Deploy Smart Contract Security Scanner
64a1c9c verified
---
title: Smart Contract Security Scanner
emoji: 🔒
colorFrom: yellow
colorTo: blue
sdk: docker
pinned: false
license: mit
---
# Smart Contract Security Scanner
## Question
Can we make a first-pass Solidity security review transparent and educational?
## System Boundary
This Streamlit Space is a rule-based audit assistant. It is not a formal verifier and should not be used as the sole basis for deployment decisions.
## Method
The app scans Solidity source code for high-signal patterns such as reentrancy-shaped value transfers, `tx.origin` authorization, `delegatecall`, missing events, and low-level calls. Each finding includes evidence, severity, reason, and remediation.
## Technique
This is static-analysis triage. Rules search source code for patterns that correlate with common vulnerability classes.
The method is deliberately interpretable: each rule has an ID, evidence span, severity, reason, and fix.
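As an added illustration of the rule shape described above (example code, not the Space's own scanner), here is a minimal line-rule engine run over a constructed Solidity snippet: each rule yields an ID, evidence span, severity, reason and fix, and a cross-line heuristic flags reentrancy-shaped transfers; the rule IDs, regex patterns and severity weights are assumptions.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule_id line evidence severity reason fix")  # page's finding shape
# Single-line rules as (id, pattern, severity, reason, fix). IDs, patterns and
# weights are assumptions for this example, not the Space's own rule catalogue.
LINE_RULES = [
    ("TX_ORIGIN", r"tx\.origin", "high",
     "tx.origin authorization is bypassable through an intermediary contract",
     "Authorize on msg.sender instead"),
    ("DELEGATECALL", r"\.delegatecall\s*\(", "high",
     "delegatecall runs callee code in this contract's storage context",
     "Restrict the target to a trusted, immutable implementation"),
    ("LOW_LEVEL_CALL", r"\.call\s*[{(]", "medium",
     "Low-level call forwards gas and does not revert on failure by itself",
     "Check the returned bool and guard against reentrancy"),
]
WEIGHT = {"high": 3, "medium": 2, "low": 1}  # assumed weights for the headline score
def scan(source: str) -> list:
    """Apply every rule to each line; return findings carrying the evidence span."""
    lines, found = source.splitlines(), []
    for i, text in enumerate(lines):
        for rule_id, pat, sev, reason, fix in LINE_RULES:
            m = re.search(pat, text)
            if m:
                found.append(Finding(rule_id, i + 1, m.group(0), sev, reason, fix))
        # Reentrancy-shaped transfer: an external value call followed by a storage
        # write before the enclosing block closes (a cross-line heuristic).
        if re.search(r"\.call\s*\{\s*value\s*:", text):
            for j in range(i + 1, len(lines)):
                if lines[j].strip().startswith("}"):
                    break
                if re.search(r"\w+\[[^\]]*\]\s*(?:-=|\+=|=(?!=))", lines[j]):
                    found.append(Finding("REENTRANCY", j + 1, lines[j].strip(), "high",
                                         "State is written after an external value transfer",
                                         "Write state before the call or add a reentrancy guard"))
                    break
    return found
def risk_score(findings) -> int:
    return sum(WEIGHT[f.severity] for f in findings)

# Constructed sample contract exercising three of the rules above.
SAMPLE = """contract Vault {
    mapping(address => uint256) public balances; address owner;
    function withdraw(uint256 amount) public {
        require(tx.origin == owner);
        (bool ok, ) = msg.sender.call{value: amount}("");
        balances[msg.sender] -= amount;
    }
}"""
```

Running `scan(SAMPLE)` yields three findings (TX_ORIGIN on line 4, LOW_LEVEL_CALL on line 5, REENTRANCY on line 6) for a risk score of 8; moving the balance update above the call removes the REENTRANCY finding.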
## Output
The app returns a risk score, finding table, severity breakdown, and extension notes.
## Why It Matters
Security tools should teach the reader what was detected and why. Transparent rules are a useful baseline before adding model-based triage.
## What To Notice
A finding is not automatically a vulnerability. It is a reason to inspect a line of code more carefully.
## Effect In Practice
Rule-based triage can catch obvious risks early, create labeled examples for training, and provide context for a model-based security assistant.
## Hugging Face Extension
The Space can publish vulnerable and fixed Solidity snippets as a Dataset and compare rule-based, LLM-based, and hybrid scanners.
## Limitations
Rule-based scanners miss many vulnerabilities and can produce false positives. Production auditing should combine static analysis, tests, formal methods, expert review, and model-assisted explanation.
## Run Locally
```bash
pip install -r requirements.txt
streamlit run app.py
```