---
title: Smart Contract Security Scanner
emoji: 🔒
colorFrom: yellow
colorTo: blue
sdk: docker
pinned: false
license: mit
---
Smart Contract Security Scanner
Question
Can we make a first-pass Solidity security review transparent and educational?
System Boundary
This Streamlit Space is a rule-based audit assistant: it pattern-matches Solidity source text and reports what it finds. It is not a compiler, symbolic executor or formal verifier, and its output should not be the sole basis for a deployment decision.
Method
The app scans Solidity source code for high-signal patterns: an external value transfer followed by a storage write (the reentrancy shape), tx.origin used for authorization, delegatecall, state changes that emit no event, and low-level calls. Each finding includes the evidence line, a severity, the reason the pattern is risky, and a remediation.
Technique
This is static-analysis triage over source text: rules search for patterns that correlate with common vulnerability classes, without compiling the contract or reasoning about its control flow.
The method is deliberately interpretable: each rule has an ID, an evidence span, a severity, a reason, and a fix.
Output
The app returns a risk score, finding table, severity breakdown, and extension notes.
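The pipeline the Method, Technique and Output sections describe, as an added Python example (not the Space's own app.py): pattern rules over Solidity source text, findings with rule ID, evidence line, severity, reason and fix, a risk score and a severity breakdown. The rule IDs, severity weights and the sample contract are assumptions constructed for the illustration; the function-splitting, state-variable detection and comment stripping are deliberately simple heuristics, which is exactly why a finding is a prompt to look, not a verdict.

```python
"""Rule-based Solidity triage: each finding carries a rule ID, evidence line, severity, reason
and fix; a scan yields a risk score and severity breakdown. Added illustration, not app.py."""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "rule_id line evidence severity reason fix")
SEVERITY_WEIGHT = {"high": 10, "medium": 5, "low": 2}  # assumed weights; score capped at 100

# Single-line rules: (id, pattern, severity, reason, fix). Rule IDs are assumed.
LINE_RULES = [
    ("SOL-001", re.compile(r"\btx\.origin\b"), "high",
     "tx.origin authorization: a relaying contract can make a victim's transaction pass the check",
     "authorize on msg.sender, not tx.origin"),
    ("SOL-002", re.compile(r"\.delegatecall\s*\("), "high",
     "delegatecall runs callee code against this contract's storage",
     "restrict the target to a trusted implementation and guard who can call it"),
    ("SOL-003", re.compile(r"\.call\s*(?:\{[^}]*\})?\s*\("), "medium",
     "low-level call to arbitrary code whose bool result is easy to ignore",
     "check the returned bool and prefer typed interface calls"),
]
VALUE_TRANSFER = re.compile(r"\.call\s*\{\s*value\s*:|\.transfer\s*\(|\.send\s*\(")
STATE_DECL = re.compile(  # contract-level declaration: type, visibility/mutability, name
    r"^\s*(mapping\s*\([^;]*\)|address|bool|string|u?int\d*|bytes\d*)\s+"
    r"(?:(?:public|private|internal|constant|immutable)\s+)*(\w+)\s*(?:=[^;]*)?;")


def split_functions(lines):
    """(start, end) 0-based inclusive line index per function, found by brace counting."""
    spans, i = [], 0
    while i < len(lines):
        if re.search(r"\bfunction\s+\w+", lines[i]):
            depth, opened, j = 0, False, i
            while j < len(lines):
                depth += lines[j].count("{") - lines[j].count("}")
                opened = opened or "{" in lines[j]
                if opened and depth == 0:
                    break
                j += 1
            spans.append((i, j))
            i = j + 1
        else:
            i += 1
    return spans


def scan(src):
    lines = [re.sub(r"//.*", "", ln) for ln in src.splitlines()]  # drop // comments, keep numbering
    findings = [Finding(rid, i + 1, t.strip(), sev, why, fix) for i, t in enumerate(lines)
                for rid, pat, sev, why, fix in LINE_RULES if pat.search(t)]
    spans = split_functions(lines)
    in_func = {k for a, b in spans for k in range(a, b + 1)}
    decls = [STATE_DECL.match(t) for k, t in enumerate(lines) if k not in in_func]
    state = {m.group(2): m.group(1) for m in decls if m}  # state var name -> declared type
    # name, name[...] or name[...][...] followed by =, += or -= (but not ==)
    writes = {n: re.compile(rf"\b{re.escape(n)}\b\s*(?:\[[^\]]*\])*\s*(?:\+=|-=|=(?!=))") for n in state}
    for a, b in spans:
        body = range(a, b + 1)
        has_emit = any("emit " in lines[x] for x in body)
        for k in body:
            # SOL-004: privileged address slot changed with no event for off-chain monitors to see
            for name, typ in state.items():
                if typ == "address" and not has_emit and writes[name].search(lines[k]):
                    findings.append(Finding("SOL-004", k + 1, lines[k].strip(), "low",
                        f"state address '{name}' changed without emitting an event",
                        "emit an event on every privileged change"))
            # SOL-005: storage written after an external value transfer (checks-effects-interactions violated)
            if VALUE_TRANSFER.search(lines[k]):
                later = [x for x in body if x > k and any(p.search(lines[x]) for p in writes.values())]
                if later:
                    findings.append(Finding("SOL-005", k + 1, lines[k].strip(), "high",
                        f"storage written on line {later[0] + 1} after the value transfer on this line",
                        "update storage before the external call, or add a reentrancy guard"))
    return findings


def risk_score(findings):
    return min(100, sum(SEVERITY_WEIGHT[f.severity] for f in findings))


def severity_breakdown(findings):
    return dict(Counter(f.severity for f in findings))


# Constructed sample input: one tx.origin check, one privileged write without an event,
# one low-level value transfer that precedes the balance update.
SAMPLE = """\
contract Vault {
    address public owner;
    mapping(address => uint256) public balances;

    function setOwner(address newOwner) public {
        require(tx.origin == owner);
        owner = newOwner;
    }

    function withdraw() public {
        uint256 amt = balances[msg.sender];
        (bool ok, ) = msg.sender.call{value: amt}("");  // external call before the balance update
        require(ok);
        balances[msg.sender] = 0;
    }
}
"""
```

Running `scan(SAMPLE)` yields four findings (SOL-001 at line 6, SOL-003 and SOL-005 at line 12, SOL-004 at line 7), a risk score of 27 and a breakdown of two high, one medium, one low. Moving `balances[msg.sender] = 0;` above the call removes SOL-005 while SOL-003 stays, which is the point of keeping the low-level-call rule separate from the reentrancy rule: the first is a prompt to check the return value, the second is about ordering.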
Why It Matters
Security tools should teach the reader what was detected and why. Transparent rules are a useful baseline before adding model-based triage.
What To Notice
A finding is not automatically a vulnerability. It is a reason to inspect a line of code more carefully.
Effect In Practice
Rule-based triage can catch obvious risks early, create labeled examples for training, and provide context for a model-based security assistant.
Hugging Face Extension
The Space can publish vulnerable and fixed Solidity snippets as a Dataset and compare rule-based, LLM-based, and hybrid scanners.
Limitations
Rule-based scanners miss vulnerabilities that have no textual signature (business-logic and arithmetic errors, for example) and flag safe code that happens to match a pattern (a guarded external call still looks like one). Production auditing should combine static analysis, tests, formal methods, expert review, and model-assisted explanation.
Run Locally
pip install -r requirements.txt
streamlit run app.py