A complete Web3 security toolkit combining AI-powered token auditing, ML-based deployer reputation scoring, and live Etherscan V2 data. Includes static analysis for rugpull detection, RandomForest reputation modeling, contract-fetching automation, and Solidity on-chain registries for transparent, reproducible security insights.
On-Chain Security Suite
AI-Powered Token Auditor โข ML Deployer Reputation Engine โข Etherscan V2 Integration โข Solidity Registries
The On-Chain Security Suite is a complete, end-to-end Web3 security pipeline. It combines:
- Static analysis of token contracts (rugpull pattern detection)
- Machine learningโbased reputation scoring for deployer addresses
- Etherscan V2 integration for fetching real on-chain data
- Solidity registries to store token audits and deployer scores on-chain
- A portfolio-quality security research project
- A practical toolkit for analysts and developers
- A template for building more advanced Web3 security systems
Table of Contents
- Motivation & Problem Statement
- High-Level Overview
- Core Components
- Architecture
- Folder Structure
- Installation & Setup
- Token Risk Auditor (Static Analyzer)
- CLI Tools & Workflows
- End-to-End Example Flow
- Assumptions & Limitations
- Ideas for Extension
- Roadmap
- License
Motivation & Problem Statement
The token ecosystem on Ethereum and EVM-compatible chains is:
- Fast-moving
- Permissionless
- Filled with both innovation and scams
- Rugpulls, the owner drains liquidity or mints massive supply
- Honeypots, you can buy but not sell
- Blacklist-based traps, certain addresses are silently blocked
- Tax manipulation, โfairโ token suddenly applies massive fees
- Bad actors, deployers who keep launching scams
- Read Solidity source code
- Detect patterns associated with malicious behavior
- Aggregate deployer history
- Use ML to estimate how risky a deployer is
- Integrate with real on-chain data (Etherscan)
- Optionally store results on-chain for transparency
High-Level Overview
The project has three main layers:
- Token-Level Analysis
- Deployer-Level Reputation
- Integration & Transparency Layer
This makes it possible to:
- Analyze local contracts
- Analyze real world deployers
- Train and use real ML models
- (If desired) publish security results on-chain.
Core Components
src/token_auditor
src/reputation
src/etherscan_integration
src/ml
contracts/
data/
artifacts/
deployer_model.joblib).
Architecture
The On-Chain Security Suite consists of three major layers:
- Token-Level Analysis
- Deployer-Level ML Reputation Scoring
- Blockchain Integration (Etherscan V2 + Solidity Registries)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ Solidity Token Contract โ โโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโ โ โผ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ Static Token Auditor โ โ - Regex feature extraction โ โ - Risk scoring ruleset โ โโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโ โ Token risk label โโโโโ โ โผ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ Deployer History (Local or Etherscan) โ โ - List of deployed contract addresses โ โ - Token risk scores/labels per contract โ โโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ โผ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ Deployer Feature Aggregator โ โ - n_safe โ โ - n_suspicious โ โ - n_rugpull โ โ - fracsafe / fracrugpull โ โโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโ โ โผ โโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ ML Deployer Reputation โ โ (RandomForest Model) โ โ - P(bad deployer) โ โ - Trust Score (0โ100) โ โ - Risk Class โ โโโโโโโโโโโโโโโโฌโโโโโโโโโโโโ โ โผ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ Final Reputation Results โ โ { score, risk_class, label, features } โ โโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ โผ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ Optional On-Chain Registries (Solidity) โ โ โ โ TokenAuditRegistry.sol DeployerReputationRegistry.sol โ โ - Report token risk - Store deployer trust score โ โ - Store details JSON - Expose transparent on-chain data โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โฒ โ โโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโ โ Etherscan V2 Integration โ โ - Fetch deployer tx list โ โ - Fetch contract source code โ โ - Auto-classify tokens โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
And Etherscan V2 is used to auto-generate the โDeployer History (JSON)โ layer by discovering and classifying real contracts.
