
  • BYOK is available only over HTTPS connections

8. Acceptable Use

You agree not to use the Service to:

  • Upload malicious code intended to compromise the analysis infrastructure
  • Circumvent rate limits or otherwise abuse the Service
  • Facilitate activities that are illegal under the laws of the Republic of Korea or your home jurisdiction
  • Attempt to reverse-engineer the Service's internal systems

9. Governing Law & Dispute Resolution

These Terms are governed by the laws of the Republic of Korea (including the Act on the Consumer Protection in Electronic Commerce). For users accessing the Service from within the European Union, nothing in these Terms limits rights you may have under applicable EU consumer protection law. For users in other jurisdictions, your local mandatory consumer protection laws may apply where they cannot be contractually waived.

We encourage resolving disputes informally first — please contact us before initiating formal proceedings. For disputes that cannot be resolved informally, the parties agree to the exclusive jurisdiction of the courts of the Republic of Korea, except where applicable law requires otherwise.

10. Refund & Cancellation

Full details are available on our Refund & Cancellation Policy page. Key points:

  • 14-Day Refund Window: You may request a full refund within 14 days of purchase for any reason.
  • Subscriptions: Cancel any time; access continues through the end of the current billing period.
  • Service Failures: If a scan fails due to a Service error, we will either re-run the scan or issue a refund.

Refund requests are processed through Paddle, our Merchant of Record. Contact Paddle support or use our feedback form to initiate a refund.

11. Open Source Components

ContractScan uses the following open source tools in its analysis pipeline:

  • Slither — smart contract static analyzer by Trail of Bits, licensed under the GNU Affero General Public License v3.0 (AGPL-3.0). Slither is invoked as a subprocess CLI tool; its source code is not bundled with or distributed as part of ContractScan.
  • Aderyn — Rust-based Solidity AST analyzer by Cyfrin, licensed under the GNU General Public License v3.0 (GPL-3.0). Aderyn is invoked as a subprocess CLI tool; its source code is not bundled with or distributed as part of ContractScan.
  • Semgrep — pattern-matching engine; ContractScan's custom Semgrep rules are MIT-licensed.
  • Mythril — symbolic execution engine by ConsenSys, MIT-licensed.

Full license texts are available on our Open Source Licenses page and on the respective project pages linked above.

12. Changes to Terms

We may update these Terms from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will provide notice via the Service and, where you have registered an email address with us, by email to the address associated with your account. Continued use of the Service after changes become effective constitutes acceptance of the revised Terms.