solidity-sentinel
Enables static security audit of Solidity smart contracts by analyzing source code or deployed bytecode for vulnerabilities, providing risk scores and detailed findings.
README
solidity-sentinel π‘οΈ
Static security audit for Solidity smart contracts β for AI agents and developers.
solidity-sentinel is an MCP server and a pay-per-call x402 HTTP API. Paste a contract's source (or the raw deployed bytecode of an unverified contract) and get a CRITICAL / HIGH-RISK / REVIEW / LOW-RISK / CLEAN verdict with a 0β100 risk score and, in the deep tier, a full finding list β each with its exact line, the sourceβsink dataflow, a code-evidence snippet, the SWC + CWE id, a confidence score, an exploit explanation, and a concrete fix.
β οΈ Heuristic static screen, not a formal audit. It pattern-matches source structure and dataflow; it cannot prove a contract safe and can miss novel bugs. Absence of a finding is not a guarantee. Always pair with tests, fuzzing and a manual review before risking funds.
Why it exists (the moat)
An AI agent asked to "check this contract for bugs" makes one pass and produces a few regex-grade observations. A real review is the accumulated depth of an auditor working through the whole surface. solidity-sentinel encodes that depth:
- A flow-sensitive taint/dataflow engine (CFG-based). It tracks attacker-controlled values (function params,
msg.sender, external-call returns) into dangerous sinks (delegatecall/call targets,selfdestruct, transfer amounts, array indices,sstoreslots). It does not walk statements linearly β it builds a control-flow graph and runs a forward dataflow with a JOIN at branch confluences (a value tainted on any path is tainted after the merge), loop fixpoints (taint a loop body creates reaches code after the loop), and revert/early-return guards (if (msg.sender != owner) revert();makes the fall-through path trusted). A guard on one branch does not sanitise the merge. This catchesif (g) { t = userInput; } else { t = safe; } β¦ t.delegatecall(d)and stays silent on owner-guarded / immutable-target code β killing both false negatives and false positives. - Multi-level interprocedural + cross-contract. Taint follows internal call chains several hops deep (
entry β mid β inner β sink) and across contracts in the same project (router.run(tainted)into another contract's delegatecall), recording the full call/contract chain in the evidence. - High-value DeFi families where the money is: flash-loan-manipulable accounting, ERC-4626 first-depositor / share inflation, read-only reentrancy (stale view price during a transfer), callback-based reentrancy (ERC-777/1363 + flash-loan callbacks), MEV / sandwich exposure (no slippage bound), TWAP-window manipulation, unsafe liquidation, governance/timelock bypass, EIP-2612 permit replay, spot-price oracles.
- Deployed-bytecode screening for unverified contracts (no source): it disassembles runtime bytecode and flags
DELEGATECALL/SELFDESTRUCTcapabilities and calldata-controlled delegatecall takeover at the EVM level β ground truth a misleading source comment can't hide. - The classics, done right: a tokenizer that isn't fooled by strings/comments, a parser that knows each function's visibility/mutability/modifiers, CEI ordering dataflow, interprocedural reentrancy, and version-aware arithmetic.
The engine ships with 227 automated tests, including a 153-case calibration corpus modelled on real incidents (TheDAO, Parity, bZx, Cream, Euler, Beanstalk, Nomad, Lendf.me, Wormhole, Ronin, Multichain, Mango, Rari, Visor, Qubit, BadgerDAO, KyberSwap, Sentiment, Penpie, Sushi RouteProcessorβ¦) and audited-clean contracts. Measured on that corpus: 100% recall, 0 false positives β every must-flag fires, and safe CEI code, guarded reentrancy, immutable-target / beacon-proxy delegatecall, revert-guarded sinks, bounded indices, complete EIP-712 permits, slippage-bounded swaps, windowed TWAPs and .call text inside comments/strings are not flagged. A coverage drift-guard test asserts every detector id the engine fires is documented in the SWC/severity/confidence map β the docs can't silently fall out of sync with the code.