Folder Structure
onchain-security-suite/
โ
โโโ contracts/
โ โโโ TokenAuditRegistry.sol
โ โโโ DeployerReputationRegistry.sol
โ
โโโ data/
โ โโโ tokens/
โ โ โโโ safetoken1.sol
โ โ โโโ rugpulltoken1.sol
โ โ โโโ suspicioustoken1.sol
โ โโโ deployers_example.json
โ
โโโ src/
โ โโโ token_auditor/
โ โ โโโ features.py
โ โ โโโ model.py
โ โ โโโ classify.py
โ โ
โ โโโ reputation/
โ โ โโโ features.py
โ โ โโโ model.py
โ โ โโโ classify.py
โ โ
โ โโโ etherscan_integration/
โ โ โโโ fetcher.py
โ โ โโโ build_history.py
โ โ
โ โโโ ml/
โ โ โโโ traindeployermodel.py
โ โ โโโ model_utils.py
โ โ
โ โโโ cli_token.py
โ โโโ cli_deployer.py
โ โโโ clifetchand_score.py
โ
โโโ artifacts/
โ โโโ deployer_model.joblib # created after ML training
โ
โโโ requirements.txt
โโโ README.md
Installation & Setup
# 1. Clone repo
git clone https://github.com/AmirhosseinHonardoust/onchain-security-suite.git
cd onchain-security-suite
2. Create virtual environment (recommended)
python -m venv .venv
.\.venv\Scripts\activate # on Windows
3. Install dependencies
pip install -r requirements.txt
Dependencies include:
requests, for Etherscan V2 APIscikit-learn, for ML modeljoblib, for saving/loading models
Token Risk Auditor (Static Analyzer)
Goal
Analyze a single token contract (ERC-20โstyle) and estimate:
- How dangerous its logic is
- Whether it contains classic rugpull mechanics
- A numeric risk score + qualitative label
Patterns Detected
The token auditor focuses on structural and semantic red flags, such as:
- Owner Minting
function mint(uint256 amount) public onlyOwner { ... }
* Red flag: Owner can unilaterally increase supply โ dumping risk.
- General Mint Functions
function mint(address to, uint256 amount) external { ... }
* Without clear access control, this is dangerous.
- Fee Manipulation
function setFee(uint256 _newFee) external onlyOwner { ... }
* Allows future tax changes (from 5% to 90% after listing).
- Blacklisting / Whitelisting
mapping(address => bool) public isBlacklisted;
* Can be used to trap specific users.
- Trading Locks
bool public tradingOpen;
* If the owner controls this flag, they can freeze trading.
- Max Transaction Limits (maxTx)
uint256 public maxTxAmount;
* Can be used to prevent selling or force tiny sells only.
These patterns are implemented as regex rules in token_auditor/features.py.
Feature Extraction
Example (simplified):
features = {
"n_lines": 143.0,
"n_public": 6.0,
"n_external": 1.0,
"has_mint": 1.0,
"hasownermint": 1.0,
"hassetfee": 1.0,
"has_blacklist": 0.0,
"hastradinglock": 1.0,
"hasmaxtx": 0.0,
}
We capture:
- Structural features:
n_lines: lines of code
* n_public: number of occurrences of public
* n_external: number of occurrences of external
- Pattern features:
hasownermint
* hassetfee
* has_blacklist
* hastradinglock
* hasmaxtx
Risk Scoring Logic
The core idea is a weighted feature sum:
Where:
= feature (0 or 1 for patterns, numeric for others)
= risk weight
hasownermintโ +40has_mint(non-owner) โ +20hassetfeeโ +25has_blacklistโ +20hastradinglockโ +25hasmaxtxโ +15n_lines > 800โ +15n_lines > 300โ +8
[0, 100].
Risk Levels
0โ20โ Low, labelsafe21โ60โ Medium, labelsuspicious61โ100โ High, labelrugpull_candidate
{
"file": "rugpulltoken1.sol",
"features": { ... },
"risk_score": 100,
"risk_level": "High",
"label": "rugpull_candidate"
}
How to Run
python -m src.clitoken --file data/tokens/rugpulltoken_1.sol
Deployer Reputation Engine (ML Model)
A single token is not the whole story. The deployer might have:
- a history of safe tokens
- a history of multiple rugpulls
- mixed behavior
Deployer-Level Features
For each deployer address, we track:
n_contracts, number of known deployed contractsn_safe, how many were labeledsafen_suspiciousnrugpull, labeledrugpullcandidatefracsafe=nsafe / n_contractsfracrugpull=nrugpull / n_contracts
src/reputation/features.py
Labeling Strategy
For training the initial model, we use a simple, interpretable rule:
- If
n_rugpull >= 2โ label1(bad deployer) - Else โ label
0(good/neutral deployer)
Model Architecture
We use:
RandomForestClassifiern_estimators = 200class_weight = "balanced"
- Handles mixed numeric features well
- Gives feature importances
- Robust to outliers
- Easy to interpret and explain
From Probability to Risk Categories
The model outputs
We convert that to a risk_score and label:
probbad = mlscore(features)
riskscore = int(round(probbad * 100))
Mapping:
risk_score <= 25โLow,trusted26โ60โMedium,watchlist61โ100โHigh,high_risk
{
"features": { ... },
"score": 87,
"risk_class": "High",
"label": "high_risk"
}
Machine Learning Training Pipeline
The training script is:
src/ml/traindeployermodel.py
- Load
data/deployers_example.json - Aggregate features per deployer
- Build
X(features) andy(labels) - Train RandomForest
- Save model to
artifacts/deployer_model.joblib - Print feature importances
How to Run
python -m src.ml.traindeployermodel
You must do this once before using the ML-based deployer reputation, so that artifacts/deployer_model.joblib exists.
