I've spent months building an autonomous Web3 security system — it watches fresh protocols, pre-scans them, and re-audits client contracts on every change. I open-sourced its scanning core. MIT, needs only Python 3.9+ and git, zero API keys.
What it does
Point it at a repo, get a professional report (Markdown + HTML) in seconds:
python scan.py https://github.com/org/protocol --out ./report
Or run it in CI on every PR with a GitHub Action:
- uses: juan23z/openclaw-audit@v1
with:
path: contracts
It ships 12 heuristic detectors aimed at the bugs that actually drain vaults:
- ERC-4626 rounding & first-depositor inflation
- Donation /
totalAssetsmanipulation - Oracle staleness (Chainlink
latestRoundData) - Cross-function & read-only reentrancy
- Access control on privileged functions
-
tx.originauth, unchecked low-level calls - ERC-20 / ERC-4626 compliance
- NatSpec-vs-code mismatches
The hard part: not crying wolf
Heuristic scanners have a reputation problem — they flag everything, so people stop trusting them. Reputation IS the product, so I obsessed over precision.
The bar I set: 0 false positives across the entire OpenZeppelin library. It's verifiable — clone OZ, run the scanner, get zero findings. Getting there meant fixing real bugs in my own detectors, e.g.:
- A cast like
uint48(bytes32(x).extract(...))was being read as an interface call (a case-insensitive regex matchedint48(...)as if it wereIFoo(...)). - The reentrancy detector didn't recognize Uniswap V2's classic
lock/unlockedguard, so it flaggedswap/burn— 13 findings on V2 dropped to 1, and that 1 is a genuine CEI-order candidate oncreatePair. - The ERC-compliance check flagged every token that inherits its implementation from a parent as "missing
transfer()" — the most common real-world pattern.
Result across libraries: OpenZeppelin 0, forge-std 0, solady low single digits, Uniswap V2 down to 1 defensible candidate.
It's honest about being heuristic
Everything it reports is a candidate — verify before acting. It's a fast first pass and a CI safety net, not a replacement for a real audit. The report says so explicitly.
Try it
Repo → https://github.com/juan23z/openclaw-audit
I'd genuinely love feedback — which detectors you'd want, false positives you hit, edge cases I'm missing.
(Disclosure: I also do human-verified audits + continuous monitoring as a paid service for small/new DeFi teams, but the scanner is free and standalone — use it however you like.)
Top comments (0)