What it analyses (taint engine + 12 detector families)
| Family | Examples it catches |
|---|---|
| π Dataflow / taint (flow-sensitive) | attacker-controlled value β delegatecall/call target, selfdestruct beneficiary, transfer amount, array index, sstore slot β CFG-based with branch JOINs, loop fixpoints, revert-guards, multi-level interprocedural and cross-contract propagation, with guard/sanitiser suppression |
| π Reentrancy | classic ETH reentrancy (CEI violated), cross-function reentrancy on shared state, read-only reentrancy (stale view price), callback-based (ERC-777/1363 + flash-loan callbacks), ERC-777/721/1155 receiver-hook reentrancy (no raw .call needed), guard-aware suppression |
| π Access control | unprotected selfdestruct, unprotected/attacker-targeted delegatecall (immutable/beacon-target aware), privileged mutators (mint/withdraw/upgrade/setFeeβ¦) and infinite-mint / arbitrary-credit shapes with no onlyOwner/role check, unprotected initializer (proxy takeover) |
| π¦ DeFi families | flash-loan-manipulable accounting, ERC-4626 first-depositor inflation, MEV / sandwich (no slippage bound), TWAP-window manipulation, unsafe liquidation (no health check), governance without timelock, EIP-2612 permit missing deadline/nonce |
| β Arithmetic | pre-0.8 overflow/underflow without SafeMath, unchecked{} blocks, division-before-multiply precision loss, unsafe downcasts, strict balance equality |
| βοΈ Low-level calls | tx.origin auth (phishable), unchecked call/send return, .send() 2300-gas trap, arbitrary external call with caller-controlled target |
| π² Randomness | weak randomness from block.timestamp/prevrandao/blockhash, timestamp-dependent logic |
| π Oracle | spot-price (getReserves/balanceOf) used as a price feed (flash-loan manipulable), Chainlink usage without staleness checks, deprecated latestAnswer() |
| βοΈ Signatures | ecrecover without address(0) check, signature replay (no nonce / no chainId), malleability, abi.encodePacked hash collision |
| β¬οΈ Proxy / upgradeability | constructor-init in upgradeable contracts, UUPS without _authorizeUpgrade, risky inline assembly |
| π§± DoS | unbounded loops, push-payment loops a single revert can brick, O(n) array shifting |
| β ERC-compliance & gas | approve race, raw ERC-20 transfer (no SafeERC20), missing zero-address checks, floating/outdated pragma, publicβexternal gas, deprecated constructs |
| 𧬠Deployed bytecode | disassembles runtime bytecode of unverified contracts; flags DELEGATECALL/SELFDESTRUCT and calldata-controlled delegatecall takeover |
Each finding is mapped to its SWC and CWE id. SWC coverage (documented in detectors/coverage.ts and asserted in sync by coverage.test.ts): SWC-100, 101, 102, 103, 104, 105, 106, 107, 112, 114, 115, 116, 117, 118, 120, 121, 128, 132, 133 β plus the DeFi/dataflow families that have no SWC number (oracle manipulation, flash-loan accounting, ERC-4626 inflation, read-only reentrancy, MEV/sandwich, TWAP-window, governance timelock). Severity and confidence are calibrated per detector and further adjusted at runtime by path guards, interprocedural depth and cross-contract distance.
Tiers
| Free | Deep (paid) | |
|---|---|---|
| Detectors | 4 high-signal | flow-sensitive taint engine + all 16 families + bytecode mode |
| Output | verdict + risk score + finding counts + top issue titles | every finding: line, the sourceβsink flow, evidence, SWC/CWE, confidence, exploit reasoning, fix, + per-contract surface inventory |
| Runs | locally in the installed package | server-side, behind payment |
| Cost | free (rate-limited) | $0.05 USDC per call via x402, or a prepaid API key (card) |
The deep engine never runs in the locally-installed package β deep=true is forwarded to the hosted /pro/run endpoint, gated by x402 or a prepaid key. The premium engine (the taint/dataflow CFG, the DeFi families, the full detector suite, the calibration corpus) is not shipped in the npm package at all: the files allowlist publishes only the free client, and the deep path is a lazy import() of modules that exist solely on the server. npm pack contains zero premium source β the moat cannot be extracted from the installed package.
Use as an MCP server
{
"mcpServers": {
"solidity-sentinel": {
"command": "npx",
"args": ["-y", "solidity-sentinel-mcp"],
// optional β unlocks the deep audit with a prepaid key:
"env": { "SENTINEL_KEY": "<your-key>" }
}
}
}
Tool: audit_contract β { source: string, deep?: boolean }.
deepomitted/false β free verdict (runs locally).deep: truewith aSENTINEL_KEYβ full deep audit (server-side).deep: truewithout a key β you still get the free verdict plus how to unlock the deep tier.
Use as an HTTP API
# Free verdict
curl -s -X POST https://solidity-sentinel.vercel.app/run \
-H 'content-type: application/json' \
-d '{"source":"pragma solidity ^0.8.0; contract C { ... }"}'
# Deep audit β pay per call with x402 (USDC on Base), or a prepaid key:
curl -s -X POST https://solidity-sentinel.vercel.app/pro/run \
-H 'authorization: Bearer <your-key>' \
-H 'content-type: application/json' \
-d '{"source":"..."}'
A request to /pro/run without payment returns 402 with both payment lanes (x402 challenge + a Stripe checkout link). Buy a prepaid card key at /pro/checkout.
Develop
npm install
npm run build # tsc + sync landing
npm test # 227 tests: engine + 153-case CVE/hack calibration corpus + taint/CFG/bytecode units + coverage drift-guard
npm run dev:http # local server (FORCE_LISTEN); /run, /pro/run, /mcp
License
MIT β see LICENSE.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.