Vulnerability Database

Our scanner currently detects the following common smart contract vulnerabilities using an AST-first analysis pass with regex fallback.

Reentrancy Pattern

High Severity

A value-transferring external call appears before a later state mutation in the same function, which is a common reentrancy risk pattern.

Remediation

Apply Checks-Effects-Interactions by moving state updates before the external call, or protect the function with a reentrancy guard.

Phishing with tx.origin

High Severity

Using tx.origin for authorization is insecure because a malicious contract that a user interacts with can forward a call to the target, and tx.origin still resolves to the user's address, so the check passes for an action the user never intended.

Remediation

Use msg.sender instead of tx.origin for authorization checks.

Unchecked Low-Level Call

Medium Severity

A low-level call executes without an obvious success check.

Remediation

Capture the boolean return value and handle failures explicitly.

Floating Pragma

Low Severity

Version ranges can compile under a different compiler than the one originally reviewed.

Remediation

Pin Solidity to an exact compiler version such as pragma solidity 0.8.24;.

Weak Randomness

Medium Severity

Block properties are predictable or miner-influenced and should not be used as entropy sources.

Remediation

Use a verifiable randomness source such as Chainlink VRF.

Unsafe delegatecall

High Severity

delegatecall runs the target's code in the calling contract's storage and balance context, so an untrusted or mismatched target can overwrite the caller's storage or bypass its trust boundaries.

Remediation

Avoid delegatecall to untrusted targets and tightly constrain upgrade or proxy execution paths.

Selfdestruct Usage

High Severity

selfdestruct can permanently change contract behavior and is dangerous in most production systems.

Remediation

Remove selfdestruct or gate it behind strong governance and a carefully reviewed shutdown flow.