ChainScout — Automated Smart Contract Security Scanner
ChainScout is an open-source platform for automated security analysis of Web3 projects.
Supports Ethereum smart contracts, Solana programs, and dApp/Web3 applications with AI-powered reporting.
Smart Contract Analysis — Paste a contract address, get a full security report
Solana Program Scanning — Analyze on-chain programs for upgradeability risks
DApp / Web3 Surface Analysis — Detect wallet SDKs, signature prompts, chain gating
AI-Powered Reports — Detailed audit reports via OpenRouter (Claude / GPT-4o-mini)
Slither Integration — AST-based deep analysis for Solidity contracts
Risk Scoring — 0–100 weighted vulnerability scoring
Vulnerability Detection (7 Categories)
| # | Category | Severity | Description |
|---|----------|----------|-------------|
| 1 | Reentrancy Attacks | HIGH | External calls modifying state (CEI violations) |
| 2 | Integer Overflow/Underflow | MEDIUM | Arithmetic without SafeMath/Solidity 0.8+ |
| 3 | tx.origin Misuse | HIGH | Phishing-vulnerable authorization |
| 4 | Unchecked Calls | HIGH | Low-level calls without return validation |
| 5 | Delegatecall Misuse | CRITICAL | Code injection via delegatecall |
| 6 | Access Control Issues | CRITICAL | Missing permission checks |
| 7 | Timestamp Dependence | LOW | Miner-manipulatable timestamps |
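
The sketch below is an added example, not ChainScout's code: it shows how source-level heuristics for six of the categories above could feed a capped 0–100 score. The weights, detector ids, regexes and the sample contract are assumptions made for illustration; access-control checks are left out.

```javascript
// Added example, not ChainScout's code. Severities follow the table above;
// the weights and the regex heuristics are assumptions for illustration.
const WEIGHTS = { CRITICAL: 30, HIGH: 20, MEDIUM: 10, LOW: 5 };
// CEI violation: a state write (mapping/array assignment) after an external call.
function hasReentrancy(src) {
  return src.split(/\bfunction\b/).some((body) => {
    const call = body.search(/\.call\s*[({]/);
    return call !== -1 && /\w+\s*\[[^\]]*\]\s*[-+]?=(?!=)/.test(body.slice(call));
  });
}

// Low-level call whose statement neither captures nor tests the return value.
function hasUncheckedCall(src) {
  const re = /\.(call|send)\s*[({]/g;
  for (let m; (m = re.exec(src)); ) {
    const head = src.slice(0, m.index);
    const start = Math.max(...[';', '{', '}'].map((c) => head.lastIndexOf(c))) + 1;
    if (!/=|\b(require|if|return)\b/.test(head.slice(start))) return true;
  }
  return false;
}

const DETECTORS = [
  ['reentrancy', 'HIGH', hasReentrancy],
  ['overflow', 'MEDIUM', (s) => /pragma\s+solidity[^;]*?\b0\.[0-7]\.\d/.test(s) && !/using\s+SafeMath/.test(s)],
  ['tx-origin', 'HIGH', (s) => /tx\.origin\s*[=!]=|[=!]=\s*tx\.origin/.test(s)],
  ['unchecked-call', 'HIGH', hasUncheckedCall],
  ['delegatecall', 'CRITICAL', (s) => /\.delegatecall\s*[({]/.test(s)],
  ['timestamp', 'LOW', (s) => /block\.timestamp\s*(%|[<>]|==)|(%|[<>]=?|==)\s*block\.timestamp/.test(s)],
];

function scan(source) {
  const src = source.replace(/\/\*[\s\S]*?\*\/|\/\/.*$/gm, ''); // drop comments first
  const findings = DETECTORS.filter(([, , test]) => test(src)).map(([id, severity]) => ({ id, severity }));
  const score = Math.min(100, findings.reduce((sum, f) => sum + WEIGHTS[f.severity], 0));
  return { score, findings };
}
// Constructed sample contract, not taken from any real project.
const SAMPLE = `pragma solidity ^0.7.6;
contract Vault {
  mapping(address => uint) balances; address owner;
  function withdraw(uint amount) public {
    require(balances[msg.sender] >= amount);
    msg.sender.call{value: amount}("");
    balances[msg.sender] -= amount;
  }
  function sweep(address impl) public { require(tx.origin == owner); impl.delegatecall(abi.encodeWithSignature("run()")); }
}`;
console.log(scan(SAMPLE));
```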
| Feature | ChainScout | Slither | Mythril | Certora |
|---------|------------|---------|---------|---------|
| Browser-based | ✅ No CLI needed | ❌ CLI only | ❌ CLI only | ❌ CLI only |
| AI-Powered Reports | ✅ OpenRouter (Claude/GPT) | ❌ | ❌ | ❌ |
| Solana Support | ✅ On-chain analysis | ❌ | ❌ | ❌ |
| DApp Surface Analysis | ✅ Wallet SDK detection | ❌ | ❌ | ❌ |
| Risk Scoring | ✅ 0–100 weighted | ❌ | ❌ | ❌ |
| Open Source | ✅ MIT | ✅ AGPL | ✅ MIT | ❌ Proprietary |
| Setup Time | 2 min (Docker) | 10 min | 15 min | Days |
Quick Start (Docker Compose)
git clone https://github.com/BarmaleiDB-infosec/ChainScout.git
cd ChainScout
cp .env.example .env
# Edit .env with your keys
curl http://localhost/health
# → {"status":"ok","service":"chainscout-api"}
Open http://localhost in browser.
┌─────────────────┐
│    React App    │  Port 5173 (dev) / 80 (prod via Nginx)
│   (Vite + TS)   │
└────────┬────────┘
         │
    ┌────▼────┐
    │  Nginx  │  Reverse Proxy, Rate Limiting, Security Headers
    │ :80/443 │
    └────┬────┘
         │
    ┌────▼─────────┐
    │ Node.js API  │  Express, JWT Auth, Scan Orchestration
    │ :4000        │
    └────┬─────────┘
         │
    ┌────┴──────────────────────┐
    │                           │
┌───▼──────┐           ┌────────▼────────┐
│ Supabase │           │ Security Engine │
│ Auth + DB│           │ • 7 Detectors   │
│ RLS      │           │ • Slither (AST) │
└──────────┘           │ • Infura (RPC)  │
                       │ • Solana Client │
                       │ • OpenRouter AI │
                       └─────────────────┘
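| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | /api/auth/register | Create account |
| POST | /api/auth/login | Login, returns JWT |

| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | /api/scans | Start new scan |
| GET | /api/scans/:id | Get scan status/results |
| GET | /api/scans/recent | List recent scans |
| POST | /api/solana/scan | Scan Solana program |

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | /health | Service status |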
| Feature | Implementation |
|---------|----------------|
| Row-Level Security | Supabase RLS policies |
| JWT Authentication | Bearer tokens on all endpoints |
| Rate Limiting | Nginx-level (10 req/min auth, 1 req/min scan) |
| CORS | Whitelisted origins only |
| SSRF Protection | Private IP ranges blocked |
| Input Validation | Address format, file type checks |
| Security Headers | CSP, HSTS, X-Frame-Options, X-Content-Type-Options |
| Layer | Technology |
|-------|------------|
| Frontend | React 18, TypeScript, Vite, TailwindCSS, shadcn/ui |
| Backend | Node.js, Express |
| Database | PostgreSQL (Supabase) |
| Auth | Supabase Auth + JWT |
| AI | OpenRouter (Claude / GPT-4o-mini) |
| Analysis | Slither, Custom Heuristics, Etherscan V2 API, Infura RPC, Solana RPC |
| Infra | Docker, Nginx, GitHub Actions |
| Variable | Required | Description |
|----------|----------|-------------|
| SUPABASE_URL | Yes | Supabase project URL |
| SUPABASE_SERVICE_KEY | Yes | Supabase service role key |
| VITE_SUPABASE_PUBLISHABLE_KEY | Yes | Supabase anon key |
| ETHERSCAN_API_KEY | Yes | Etherscan API key |
| OPENROUTER_API_KEY | No | OpenRouter API key (for AI reports) |
| INFURA_API_KEY | No | Infura RPC key |
Production checklist:
ChainScout is an automated analysis tool and should NOT replace professional security audits. Automated scanning can miss complex vulnerabilities. Always:
Have critical contracts audited by professional firms
Test thoroughly on testnet before mainnet deployment
Review generated reports with security expertise
MIT License
Built by the ChainScout Team | MVP Ready — May 2026