The #1 AI-Powered Smart Contract Auditor for GitHub CI/CD
⚡ From install to first vulnerability caught in < 60 seconds.
Web3 Security · DeFi Auditor · Reentrancy Scanner · Flash Loan Defense · Solana CPI Security · Foundry Fuzzing · Smart Contract Security Bot · Gas Optimizer · MEV Protection · Slither GitHub Action · Automated Bug Bounty
| Problem | Our Solution |
|---|---|
| 🐛 Manual audits cost $50,000+ and take weeks | ⚡ Instant automated scanning on every Pull Request |
| 🔇 Slither alone generates 60%+ false positives | 🤖 AI Validator suppresses false positives with 99% accuracy |
| ⛽ Gas inefficiencies waste thousands of $ in deployments | 📊 AST Gas Optimizer finds exact savings per line |
| 🔗 No unified tool for EVM + Solana + Fuzz testing | 🌐 Multi-chain engine — Solidity, Rust, and Foundry in one |
| 💳 Web3 devs hate credit card paywalls | 💎 Hybrid billing — Pay with USDC or Stripe |
| Feature | 🆓 Free | 💎 PRO (Web3 Indie) | 🏢 Enterprise (B2B) |
|---|---|---|---|
| AST-Based Structural Analysis | ✅ | ✅ | ✅ |
| Inline PR Bot Comments | ✅ | ✅ | ✅ |
| Foundry Fuzz Testing | ✅ | ✅ | ✅ |
| Solana / Rust Native Scanning | ✅ | ✅ | ✅ |
| Deep AI Logical Flaw Detection | ❌ | ✅ | ✅ |
| False-Positive Suppression (99%) | ❌ | ✅ | ✅ |
| AST Gas Optimization Engine | ❌ | ✅ | ✅ |
| Reentrancy & Flash Loan Defense | ❌ | ✅ | ✅ |
| Payment | Free Forever | Metered x402 (USDC) | Fiat / Stripe |
Drop one of these templates into .github/workflows/audit.yml in your repository.
Best for open-source projects wanting basic AST structural analysis without AI/Gas features.

```yaml
name: "Web3 Security Audit"
on: [pull_request]

# Least-privilege token: the scanner reads the checkout and posts inline PR comments.
permissions:
  contents: read
  pull-requests: write

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Security Scanner
        # Supply-chain note: "@main" tracks a moving branch. Pin a release tag or a
        # full commit SHA for reproducible, tamper-evident CI.
        uses: mvmax-dev/solidity-security-scanner@main
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
```

Unlocks the AI Validator, False-Positive Suppression, and Gas Optimization.
```yaml
name: "Web3 Security Audit PRO"
on: [pull_request]

permissions:
  contents: read
  pull-requests: write

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-scanner-${{ github.sha }}
          # A SHA-scoped key never hits on a new commit; fall back to the most
          # recent cache for this runner OS so the layer cache is actually reused.
          restore-keys: |
            ${{ runner.os }}-scanner-
      - name: Run Security Scanner PRO
        # Pin to a release tag or commit SHA in production; "@main" can change under you.
        uses: mvmax-dev/solidity-security-scanner@main
        with:
          # Set the input for the billing mode you use.
          wallet_address: "0xYourWalletAddress"          # Required for Web3 Metered billing
          enterprise_key: ${{ secrets.SCANNER_KEY }}     # Required for Stripe billing
          github_token: ${{ secrets.GITHUB_TOKEN }}
          fuzz_runs: "512"                               # Optional: increase Foundry fuzzing depth
        env:
          ETHERSCAN_API_KEY: ${{ secrets.ETHERSCAN_API_KEY }}
          BASESCAN_API_KEY: ${{ secrets.BASESCAN_API_KEY }}
```

Note that on `pull_request` runs triggered from a fork, GitHub withholds repository secrets and grants `GITHUB_TOKEN` read-only access, so the PRO billing inputs and inline PR comments only work for pull requests opened from branches in the same repository.

When the scanner runs on your PR, it produces a JSON report and posts inline comments directly on vulnerable lines:
Example scan output:

```json
{
  "scan_result": {
    "total_findings": 3,
    "severity_counts": {
      "Critical": 1,
      "High": 1,
      "Medium": 1
    },
    "risk_score": 82,
    "findings": [
      {
        "rule_id": "REENTRANCY-001",
        "name": "Reentrancy Vulnerability",
        "severity": "Critical",
        "description": "External call to msg.sender before state update. Attacker can re-enter withdraw() and drain funds.",
        "filepath": "contracts/Vault.sol",
        "line_number": 47,
        "recommendation": "Apply Checks-Effects-Interactions pattern or use ReentrancyGuard."
      },
      {
        "rule_id": "ACCESS-003",
        "name": "Unprotected Selfdestruct",
        "severity": "High",
        "description": "selfdestruct() callable without onlyOwner modifier. Any address can destroy this contract.",
        "filepath": "contracts/Vault.sol",
        "line_number": 82,
        "recommendation": "Add 'onlyOwner' modifier or remove selfdestruct entirely."
      },
      {
        "rule_id": "GAS-001",
        "name": "Uncached Array Length in Loop",
        "severity": "Medium",
        "description": "Array .length accessed in loop condition. Wastes ~100 gas per iteration.",
        "filepath": "contracts/Vault.sol",
        "line_number": 31,
        "recommendation": "Cache array length: uint256 len = arr.length;"
      }
    ],
    "gas_optimization": {
      "estimated_savings": "100 - 1000 Gas",
      "findings_count": 1
    }
  }
}
```

Inline PR Comment Example:
> [Critical] Reentrancy Vulnerability
> External call to `msg.sender` before state update on line 47. Attacker can re-enter `withdraw()` and drain all funds.
> 💡 Fix: Apply Checks-Effects-Interactions pattern or add `nonReentrant` modifier.
>
> Audited automatically by Automated Smart Contract Auditor Pro
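A toy version of the two checks behind the REENTRANCY-001 and GAS-001 findings above, written here as an added example in Python; it is not the project's scanner or its report generator. It treats Solidity as text rather than a real AST, the Vault fragment is constructed, the `SEVERITY_WEIGHT` risk scoring is an assumption, and it re-runs the same rules over the hardened contract to confirm they go quiet once the state update precedes the external call and the loop bound is cached.

```python
"""Toy line-level Solidity detector emitting findings in the report format above.

Added illustration, not the project's scanner. Two rule IDs are implemented as text
heuristics (no real AST):
  REENTRANCY-001: an external call to msg.sender (.call/.send/.transfer) followed, later
                  in the same function body, by a write to a state variable.
  GAS-001:        <array>.length read in the condition clause of a for loop.
The Vault fragment is constructed; SEVERITY_WEIGHT is an assumed, illustrative score.
"""
import json
import re

SEVERITY_WEIGHT = {"Critical": 50, "High": 25, "Medium": 10}
FUNC_RE = re.compile(r"^\s*function\s+(\w+)\s*\(")
EXTERNAL_CALL_RE = re.compile(r"msg\.sender\.(?:call|send|transfer)\b")
FOR_LENGTH_RE = re.compile(r"^\s*for\s*\([^;]*;[^;]*\.length[^;]*;")
STATE_DECL_RE = re.compile(
    r"^\s*(?:mapping\s*\(.+\)|[A-Za-z_]\w*(?:\[\])*)"          # type: mapping(...), T, T[]
    r"(?:\s+(?:public|private|internal|constant|immutable))*"  # optional modifiers
    r"\s+([A-Za-z_]\w*)\s*(?:=[^;]*)?;"                        # name, optional initialiser
)

VULNERABLE_VAULT = """\
contract Vault {
    mapping(address => uint256) public balances;
    address[] public depositors;
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0;
    }
    function sweep() external {
        for (uint256 i = 0; i < depositors.length; i++) {
            balances[depositors[i]] = 0;
        }
    }
}
"""
# Same contract with Checks-Effects-Interactions applied and the loop bound cached.
HARDENED_VAULT = VULNERABLE_VAULT.replace(
    '        (bool ok, ) = msg.sender.call{value: amount}("");\n'
    '        require(ok, "transfer failed");\n'
    '        balances[msg.sender] = 0;\n',
    '        balances[msg.sender] = 0;\n'
    '        (bool ok, ) = msg.sender.call{value: amount}("");\n'
    '        require(ok, "transfer failed");\n',
).replace(
    '        for (uint256 i = 0; i < depositors.length; i++) {\n',
    '        uint256 len = depositors.length;\n'
    '        for (uint256 i = 0; i < len; i++) {\n',
)


def _code(line):
    return line.split("//", 1)[0]          # drop trailing // comments before matching


def state_variables(source):
    """Names declared directly in the contract body (brace depth 1)."""
    names, depth = set(), 0
    for raw in source.splitlines():
        line = _code(raw)
        if depth == 1 and (m := STATE_DECL_RE.match(line)):
            names.add(m.group(1))
        depth += line.count("{") - line.count("}")
    return names


def _finding(rule_id, name, severity, description, filepath, line_number, recommendation):
    return {"rule_id": rule_id, "name": name, "severity": severity, "description": description,
            "filepath": filepath, "line_number": line_number, "recommendation": recommendation}


def scan(source, filepath="contracts/Vault.sol"):
    """Run both heuristics; return a report shaped like the JSON example above."""
    state = state_variables(source)
    # assignment (=, +=, -=) to a known state variable, optionally indexed; '==' excluded
    write_re = re.compile(r"\b(?:%s)\b\s*(?:\[[^=]*\])?\s*(?:\+=|-=|=)(?!=)"
                          % "|".join(map(re.escape, sorted(state)))) if state else None
    findings, depth, func, call_line = [], 0, None, None
    for n, raw in enumerate(source.splitlines(), 1):
        line = _code(raw)
        if m := FUNC_RE.match(line):
            func, call_line = m.group(1), None
        if func and EXTERNAL_CALL_RE.search(line):
            call_line = n                          # interaction seen; any later effect is suspect
        elif func and call_line and write_re and write_re.search(line):
            findings.append(_finding("REENTRANCY-001", "Reentrancy Vulnerability", "Critical",
                f"External call to msg.sender before state update. Attacker can re-enter {func}() and drain funds.",
                filepath, call_line, "Apply Checks-Effects-Interactions pattern or use ReentrancyGuard."))
            call_line = None                       # one finding per external call
        if FOR_LENGTH_RE.match(line):
            findings.append(_finding("GAS-001", "Uncached Array Length in Loop", "Medium",
                "Array .length accessed in loop condition. Wastes ~100 gas per iteration.",
                filepath, n, "Cache array length: uint256 len = arr.length;"))
        depth += line.count("{") - line.count("}")
        if depth <= 1:                             # left the function body
            func, call_line = None, None
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return {"scan_result": {
        "total_findings": len(findings),
        "severity_counts": counts,
        "risk_score": min(100, sum(SEVERITY_WEIGHT[s] * c for s, c in counts.items())),
        "findings": findings,
        "gas_optimization": {"estimated_savings": "~100 Gas per loop iteration",
                             "findings_count": sum(f["rule_id"].startswith("GAS-") for f in findings)},
    }}


if __name__ == "__main__":
    print(json.dumps(scan(VULNERABLE_VAULT), indent=2))
    print("hardened findings:", scan(HARDENED_VAULT)["scan_result"]["total_findings"])
```

The reentrancy rule is deliberately ordered: a state write that happens before the external call (the Checks-Effects-Interactions fix) is never reported, while the same write after the call is. A real AST-based scanner would resolve calls and storage writes structurally instead of by regex, which is what keeps comments, string literals and shadowed locals from producing false positives.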
```text
┌─────────────────────────────────────────────────────────────────┐
│                   GitHub Pull Request Trigger                   │
└──────────────┬──────────────────────────────────────────────────┘
               │
               ▼
┌─────────────────────────────┐   ┌─────────────────────────────┐
│     Language Detection      │   │    Paywall Verification     │
│  ├── Solidity (.sol)        │   │  ├── Web3 Metered Check     │
│  ├── Rust/Anchor (.rs)      │   │  └── Enterprise Key Check   │
│  └── Foundry (foundry.toml) │   └─────────────────────────────┘
└──────────────┬──────────────┘
               │
    ┌──────────┼──────────┐
    ▼          ▼          ▼
┌────────┐ ┌────────┐ ┌────────┐
│Slither │ │Foundry │ │Solana  │
│  AST   │ │  Fuzz  │ │  Rust  │
│Analysis│ │Testing │ │Scanner │
└───┬────┘ └───┬────┘ └───┬────┘
    │          │          │
    └──────────┼──────────┘
               ▼
    ┌─────────────────────┐
    │ AI Validator (PRO)  │
    │  ├── False-Positive │
    │  │   Suppression    │
    │  └── Gas Optimizer  │
    └──────────┬──────────┘
               ▼
    ┌─────────────────────┐
    │   GitHub PR Bot     │
    │  Inline Comments    │
    └─────────────────────┘
```
| Category | Vulnerabilities Detected |
|---|---|
| Reentrancy | Cross-function, cross-contract, read-only reentrancy |
| Access Control | Missing onlyOwner, unprotected selfdestruct, open delegatecall |
| Flash Loans | Unchecked flash loan callbacks, price oracle manipulation |
| MEV | Front-running, sandwich attack vectors |
| Gas | Uncached array lengths, post-increment, sub-word memory |
| Solana | Missing signer checks, CPI vulnerabilities, cargo audit |
The basic structural analysis is 100% free forever. PRO unlocks AI Validation & Gas Optimization through our Web3 Metered Treasury.

| 🆓 Free | 💎 PRO (Web3 Indie) | 🏢 Enterprise (B2B) |
|---|---|---|
| Basic AST structural analysis, free forever | Pay-Per-Scan / Superfluid Streams | For teams & corporate finance. Includes: invoicing, auto-renewal, SLA |
| Feature | This Tool | Slither (Standalone) | MythX | Certora |
|---|---|---|---|---|
| GitHub Action | ✅ | ✅ (crytic/slither-action) | ✅ | ❌ |
| AI False-Positive Suppression | ✅ | ❌ | ❌ | ❌ |
| Gas Optimization | ✅ | ❌ | ❌ | ❌ |
| Solana/Rust Support | ✅ | ❌ | ❌ | ❌ |
| Fuzz Testing (Foundry) | ✅ | ❌ | ❌ | ✅ |
| Inline PR Comments | ✅ | ❌ | ✅ | ❌ |
| Web3 Native Billing | ✅ | N/A | ❌ | ❌ |
| Price | Free + $50 | Free | $299/mo | Enterprise |
Q: How does the EVM Gas Optimization work?
The Action parses the Solidity Abstract Syntax Tree (AST) to detect non-optimized loop structures (e.g. an array's .length re-read on every iteration instead of being cached in a local), state variables declared in an order that defeats slot packing (e.g. a uint8 placed between two uint256 values, so it cannot share a 32-byte storage slot), and sub-word types whose reads and writes pay masking overhead (uint8 vs uint256), then outputs a PR comment detailing the exact gas savings per line.
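An added example (not the project's code) of the state-variable packing rule described in this answer: it computes the storage layout that Solidity's sequential packing produces for a list of declarations, reports how many 32-byte slots the contract uses, and proposes a widest-first reordering. The type-size table, the sample declarations and the finding format are assumptions made for the illustration.

```python
"""Storage-slot packing calculator, added to illustrate the state-variable packing check.

Not the project's code. Solidity stores state variables sequentially in 32-byte slots and
packs a variable into the current slot only if it fits in the remaining bytes; a full-word
variable between two small ones therefore leaves each small one in a slot of its own.
The type-size table and the declarations below are constructed for this example.
"""
import re

SLOT = 32


def type_size(t):
    """Static byte width of a value type; anything else occupies a whole slot."""
    if t == "bool":
        return 1
    if t == "address":
        return 20
    if m := re.fullmatch(r"u?int(\d*)", t):          # uint == uint256, int128, ...
        return int(m.group(1) or 256) // 8
    if m := re.fullmatch(r"bytes([1-9]|[12]\d|3[0-2])", t):   # bytes1 .. bytes32
        return int(m.group(1))
    return SLOT   # string, bytes, mapping, dynamic array, struct: own slot(s)


def layout(decls):
    """Assign (name, slot, byte offset) to each (type, name) in declaration order."""
    slot, offset, out = 0, 0, []
    for t, name in decls:
        size = type_size(t)
        if offset + size > SLOT:          # does not fit in the remainder: open a new slot
            slot, offset = slot + 1, 0
        out.append((name, slot, offset))
        offset += size
        if offset == SLOT:
            slot, offset = slot + 1, 0
    return out


def slots_used(decls):
    lay = layout(decls)
    return lay[-1][1] + 1 if lay else 0


def suggest_packing(decls):
    """Greedy reorder, widest types first, so narrow ones end up adjacent and share a slot."""
    return sorted(decls, key=lambda d: -type_size(d[0]))


def packing_finding(decls):
    """Slots before/after reordering, in the spirit of the scanner's gas findings."""
    reordered = suggest_packing(decls)
    before, after = slots_used(decls), slots_used(reordered)
    return {
        "slots_before": before,
        "slots_after": after,
        "slots_saved": before - after,   # each slot first written costs a zero-to-nonzero SSTORE (20,000 gas)
        "recommendation": "Declare as: " + "; ".join(f"{t} {n}" for t, n in reordered) + ";",
    }


# Constructed layout: a uint256 sits between the small types, so they cannot share a slot.
UNPACKED = [("uint8", "decimals"), ("uint256", "totalSupply"), ("uint16", "feeBps"),
            ("address", "owner"), ("bool", "paused")]

if __name__ == "__main__":
    for name, slot, off in layout(UNPACKED):
        print(f"{name:12} slot {slot} offset {off}")
    print(packing_finding(UNPACKED))
```

Reordering state variables changes the storage layout, so this is a fix for new code or for contracts that have not yet been deployed. Behind an upgradeable proxy, where storage already holds data, moving declarations corrupts the mapping between slots and variables; there the finding should be reported but not auto-applied.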
Q: Slither Static Analysis vs. AI Smart Contract Auditors — what's the difference?
Slither is excellent for deterministic dataflow analysis but produces high false-positive rates (~60%). Our AI Validator ingests Slither's output and uses RAG against an exploit database to suppress false positives and find complex logic flaws that static tools miss, achieving 99% accuracy.
Q: Does this replace a professional audit?
No. This tool is designed as a first line of defense in your CI/CD pipeline. It catches the low-hanging fruit (reentrancy, access control, gas waste) instantly, so your expensive human auditors can focus on complex business logic.
Q: How does the Solana/Rust scanner work?
When the scanner detects an Anchor.toml or Cargo.toml, it automatically routes to the Rust scanning engine. It runs cargo audit for dependency vulnerabilities and performs heuristic analysis for missing signer checks, CPI vulnerabilities, and PDA validation issues.
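An added example of the missing-signer heuristic this answer mentions, not the project's Rust engine: Python over Anchor source text that flags accounts which are referenced by a `has_one` constraint or named like a privileged actor, yet are not typed `Signer<'info>` and carry no `#[account(signer)]` attribute. The Rust snippets and the privileged-name list are constructed for the illustration.

```python
"""Heuristic check for Anchor accounts that gate privilege without requiring a signature.

Added illustration of a "missing signer check" heuristic; not the project's Rust engine.
It parses #[derive(Accounts)] structs out of source text and flags a field that is either
named like a privileged actor or referenced by a has_one constraint but is not typed
Signer<'info> and has no #[account(signer)] attribute. has_one only proves that the
supplied pubkey equals the one stored in the data account; without a signature anyone
who knows that pubkey can call the instruction. Snippets and name list are constructed.
"""
import re

PRIVILEGED_NAMES = {"authority", "owner", "admin", "payer", "signer"}
STRUCT_RE = re.compile(r"#\[derive\(Accounts\)\][^{]*?struct\s+(\w+)[^{]*\{(.*?)\n\}", re.S)
FIELD_RE = re.compile(r"pub\s+(\w+)\s*:\s*(.+?),?$")

VULNERABLE_RS = """\
#[derive(Accounts)]
pub struct Withdraw<'info> {
    #[account(mut, has_one = authority)]
    pub vault: Account<'info, Vault>,
    /// CHECK: compared against vault.authority but never asked to sign
    pub authority: AccountInfo<'info>,
    #[account(mut)]
    pub destination: SystemAccount<'info>,
    pub system_program: Program<'info, System>,
}
"""
# Fix: Signer<'info> makes the runtime reject the transaction unless authority signed it.
FIXED_RS = VULNERABLE_RS.replace(
    "    /// CHECK: compared against vault.authority but never asked to sign\n"
    "    pub authority: AccountInfo<'info>,",
    "    pub authority: Signer<'info>,")
# Older Anchor style: keep AccountInfo but require the signature through the attribute.
LEGACY_RS = VULNERABLE_RS.replace("    pub authority:", "    #[account(signer)]\n    pub authority:")


def accounts_structs(src):
    """Yield (struct_name, [(field, type, attributes)]) for every #[derive(Accounts)] struct."""
    for m in STRUCT_RE.finditer(src):
        fields, attrs = [], ""
        for line in m.group(2).splitlines():
            line = line.strip()
            if line.startswith("#[account"):
                attrs += line                      # attributes apply to the next field
            elif line.startswith("pub "):
                fm = FIELD_RE.match(line)
                fields.append((fm.group(1), fm.group(2), attrs))
                attrs = ""
        yield m.group(1), fields


def missing_signer_checks(src):
    """Return one finding per privileged account that can be supplied without signing."""
    findings = []
    for struct, fields in accounts_structs(src):
        # an account named in has_one = X is the trust anchor for another account's data
        has_one_targets = {t for _, _, a in fields for t in re.findall(r"has_one\s*=\s*(\w+)", a)}
        for name, ty, attrs in fields:
            privileged = name in PRIVILEGED_NAMES or name in has_one_targets
            signed = ty.startswith("Signer<") or re.search(r"\bsigner\b", attrs) is not None
            if privileged and not signed:
                findings.append({
                    "struct": struct, "field": name, "type": ty,
                    "description": f"{struct}.{name} is checked by key only; anyone who knows "
                                   f"the pubkey can pass it without signing.",
                    "recommendation": f"Change to `pub {name}: Signer<'info>,`",
                })
    return findings


if __name__ == "__main__":
    for f in missing_signer_checks(VULNERABLE_RS):
        print(f"[High] {f['description']} Fix: {f['recommendation']}")
    print("fixed:", missing_signer_checks(FIXED_RS), "legacy:", missing_signer_checks(LEGACY_RS))
```

The heuristic only reasons about the account struct. An instruction handler that compares `authority.key()` by hand, or a CPI that forwards an unchecked account as a signer seed, needs a separate check over the handler body; treat a clean result here as "no obvious omission", not as proof of correct authorization.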
We believe in securing the Web3 ecosystem together. Please see our Contributing Guidelines and Security Policy.
This project is licensed under the MIT License - see the LICENSE file for details.
Built with ❤️ for the Web3 Security Community
If this tool saves you from a smart contract exploit, consider starring ⭐ the repo!