<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: juan23z</title>
    <description>The latest articles on DEV Community by juan23z (@juan23z).</description>
    <link>https://dev.to/juan23z</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4027375%2F72cf98e1-b4d8-45de-b230-a1ec981099ac.png</url>
      <title>DEV Community: juan23z</title>
      <link>https://dev.to/juan23z</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/juan23z"/>
    <language>en</language>
    <item>
      <title>I open-sourced a Solidity security scanner with 0 false positives on all of OpenZeppelin</title>
      <dc:creator>juan23z</dc:creator>
      <pubDate>Mon, 13 Jul 2026 14:37:17 +0000</pubDate>
      <link>https://dev.to/juan23z/i-open-sourced-a-solidity-security-scanner-with-0-false-positives-on-all-of-openzeppelin-3o2h</link>
      <guid>https://dev.to/juan23z/i-open-sourced-a-solidity-security-scanner-with-0-false-positives-on-all-of-openzeppelin-3o2h</guid>
      <description>&lt;p&gt;I've spent months building an autonomous Web3 security system — it watches fresh protocols, pre-scans them, and re-audits client contracts on every change. I open-sourced its scanning core. MIT, needs only Python 3.9+ and git, zero API keys.&lt;/p&gt;

&lt;h2&gt;
  
  
  What it does
&lt;/h2&gt;

&lt;p&gt;Point it at a repo, get a professional report (Markdown + HTML) in seconds:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;python scan.py https://github.com/org/protocol &lt;span class="nt"&gt;--out&lt;/span&gt; ./report
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Or run it in CI on every PR with a GitHub Action:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;uses&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;juan23z/openclaw-audit@v1&lt;/span&gt;
  &lt;span class="na"&gt;with&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;path&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;contracts&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It ships &lt;strong&gt;12 heuristic detectors&lt;/strong&gt; aimed at the bugs that actually drain vaults:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;ERC-4626 rounding &amp;amp; first-depositor inflation&lt;/li&gt;
&lt;li&gt;Donation / &lt;code&gt;totalAssets&lt;/code&gt; manipulation&lt;/li&gt;
&lt;li&gt;Oracle staleness (Chainlink &lt;code&gt;latestRoundData&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;Cross-function &amp;amp; read-only reentrancy&lt;/li&gt;
&lt;li&gt;Access control on privileged functions&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;tx.origin&lt;/code&gt; auth, unchecked low-level calls&lt;/li&gt;
&lt;li&gt;ERC-20 / ERC-4626 compliance&lt;/li&gt;
&lt;li&gt;NatSpec-vs-code mismatches&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  The hard part: not crying wolf
&lt;/h2&gt;

&lt;p&gt;Heuristic scanners have a reputation problem — they flag everything, so people stop trusting them. Reputation IS the product, so I obsessed over precision.&lt;/p&gt;

&lt;p&gt;The bar I set: &lt;strong&gt;0 false positives across the entire OpenZeppelin library.&lt;/strong&gt; It's verifiable — clone OZ, run the scanner, get zero findings. Getting there meant fixing real bugs in my own detectors, e.g.:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A cast like &lt;code&gt;uint48(bytes32(x).extract(...))&lt;/code&gt; was being read as an interface call (a case-insensitive regex matched &lt;code&gt;int48(...)&lt;/code&gt; as if it were &lt;code&gt;IFoo(...)&lt;/code&gt;).&lt;/li&gt;
&lt;li&gt;The reentrancy detector didn't recognize Uniswap V2's classic &lt;code&gt;lock&lt;/code&gt;/&lt;code&gt;unlocked&lt;/code&gt; guard, so it flagged &lt;code&gt;swap&lt;/code&gt;/&lt;code&gt;burn&lt;/code&gt; — 13 findings on V2 dropped to 1, and that 1 is a genuine CEI-order candidate on &lt;code&gt;createPair&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;The ERC-compliance check flagged every token that inherits its implementation from a parent as "missing &lt;code&gt;transfer()&lt;/code&gt;" — the most common real-world pattern.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Result across libraries: OpenZeppelin &lt;strong&gt;0&lt;/strong&gt;, forge-std &lt;strong&gt;0&lt;/strong&gt;, solady low single digits, Uniswap V2 down to &lt;strong&gt;1&lt;/strong&gt; defensible candidate.&lt;/p&gt;

&lt;h2&gt;
  
  
  It's honest about being heuristic
&lt;/h2&gt;

&lt;p&gt;Everything it reports is a &lt;strong&gt;candidate — verify before acting&lt;/strong&gt;. It's a fast first pass and a CI safety net, not a replacement for a real audit. The report says so explicitly.&lt;/p&gt;

&lt;h2&gt;
  
  
  Try it
&lt;/h2&gt;

&lt;p&gt;Repo → &lt;strong&gt;&lt;a href="https://github.com/juan23z/openclaw-audit" rel="noopener noreferrer"&gt;https://github.com/juan23z/openclaw-audit&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;I'd genuinely love feedback — which detectors you'd want, false positives you hit, edge cases I'm missing.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;(Disclosure: I also do human-verified audits + continuous monitoring as a paid service for small/new DeFi teams, but the scanner is free and standalone — use it however you like.)&lt;/em&gt;&lt;/p&gt;

</description>
      <category>solidity</category>
      <category>ethereum</category>
      <category>security</category>
      <category>opensource</category>
    </item>
  </channel>
</rss>
