DEV Community

Cover image for I open-sourced a Solidity security scanner with 0 false positives on all of OpenZeppelin
juan23z
juan23z

Posted on

I open-sourced a Solidity security scanner with 0 false positives on all of OpenZeppelin

I've spent months building an autonomous Web3 security system — it watches fresh protocols, pre-scans them, and re-audits client contracts on every change. I open-sourced its scanning core. MIT, needs only Python 3.9+ and git, zero API keys.

What it does

Point it at a repo, get a professional report (Markdown + HTML) in seconds:

python scan.py https://github.com/org/protocol --out ./report
Enter fullscreen mode Exit fullscreen mode

Or run it in CI on every PR with a GitHub Action:

- uses: juan23z/openclaw-audit@v1
  with:
    path: contracts
Enter fullscreen mode Exit fullscreen mode

It ships 12 heuristic detectors aimed at the bugs that actually drain vaults:

  • ERC-4626 rounding & first-depositor inflation
  • Donation / totalAssets manipulation
  • Oracle staleness (Chainlink latestRoundData)
  • Cross-function & read-only reentrancy
  • Access control on privileged functions
  • tx.origin auth, unchecked low-level calls
  • ERC-20 / ERC-4626 compliance
  • NatSpec-vs-code mismatches

The hard part: not crying wolf

Heuristic scanners have a reputation problem — they flag everything, so people stop trusting them. Reputation IS the product, so I obsessed over precision.

The bar I set: 0 false positives across the entire OpenZeppelin library. It's verifiable — clone OZ, run the scanner, get zero findings. Getting there meant fixing real bugs in my own detectors, e.g.:

  • A cast like uint48(bytes32(x).extract(...)) was being read as an interface call (a case-insensitive regex matched int48(...) as if it were IFoo(...)).
  • The reentrancy detector didn't recognize Uniswap V2's classic lock/unlocked guard, so it flagged swap/burn — 13 findings on V2 dropped to 1, and that 1 is a genuine CEI-order candidate on createPair.
  • The ERC-compliance check flagged every token that inherits its implementation from a parent as "missing transfer()" — the most common real-world pattern.

Result across libraries: OpenZeppelin 0, forge-std 0, solady low single digits, Uniswap V2 down to 1 defensible candidate.

It's honest about being heuristic

Everything it reports is a candidate — verify before acting. It's a fast first pass and a CI safety net, not a replacement for a real audit. The report says so explicitly.

Try it

Repo → https://github.com/juan23z/openclaw-audit

I'd genuinely love feedback — which detectors you'd want, false positives you hit, edge cases I'm missing.

(Disclosure: I also do human-verified audits + continuous monitoring as a paid service for small/new DeFi teams, but the scanner is free and standalone — use it however you like.)

Top comments (0)