hexray

X-ray vision for EVM transactions. Know what you're signing before you sign it.

Built at ETHGlobal Cannes 2026.


Every day, people sign Ethereum transactions they don't understand. The calldata looks like this:

0x791ac94700000000000000000000000000000000000000000000000000160febf427c2c0
00000000000000000000000000000000000000000000000000cb752ad12b5f6000000000
000000000000000000000000000000000000000000000000000000a0000000000000000000
000000a36e9d7cf6c7b513d46c7243125952888f415eb400000000000000000000000000
0000000000000000000000000000000069d0e86c...

Even Etherscan's decoder gives you raw uint256 values and bare hex addresses. You're expected to know that 6209955575612096 is an 18-decimal token amount that actually means 0.00621 SHIB, and that 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2 is WETH.

hexray turns that wall of hex into this:

Swap 0.00621 SHIB -> WETH via Uniswap V2 Router, minimum output 0.0573 ETH, deadline 2026-04-04T10:31:08Z

SAFE TO SIGN - Uniswap V2 Router is a verified contract (4+ years old, high transaction volume)

How it works

hexray is a CLI tool + Claude Code AI skill that operates as your whitehat buddy - analyzing transactions before you sign them.

                 ┌─────────────┐
  raw calldata   │   DECODE    │  4-tier strategy:
  ─────────────> │             │  ABI > selector > bytecode heuristic > raw
                 └──────┬──────┘
                        │
                 ┌──────▼──────┐
                 │   ENRICH    │  resolve addresses, format token amounts,
                 │             │  map swap paths, convert timestamps
                 └──────┬──────┘
                        │
                 ┌──────▼──────┐
                 │   SAFETY    │  11 safety checks: verification, age,
                 │   CHECKS    │  proxy detection, approvals, slippage...
                 └──────┬──────┘
                        │
                 ┌──────▼──────┐
                 │  WHITEHAT   │  Claude interprets everything and gives
                 │    BUDDY    │  a plain English verdict
                 └─────────────┘

The four decoding tiers

Not all contracts are verified. hexray doesn't give up - it tries progressively harder:

Tier  Method                           When it kicks in
1     ABI from Etherscan               Contract is verified (covers ~70% of interesting txns)
2     4byte.directory selector lookup  Unverified, but the 4-byte selector matches a known function signature
3     WhatsABI bytecode analysis       Unverified, unknown signature - recover selectors from the bytecode's
                                       dispatch table (JUMPI analysis) and resolve proxies (ERC-1967,
                                       ERC-1167, Diamond) so the implementation's code is what gets analysed
4     Raw fallback                     Nothing worked - hand the hex to Claude with the selector

Tiers 2 and 3 give a best guess rather than ground truth, since several function signatures can share one 4-byte selector.
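The proxy-resolution step of tier 3, as an added example that is not hexray's or WhatsABI's code: ERC-1167 minimal proxies are recognised from their fixed runtime bytecode, and ERC-1967 proxies from the implementation or beacon storage slot. The storage reader is injected, so the code runs against a constructed storage map instead of an RPC node; every address, bytecode string and storage word below is made up for the example. Diamond (EIP-2535) resolution is not shown.

```typescript
// Added example, not hexray's or WhatsABI's code: resolve the two proxy shapes named in
// tier 3 without an RPC node. The storage reader is injected; all addresses, bytecode
// and storage below are constructed fixtures.

// EIP-1167 minimal proxy runtime code: 363d3d373d3d3d363d73 <20-byte impl> 5af43d82803e903d91602b57fd5bf3
const EIP1167_PREFIX = "363d3d373d3d3d363d73";
const EIP1167_SUFFIX = "5af43d82803e903d91602b57fd5bf3";
// ERC-1967 slots: keccak256("eip1967.proxy.implementation") - 1 and keccak256("eip1967.proxy.beacon") - 1
export const IMPLEMENTATION_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc";
export const BEACON_SLOT = "0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50";

export type StorageReader = (addr: string, slot: string) => string; // returns a 32-byte hex word
export interface ProxyResolution {
  kind: "erc1167" | "erc1967" | "erc1967-beacon" | "none";
  implementation?: string; // where the logic (and so the ABI to decode against) actually lives
  beacon?: string;         // beacon proxies need a further beacon.implementation() call (not shown)
}

const strip = (hex: string): string => hex.toLowerCase().replace(/^0x/, "");

// Exact-shape match: 10-byte prefix, 20-byte implementation, 15-byte suffix = 45 bytes.
export function detectMinimalProxy(code: string): string | undefined {
  const c = strip(code);
  if (c.length !== 90 || !c.startsWith(EIP1167_PREFIX) || !c.endsWith(EIP1167_SUFFIX)) return undefined;
  return "0x" + c.slice(EIP1167_PREFIX.length, EIP1167_PREFIX.length + 40);
}

// A slot holds an address only if the upper 12 bytes are zero and the low 20 bytes are not.
export function addressFromSlot(word: string): string | undefined {
  const w = strip(word).padStart(64, "0");
  if (w.length !== 64 || !/^0{24}/.test(w)) return undefined;
  const addr = w.slice(24);
  return /^0{40}$/.test(addr) ? undefined : "0x" + addr;
}

export function resolveProxy(addr: string, code: string, getStorageAt: StorageReader): ProxyResolution {
  const minimal = detectMinimalProxy(code);
  if (minimal) return { kind: "erc1167", implementation: minimal };
  const impl = addressFromSlot(getStorageAt(addr, IMPLEMENTATION_SLOT));
  if (impl) return { kind: "erc1967", implementation: impl };
  const beacon = addressFromSlot(getStorageAt(addr, BEACON_SLOT));
  if (beacon) return { kind: "erc1967-beacon", beacon };
  return { kind: "none" };
}

// Constructed fixtures: a clone, an upgradeable proxy, and a plain (non-proxy) contract.
export const CLONE = "0x1111111111111111111111111111111111111111";
export const UPGRADEABLE = "0x2222222222222222222222222222222222222222";
export const PLAIN = "0x3333333333333333333333333333333333333333";
export const LOGIC_A = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
export const LOGIC_B = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
const CODE: Record<string, string | undefined> = {
  [CLONE]: "0x" + EIP1167_PREFIX + strip(LOGIC_A) + EIP1167_SUFFIX,
  [UPGRADEABLE]: "0x60806040", // stand-in fragment: not a minimal proxy, so storage decides
  [PLAIN]: "0x60806040",
};
const STORAGE: Record<string, Record<string, string> | undefined> = {
  [UPGRADEABLE]: { [IMPLEMENTATION_SLOT]: "0x" + "0".repeat(24) + strip(LOGIC_B) },
};
export const fakeStorage: StorageReader = (a, slot) =>
  STORAGE[a.toLowerCase()]?.[slot.toLowerCase()] ?? "0x" + "0".repeat(64);

export function resolve(addr: string): ProxyResolution {
  return resolveProxy(addr, CODE[addr.toLowerCase()] ?? "0x", fakeStorage);
}

for (const a of [CLONE, UPGRADEABLE, PLAIN]) console.log(a, resolve(a));
```

Whichever branch fires, the implementation address is what the later steps should be pointed at: the ABI comes from it, and the verification and age checks (check 4 below, "with implementation verification") are only meaningful against it, not against the thin proxy.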

What gets enriched

Raw decoded params are just the beginning. hexray resolves every parameter:

  • Addresses - Is it a contract or EOA? Verified? What's its name? Is it a token? What token?
  • Amounts - Fetches decimals() from the token contract and formats: 6209955575612096 -> 0.00621 SHIB
  • Swap paths - [0x63D5..., 0xC02a...] -> SHIB -> WETH
  • Deadlines - 1775298668 -> 2026-04-04T10:31:08.000Z
  • ETH value - From the transaction's value field (not in calldata, but critical for understanding the full picture)
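Tier 1 decoding plus the enrichment steps above, as an added example that is not hexray's own code: a hand-rolled ABI decoder for the swapExactTokensForETHSupportingFeeOnTransferTokens(uint256,uint256,address[],address,uint256) call from this README (selector 0x791ac947), followed by amount formatting, path naming and deadline conversion. It uses no viem and no network. The sample calldata is constructed from the amounts, recipient and deadline quoted on this page; the page elides the input-token address, so a placeholder is used for it, and the token map is a small constructed stand-in for the Etherscan label and decimals() look-ups.

```typescript
// Added example, not hexray's code: decode + enrich the README's Uniswap V2 Router call
//   swapExactTokensForETHSupportingFeeOnTransferTokens(uint256 amountIn, uint256 amountOutMin,
//                                                      address[] path, address to, uint256 deadline)
//   selector 0x791ac947
// No viem and no network access; the sample calldata is constructed at the bottom.

const SWAP_SELECTOR = "791ac947";
const WETH = "0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2"; // mainnet WETH9, quoted on the page
const SAMPLE_TOKEN = "0x1111111111111111111111111111111111111111"; // constructed placeholder (page elides the real one)

// Constructed stand-in for the enricher's address labels + decimals() reads.
const KNOWN_TOKENS: Record<string, { symbol: string; decimals: number } | undefined> = {
  [WETH]: { symbol: "WETH", decimals: 18 },
  [SAMPLE_TOKEN]: { symbol: "SHIB", decimals: 18 }, // assumption: 18 decimals, as in the README example
};

export interface SwapCall {
  amountIn: bigint; amountOutMin: bigint; path: string[]; to: string; deadline: bigint;
}

const toAddress = (w: bigint): string => "0x" + w.toString(16).padStart(40, "0");
const encodeWord = (v: bigint): string => v.toString(16).padStart(64, "0");

export function decodeSwapCalldata(calldata: string): SwapCall {
  const data = calldata.toLowerCase().replace(/^0x/, "");
  const selector = data.slice(0, 8);
  if (selector !== SWAP_SELECTOR) throw new Error(`unexpected selector 0x${selector}`);
  const args = data.slice(8);
  if (args.length % 64 !== 0) throw new Error("argument area is not 32-byte aligned");
  const wordCount = args.length / 64;
  const wordAt = (i: number): bigint => {
    if (i >= wordCount) throw new Error(`word ${i} past end of calldata`);
    return BigInt("0x" + args.slice(i * 64, i * 64 + 64));
  };
  // Head = 5 words. Word 2 is a byte offset (from the start of the argument area)
  // to the dynamic address[]: a length word followed by one word per element.
  const pathOffset = wordAt(2);
  if (pathOffset % BigInt(32) !== BigInt(0)) throw new Error("path offset not word-aligned");
  const lenIndex = Number(pathOffset / BigInt(32));
  const pathLen = Number(wordAt(lenIndex));
  const path: string[] = [];
  for (let k = 0; k < pathLen; k++) path.push(toAddress(wordAt(lenIndex + 1 + k)));
  return { amountIn: wordAt(0), amountOutMin: wordAt(1), path, to: toAddress(wordAt(3)), deadline: wordAt(4) };
}

// Enrichment: raw uint256 -> token units (exact), then 3 significant digits for display;
// unix seconds -> ISO-8601.
export function formatUnits(value: bigint, decimals: number): string {
  const digits = value.toString().padStart(decimals + 1, "0");
  const whole = digits.slice(0, digits.length - decimals);
  const frac = digits.slice(digits.length - decimals).replace(/0+$/, "");
  return frac ? `${whole}.${frac}` : whole;
}
export const toSignificant = (units: string, sig: number): string => Number(units).toPrecision(sig);
export const isoFromUnix = (secs: bigint): string => new Date(Number(secs) * 1000).toISOString();

export function describeSwap(call: SwapCall): string {
  const first = call.path[0];
  const last = call.path[call.path.length - 1];
  const symbolOf = (a: string): string => KNOWN_TOKENS[a]?.symbol ?? a; // unknown token: keep the hex
  const tokenIn = KNOWN_TOKENS[first];
  const amountIn = tokenIn ? toSignificant(formatUnits(call.amountIn, tokenIn.decimals), 3) : call.amountIn.toString();
  const minOut = toSignificant(formatUnits(call.amountOutMin, 18), 3); // *ForETH: output is ETH, 18 decimals
  return `Swap ${amountIn} ${symbolOf(first)} -> ${symbolOf(last)} via Uniswap V2 Router, ` +
    `minimum output ${minOut} ETH, deadline ${isoFromUnix(call.deadline)}`;
}

// Constructed sample: the amounts, recipient and deadline quoted on the page, with the
// placeholder token as path[0] and WETH as path[1]. Offset 5*32 = 0xa0, as on the page.
export function buildSampleCalldata(): string {
  const head = [BigInt("0x160febf427c2c0"), BigInt("0xcb752ad12b5f60"), BigInt(5 * 32),
    BigInt("0xa36e9d7cf6c7b513d46c7243125952888f415eb4"), BigInt(1775298668)];
  const tail = [BigInt(2), BigInt(SAMPLE_TOKEN), BigInt(WETH)];
  return "0x" + SWAP_SELECTOR + head.concat(tail).map(encodeWord).join("");
}

export function analyseSample(): string {
  return describeSwap(decodeSwapCalldata(buildSampleCalldata()));
}
console.log(analyseSample());
```

The decoder checks alignment and bounds on every word it reads; a truncated or hand-crafted calldata whose path offset points past the end throws instead of silently decoding garbage, which is the behaviour you want in anything that feeds a "safe to sign" verdict.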

The 11 safety checks

hexray doesn't just decode - it thinks about what the transaction means:

Contract-level:

  1. Verification status on Etherscan
  2. Contract age (brand new = red flag)
  3. Known address labels (Uniswap, WETH, etc.)
  4. Proxy detection (ERC-1967 + Etherscan) with implementation verification
  5. Recent transaction activity

Transaction-level:

  1. Unlimited token approvals (type(uint256).max)
  2. Approval spender analysis (known protocol vs unknown contract vs EOA)
  3. Recipient analysis for transfers
  4. Slippage tolerance (amountOutMin = 0 means sandwich attack bait)
  5. Deadline validation (expired? dangerously long?)
  6. ETH value mismatch (sending ETH to a function that doesn't expect it)
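The transaction-level checks, as an added example that is not hexray's safety.ts: each check runs over an already-decoded call and yields a finding with a severity, and the findings roll up into the three verdicts the skill uses. The address look-up is injected so the code runs offline; the 24-hour deadline ceiling, the payable-function list, the severity mapping and the sample addresses are assumptions for the example, not hexray's values.

```typescript
// Added example, not hexray's safety.ts: transaction-level checks over a decoded call.
// The thresholds, the payable list and the sample world are assumptions.

const MAX_UINT256 = BigInt("0x" + "f".repeat(64)); // type(uint256).max
const MAX_DEADLINE_AHEAD = 24 * 60 * 60;            // assumption: more than 24h ahead is "dangerously long"
const PAYABLE = new Set(["swapExactETHForTokens", "swapETHForExactTokens", "deposit"]); // assumption

export type Severity = "HIGH" | "MEDIUM" | "INFO";
export interface Finding { check: string; severity: Severity; detail: string }
export interface AddressInfo { isContract: boolean; verified: boolean; label?: string; ageSeconds?: number }
export type AddressLookup = (addr: string) => AddressInfo; // hexray fills this from Etherscan + RPC
export interface DecodedCall {
  functionName: string;
  args: Record<string, bigint | string>;
  value: bigint; // from the tx's value field, not from the calldata
}

function ageText(info: AddressInfo): string {
  return info.ageSeconds === undefined ? "unknown age" : `${Math.floor(info.ageSeconds / 3600)}h old`;
}

export function assessTransaction(call: DecodedCall, nowSecs: number, lookup: AddressLookup): Finding[] {
  const out: Finding[] = [];
  const a = call.args;
  const add = (check: string, severity: Severity, detail: string) => out.push({ check, severity, detail });

  // 1 + 2: unlimited approvals, and who the spender is
  if (call.functionName === "approve") {
    const spender = String(a.spender);
    const info = lookup(spender);
    if (a.amount === MAX_UINT256) add("unlimited-approval", "HIGH", `approval for type(uint256).max to ${spender}`);
    if (!info.isContract) add("approval-spender", "HIGH", "spender is an EOA, not a protocol contract");
    else if (!info.verified) add("approval-spender", "HIGH", `spender is an unverified contract (${ageText(info)})`);
    else if (info.label) add("approval-spender", "INFO", `spender is ${info.label}`);
    else add("approval-spender", "MEDIUM", "spender is verified but not a known protocol");
  }
  // 3: where a plain transfer goes
  if (call.functionName === "transfer") {
    const info = lookup(String(a.to));
    if (info.isContract && !info.verified) add("transfer-recipient", "MEDIUM", `recipient is an unverified contract (${ageText(info)})`);
    else if (info.isContract) add("transfer-recipient", "INFO", `recipient is ${info.label ?? "a verified contract"}`);
  }
  // 4: slippage
  if (a.amountOutMin === BigInt(0)) add("slippage", "HIGH", "amountOutMin is 0: sandwich attack bait");
  // 5: deadline
  if (typeof a.deadline === "bigint") {
    const d = Number(a.deadline);
    if (d < nowSecs) add("deadline", "HIGH", `deadline already expired (${new Date(d * 1000).toISOString()})`);
    else if (d - nowSecs > MAX_DEADLINE_AHEAD) add("deadline", "MEDIUM", `deadline is ${Math.floor((d - nowSecs) / 3600)}h ahead`);
  }
  // 6: ETH sent to a function that does not take it
  if (call.value > BigInt(0) && !PAYABLE.has(call.functionName))
    add("value-mismatch", "HIGH", `${call.value} wei sent to non-payable ${call.functionName}`);
  return out;
}

export function verdict(findings: Finding[]): "SAFE TO SIGN" | "CAUTION" | "DO NOT SIGN" {
  if (findings.some((f) => f.severity === "HIGH")) return "DO NOT SIGN";
  if (findings.some((f) => f.severity === "MEDIUM")) return "CAUTION";
  return "SAFE TO SIGN";
}

// Constructed sample world: a 3-hour-old unverified contract, plus the router from the page.
const NEW_CONTRACT = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const UNISWAP_V2_ROUTER = "0x7a250d5630b4cf539739df2c5dacb4c659f2488d";
const WORLD: Record<string, AddressInfo | undefined> = {
  [NEW_CONTRACT]: { isContract: true, verified: false, ageSeconds: 3 * 3600 },
  [UNISWAP_V2_ROUTER]: { isContract: true, verified: true, label: "Uniswap V2 Router", ageSeconds: 4 * 365 * 86400 },
};
export const sampleLookup: AddressLookup = (addr) => WORLD[addr.toLowerCase()] ?? { isContract: false, verified: false };
export const NOW = 1775297468; // 20 minutes before the deadline quoted on the page

export const riskyApproval: DecodedCall = {
  functionName: "approve", args: { spender: NEW_CONTRACT, amount: MAX_UINT256 }, value: BigInt(0),
};
export const pageSwap: DecodedCall = {
  functionName: "swapExactTokensForETHSupportingFeeOnTransferTokens",
  args: { amountIn: BigInt("0x160febf427c2c0"), amountOutMin: BigInt("0xcb752ad12b5f60"), deadline: BigInt(1775298668) },
  value: BigInt(0),
};
export const sloppySwap: DecodedCall = {
  ...pageSwap, args: { ...pageSwap.args, amountOutMin: BigInt(0), deadline: BigInt(NOW - 60) }, value: BigInt(1),
};

for (const c of [riskyApproval, pageSwap, sloppySwap])
  console.log(verdict(assessTransaction(c, NOW, sampleLookup)), c.functionName);
```

Note what the value-mismatch check needs: the tx value is not in the calldata, so a tool that only ever sees `--calldata` cannot run it; that is why the raw-transaction input path matters.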

Quick start

bun install
# Analyze calldata before signing
bun run src/index.ts \
  --calldata 0x791ac947000000000000000000000000000000000000000000000000... \
  --to 0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D \
  --etherscan-key YOUR_KEY

# Or pass a raw unsigned transaction
bun run src/index.ts 0x02f8... --etherscan-key YOUR_KEY

As a Claude Code skill

The real magic: use hexray as an AI-powered slash command.

/project:hexray --calldata 0x791ac947... --to 0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D --etherscan-key YOUR_KEY

Claude acts as a whitehat analyst - decoding the transaction, explaining it in plain English, and giving a clear verdict: SAFE TO SIGN, CAUTION, or DO NOT SIGN.

Why not just simulate?

Transaction simulation (Tenderly, Blowfish, etc.) is powerful but:

  • Requires submitting the transaction to a simulation environment
  • Costs money per simulation
  • Misses context - a simulation tells you what happens, not whether you should do it
  • Can be gamed - malicious contracts can detect simulation environments

hexray takes a different approach: static analysis + on-chain enrichment + AI reasoning. It's cheaper, faster, and catches things simulations miss (like "this is an unlimited approval to a 3-hour-old unverified contract"). The reverse also holds: static analysis sees what the calldata asks for, not state-dependent behaviour at execution time, so the two approaches complement rather than replace each other.

Tech stack

  • Bun - TypeScript runtime (native TS, fast, built-in test runner)
  • viem - EVM interactions, ABI decoding, type-safe contract reads
  • @shazow/whatsabi - ABI extraction from unverified bytecode
  • Etherscan API - Contract verification, source code, labels, creation info
  • 4byte.directory - Function signature database
  • Claude Code - AI-powered analysis and presentation

Architecture

src/
├── index.ts      CLI entry point, arg parsing, pipeline orchestration
├── types.ts      TypeScript interfaces for the entire pipeline
├── fetcher.ts    API clients (Etherscan, RPC, 4byte) + known address map
├── decoder.ts    Four-tier calldata decoding engine
├── enricher.ts   Parameter enrichment (tokens, amounts, addresses, paths)
└── safety.ts     11-check safety assessment engine

.claude/commands/
└── hexray.md     Claude Code whitehat analyst skill

tests/
├── decoder.test.ts
├── enricher.test.ts
└── safety.test.ts

License

MPL-2.0