Etherscan V2 Integration
The Etherscan integration lives in:
src/etherscan_integration/fetcher.pysrc/etherscanintegration/buildhistory.py
https://api.etherscan.io/v2/api
with parameters:
chainid(1 for Ethereum mainnet)moduleactionaddressapikey
Fetching Transactions
We use:
module = account
action = txlist
This returns all transactions related to an address. We then filter for those with a contractAddress field, these correspond to contracts that were created (i.e. deployed).
Fetching Contract Source Code
For each contractAddress, we use:
module = contract
action = getsourcecode
If the contract is verified on Etherscan:
- We get a
SourceCodefield with Solidity code - We pass this into
tokenauditor.auditsource()
- We skip it (no source to analyze)
Building Deployer History Automatically
The function:
buildhistoryfordeployer(deployer, apikey)
performs:
- Fetch txs by deployer
- Filter contract creation txs
- For each contract:
address, label, riskscore, risklevel
Output structure:
{
"0xDEPL...": {
"contracts": [
{
"address": "0xCONTRACT1",
"label": "rugpull_candidate",
"risk_score": 90,
"risk_level": "High"
},
...
]
}
}
save_history() writes this to a JSON file so it can be used by the ML reputation engine.
Solidity Registries
TokenAuditRegistry.sol
This contract stores audits per token (by bytes32 tokenId, which could be a hash of the token address).
Fields stored:
score(0โ100)level(Low,Medium,High)label("rugpull_candidate")detailsJson(optional, full feature set)auditor(who submitted the result)timestamp
submitAudit(tokenId, score, level, label, detailsJson)getAudit(tokenId)
DeployerReputationRegistry.sol
This contract stores deployer reputation:
score(0โ100)riskClass(Low,Medium,High)label(trusted,watchlist, etc.)numContractslastUpdatedupdater(who wrote the entry)
updateReputation(deployer, score, riskClass, label, numContracts)getReputation(deployer)
CLI Tools & Workflows
1. Token Auditor CLI
python -m src.clitoken --file data/tokens/rugpulltoken_1.sol
Use this when:
- You have a local token contract file
- You want a quick static risk assessment
2. Deployer Reputation CLI (Offline Dataset)
python -m src.clideployer --data data/deployersexample.json
Or, for a single deployer:
python -m src.clideployer --data data/deployersexample.json --deployer 0xDEADDEAD...
Use this when:
- You already have a JSON mapping
deployer โ contracts + labels - You want to test the ML scoring independently of Etherscan
3. Etherscan Fetch + Score CLI
python -m src.clifetchandscore --deployer <0xDEPL...> --apikey <YOURETHERSCANAPI_KEY>
This does:
[1/2]Fetch contracts by deployer from Etherscan V2- For each verified contract:
data/deployer_<address>.json
[2/2]Run ML-based reputation scoring using that JSON- Print final score + label for that deployer
End-to-End Example Flow
Full pipeline:
- Train ML model (once):
python -m src.ml.traindeployermodel
- Audit a local token:
python -m src.clitoken --file data/tokens/suspicioustoken_1.sol
- Score example deployers (offline data):
python -m src.clideployer --data data/deployersexample.json
- Fetch + analyze a real deployer from Etherscan:
python -m src.clifetchandscore --deployer 0xYOURDEPLOYER --apikey YOURAPIKEY
- (Optional) Upload scores to on-chain registry via Remix / Hardhat scripts.
Assumptions & Limitations
This suite is powerful, but not magic. Key limitations:
- Static Analysis Only
* Liquidity removal * Price manipulation * MEV attacks
- Heuristic Token Labeling
- Synthetic Training Data
* Collect real deployer histories * Use ground-truth scam labels
- Etherscan Constraints
These limitations are explicitly documented so the project is realistic and honest.
Ideas for Extension
Some natural extensions you can build next:
- Use AST-based parsing instead of regex
- Attach SHAP to the RandomForest model for explainable reputation
- Add token similarity clustering (token โfamiliesโ)
- Integrate CodeBERT/LLM-based code embeddings
- Support multiple chains (BSC, Polygon, Arbitrum, Base) with other explorers
- Build a small web dashboard using FastAPI + React
- Build an on-chain oracle that serves reputation scores to DApps
Roadmap
- [ ] Multichain explorer integrations
- [ ] More complex ML labeling logic
- [ ] Deployable Docker image
- [ ] Web dashboard visualization
- [ ] Integration with wallets (warn user on high-risk tokens)
- [ ] Batch scanning of new token deployments
- [ ] Automatic push to DeployerReputationRegistry on each score update
License
This project is released under the MIT License. You are free to use it, modify it, and build on top of it.
Contributions
Contributions are welcome. Ideas:
- New risk patterns for the token auditor
- Better ML models or ensembles
- Real-world datasets (scrubbed & anonymized)
- Documentation improvements
- Hardhat deployment scripts
- Visualization tools
Summary
The On-Chain Security Suite demonstrates how to combine:
- Smart-contract understanding
- Pattern-based security
- Machine learning
- Live blockchain data
- On-chain registries