Static analysis tool for Ethereum smart contracts. Paste a contract address, get a graded risk report (A-F) covering 30+ security patterns across 9 categories.
Stack: Python 3 · Etherscan API · regex · stdlib http.server
I kept seeing rug pulls where the risk patterns were obvious in hindsight: hidden mint functions, uncapped supply, admin keys with no timelock. I wanted a tool that would surface these statically before touching a contract. This scanner fetches verified source from Etherscan and runs it through a weighted scoring engine in seconds.
```
Etherscan API --> Scanner --> Scorer --> Report --> Markdown
   (source)      (patterns)  (grading)  (assembly)  (output)
```
- Fetch verified source code from Etherscan V2 API
- Detect proxy contracts (EIP-1967, UUPS, Transparent, Beacon) and fetch implementation source
- Scan all source files against 30+ regex patterns
- Score findings across 5 weighted dimensions into a letter grade
- Render a markdown report with findings, scores, and verdict
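The first two steps depend on getting the verified source into a uniform shape before any pattern runs over it. The following is an added example, not this project's `etherscan.py`; it assumes the shapes Etherscan's `getsourcecode` endpoint returns for the `SourceCode` field (a plain Solidity string, a standard-json document under a `sources` key, or that document wrapped in an extra pair of braces `{{ ... }}`) and the `Proxy` / `Implementation` fields the same response carries. The response and the implementation address below are constructed placeholders.

```python
import json
from typing import Any, Dict

# Placeholder implementation address for the constructed response (not a real deployment).
PLACEHOLDER_IMPL = "0x" + "11" * 20


def parse_source_field(source_code: str) -> Dict[str, str]:
    """Turn Etherscan's `SourceCode` string into {file name: Solidity source}.

    Shapes handled (an assumption about the endpoint, not taken from this
    project's code):
      1. a plain Solidity string (single-file verification)
      2. a JSON document with a "sources" key (standard-json input)
      3. shape 2 wrapped in one extra brace on each side, "{{ ... }}"
      4. a bare JSON mapping of file name -> {"content": ...}
    """
    text = source_code.strip()
    if text.startswith("{{") and text.endswith("}}"):
        text = text[1:-1]  # drop the extra outer braces, leaving valid JSON
    if not text.startswith("{"):
        return {"Contract.sol": source_code}
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError:
        # Starts with a brace but is not JSON: treat it as a single file.
        return {"Contract.sol": source_code}
    sources = parsed.get("sources", parsed)
    files: Dict[str, str] = {}
    for name, entry in sources.items():
        if isinstance(entry, dict) and "content" in entry:
            files[name] = entry["content"]
        elif isinstance(entry, str):
            files[name] = entry
        else:
            raise ValueError(f"unrecognised source entry for {name!r}")
    return files


def extract_verified_source(response: Dict[str, Any]) -> Dict[str, Any]:
    """Pull the fields a scanner needs out of a getsourcecode response.

    An empty SourceCode means the contract is not verified, so there is
    nothing to scan; Proxy == "1" flags a proxy whose implementation must
    be fetched separately (Implementation is empty when Etherscan has not
    resolved it).
    """
    if response.get("status") != "1" or not isinstance(response.get("result"), list):
        raise ValueError(f"Etherscan error: {response.get('result')}")
    entry = response["result"][0]
    if not entry.get("SourceCode"):
        raise ValueError("contract source is not verified on Etherscan")
    return {
        "name": entry.get("ContractName", ""),
        "files": parse_source_field(entry["SourceCode"]),
        "is_proxy": entry.get("Proxy") == "1",
        "implementation": entry.get("Implementation") or None,
    }


# Constructed response in the "{{ ... }}" multi-file shape (shape 3 above).
CONSTRUCTED_RESPONSE = {
    "status": "1",
    "message": "OK",
    "result": [{
        "ContractName": "Token",
        "Proxy": "1",
        "Implementation": PLACEHOLDER_IMPL,
        "SourceCode": "{" + json.dumps({
            "language": "Solidity",
            "sources": {
                "contracts/Token.sol": {"content": "pragma solidity ^0.8.0;\ncontract Token {}\n"},
                "contracts/Owned.sol": {"content": "pragma solidity ^0.8.0;\ncontract Owned {}\n"},
            },
        }) + "}",
    }],
}

if __name__ == "__main__":
    info = extract_verified_source(CONSTRUCTED_RESPONSE)
    print(f"{info['name']}: {len(info['files'])} file(s), proxy={info['is_proxy']}, "
          f"implementation={info['implementation']}")
    for fname in sorted(info["files"]):
        print("  -", fname)
```

When `is_proxy` is set, the files returned here belong to the proxy shell; the implementation address is what a second `getsourcecode` call should be made against so the scan covers the code that actually executes.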
| Category | What It Detects |
|---|---|
| Admin Privileges | onlyOwner, ownership transfer, admin setters |
| Upgradeability | Proxy patterns, delegatecall, upgrade functions |
| Mint/Supply | Mint functions, supply caps (positive signal) |
| Pause Mechanism | whenNotPaused, pause/unpause controls |
| Blacklist/Whitelist | Address blocking, freezing, whitelist gates |
| Self-Destruct | selfdestruct / suicide calls |
| Hidden Fees | Fee setters, buy/sell tax variables |
| Reentrancy | External calls, reentrancy guards (positive signal) |
| Hardcoded Addresses | Embedded addresses in contract logic |
| Dimension | Weight |
|---|---|
| Admin/Centralization | 30% |
| Upgradeability | 20% |
| Security Patterns | 20% |
| Mint/Supply | 15% |
| Transparency | 15% |
Weighted total maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F (under 40). Positive patterns like supply caps and reentrancy guards improve scores. Vyper contracts receive N/A since all patterns are Solidity-specific.
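The tables and the grading rule above fit together as a small pipeline: regex patterns produce findings, findings lower (or, for positive signals, raise) a per-dimension score, and the weighted sum of the five dimensions maps to a letter. The following is an added example, not this project's `scanner.py` or `scorer.py`. It uses the README's five dimension weights and grade thresholds as stated; the regexes, the per-pattern deductions, and the mapping of the nine categories onto the five dimensions are this example's own assumptions, and the two Solidity sources and the Vyper snippet are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Dimension weights as stated in the README (percent, kept as integers so the
# weighted total is computed without floating-point drift).
WEIGHTS = {
    "Admin/Centralization": 30,
    "Upgradeability": 20,
    "Security Patterns": 20,
    "Mint/Supply": 15,
    "Transparency": 15,
}

# (dimension, name, regex, deduction). A negative deduction is a positive
# signal that raises the dimension score. Pattern set and weights are this
# example's assumptions, not the project's.
PATTERNS = [
    ("Admin/Centralization", "onlyOwner modifier", re.compile(r"\bonlyOwner\b"), 10),
    ("Admin/Centralization", "ownership transfer", re.compile(r"\btransferOwnership\s*\("), 5),
    ("Admin/Centralization", "pause control", re.compile(r"\bwhenNotPaused\b|\bfunction\s+pause\s*\("), 5),
    ("Upgradeability", "delegatecall", re.compile(r"\bdelegatecall\s*\("), 15),
    ("Upgradeability", "upgrade function", re.compile(r"\bupgradeTo(?:AndCall)?\s*\("), 15),
    # keccak256("eip1967.proxy.implementation") - 1: the EIP-1967 implementation slot
    ("Upgradeability", "EIP-1967 implementation slot",
     re.compile(r"0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc", re.I), 10),
    ("Mint/Supply", "mint function", re.compile(r"\bfunction\s+_?mint\s*\("), 20),
    ("Mint/Supply", "supply cap (positive)", re.compile(r"\b(?:MAX_SUPPLY|maxSupply|cap)\b"), -10),
    ("Security Patterns", "selfdestruct", re.compile(r"\b(?:selfdestruct|suicide)\s*\("), 30),
    ("Security Patterns", "low-level external call", re.compile(r"\.call\{value:|\.call\.value\("), 10),
    ("Security Patterns", "reentrancy guard (positive)", re.compile(r"\bnonReentrant\b"), -10),
    ("Transparency", "blacklist/freeze", re.compile(r"\b(?:blacklist|isBlacklisted|frozen)\b", re.I), 15),
    ("Transparency", "fee/tax setter", re.compile(r"\bset(?:Buy|Sell)?(?:Fee|Tax)\s*\("), 10),
    ("Transparency", "hardcoded address", re.compile(r"\b0x[0-9a-fA-F]{40}\b"), 5),
]

# Vyper sources get N/A: every pattern above is Solidity-specific.
VYPER_MARKERS = re.compile(r"^\s*#\s*@version\b|^\s*@(?:external|internal|payable)\b", re.M)


@dataclass
class Finding:
    dimension: str
    name: str
    deduction: int
    file: str
    line: int


def is_vyper(files: Dict[str, str]) -> bool:
    return any(VYPER_MARKERS.search(src) for src in files.values())


def scan(files: Dict[str, str]) -> List[Finding]:
    """Record the first hit of each pattern in each file, with its line number."""
    findings = []
    for fname, src in files.items():
        for dimension, name, rx, deduction in PATTERNS:
            m = rx.search(src)
            if m:
                findings.append(Finding(dimension, name, deduction, fname, src.count("\n", 0, m.start()) + 1))
    return findings


def score_dimensions(findings: List[Finding]) -> Dict[str, int]:
    """Each dimension starts at 100; a pattern counts once however many files hit it."""
    scores = {d: 100 for d in WEIGHTS}
    seen = set()
    for f in findings:
        if f.name not in seen:
            seen.add(f.name)
            scores[f.dimension] -= f.deduction
    return {d: max(0, min(100, s)) for d, s in scores.items()}


def weighted_total(scores: Dict[str, int]) -> float:
    return sum(WEIGHTS[d] * scores[d] for d in WEIGHTS) / 100


def letter_grade(total: float) -> str:
    for threshold, letter in ((90, "A"), (75, "B"), (60, "C"), (40, "D")):
        if total >= threshold:
            return letter
    return "F"


def analyze(files: Dict[str, str]) -> dict:
    if is_vyper(files):
        return {"grade": "N/A", "total": None, "dimensions": {}, "findings": []}
    findings = scan(files)
    dims = score_dimensions(findings)
    total = weighted_total(dims)
    return {"grade": letter_grade(total), "total": total, "dimensions": dims, "findings": findings}


# Constructed samples: an admin-heavy token and a fixed-supply one.
RISKY_FILES = {"Token.sol": """pragma solidity ^0.8.0;
contract Token {
    address public owner;
    uint256 public sellTax;
    mapping(address => uint256) private _balances;
    mapping(address => bool) public isBlacklisted;
    modifier onlyOwner() { require(msg.sender == owner); _; }
    function mint(address to, uint256 amount) external onlyOwner { _balances[to] += amount; }
    function setSellTax(uint256 bps) external onlyOwner { sellTax = bps; }
    function kill() external onlyOwner { selfdestruct(payable(owner)); }
}
"""}
SAFE_FILES = {"FixedSupply.sol": """pragma solidity ^0.8.0;
contract FixedSupply {
    uint256 public constant MAX_SUPPLY = 1_000_000e18;
    mapping(address => uint256) private _balances;
    constructor() { _balances[msg.sender] = MAX_SUPPLY; }
    function withdraw() external nonReentrant {
        (bool ok, ) = msg.sender.call{value: 1}("");
        require(ok);
    }
}
"""}
VYPER_FILES = {"Vault.vy": "# @version 0.3.7\n@external\ndef deposit():\n    pass\n"}

if __name__ == "__main__":
    for label, files in (("risky", RISKY_FILES), ("safe", SAFE_FILES), ("vyper", VYPER_FILES)):
        r = analyze(files)
        print(f"{label}: grade {r['grade']} total {r['total']} {r['dimensions']}")
        for f in r["findings"]:
            print(f"  {f.file}:{f.line} [{f.dimension}] {f.name}")
```

Scoring once per pattern rather than once per match is deliberate: a contract with forty `onlyOwner` uses is not four times more centralised than one with ten, and per-match deductions would let line count, not design, drive the grade.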
```bash
pip install -r requirements.txt
```
Create a `.env` file:
```
ETHERSCAN_API_KEY=your_key_here
```
Free key at https://etherscan.io/apis (5 requests/sec on free tier).
```bash
python3 main.py 0xdAC17F958D2ee523a2206206994597C13D831ec7
```
Outputs a markdown report saved to `reports/`. Add `--json` for raw JSON output.
```bash
python3 web.py
```
Open http://localhost:8000. Paste any contract address, get a visual report with a color-coded grade.
```
main.py             CLI entry point
web.py              Web UI (built-in http.server, zero extra deps)
etherscan.py        Etherscan API client
scanner.py          Regex pattern engine
scorer.py           Weighted scoring engine
report.py           Pipeline orchestrator
markdown_report.py  Markdown renderer
```
- Static analysis only, cannot determine runtime behavior
- Pattern matching may produce false positives in benign contexts
- Does not analyze bytecode, transaction history, or off-chain governance
- Vyper contracts are detected but not scanned
- Proxy implementations may have been upgraded since scan time