A lightweight static analysis engine for Solidity smart contracts. Extracts code features, detects dangerous patterns (delegatecall, tx.origin, call.value), computes heuristic risk scores, and classifies contracts into Low/Medium/High risk levels. Includes multiple example vulnerabilities and a clean CLI for rapid security assessment.
Smart Contract Risk Analyzer
Static analysis + heuristic risk scoring for Solidity smart contracts
Overview
Smart Contract Risk Analyzer is a lightweight, extensible static analysis tool for auditing Solidity contracts. It uses rule-based heuristics, pattern detection, and surface-level code metrics to produce:
- A risk score (0โ100)
- A risk level (Low / Medium / High)
- A detailed feature breakdown extracted from the contractโs source code
- A cryptographic source hash for traceability
Why This Project Exists
Security is the #1 priority in smart contract development. Even simple mistakes, like unsafe access control, reentrancy windows, or misuse of delegatecall, can lead to millions in losses.
Most developers:
- Donโt have access to high-end auditing tools
- Donโt know how to build static analyzers
- Want a lightweight tool they can run locally
- A simple CLI-based analyzer
- A dangerous-pattern detector
- A clear scoring system
- A set of sample vulnerable contracts
- A structure designed for future expansion
Features
Static Feature Extraction
The analyzer extracts:
| Feature | Meaning | | ------------------ | ---------------------------------------------- | | n_lines | Total number of code lines (size/complexity) | | n_payable | Count of payable functions | | has_delegatecall | High-risk opcode for proxy & dynamic execution | | hascallvalue | Deprecated low-level call pattern | | hastxorigin | Critical access-control vulnerability |
Heuristic Risk Scoring
Risk score out of 100, based on:
- High-risk opcodes
- Misleading patterns
- Exposure surfaces
- Code size
Scoring rules (current version)
| Pattern | Score | | --------------------------------- | ----- | | delegatecall | +50 | | tx.origin | +40 | | call.value | +30 | | Many payable functions (>3) | +25 | | Some payable functions (>0) | +5 | | Large contracts (>100 lines) | +5 | | Very large contracts (>300 lines) | +15 |
Risk buckets:
- 0โ20 โ Low
- 21โ60 โ Medium
- 61โ100 โ High
Built-In Example Contracts
The project includes multiple real security scenarios:
- Safe contract
- Many-payable (expanded attack surface)
- Delegatecall vulnerability
- Proxy pattern
- Reentrancy vulnerability
- Access-control bug
- Oracle manipulation bug
- More...
Project Structure
smart-contract-risk-analyzer/
โโโ contracts/
โ โโโ RiskRegistry.sol # (optional, not used)
โโโ data/
โ โโโ examples/ # All test Solidity contracts
โ โโโ safe_contract.sol
โ โโโ medium_risk.sol
โ โโโ highriskdelegatecall.sol
โ โโโ reentrancy_vuln.sol
โ โโโ oracle_manipulation.sol
โ โโโ proxy_contract.sol
โ โโโ accesscontrolbug.sol
โ โโโ sample_contract.sol
โโโ src/
โ โโโ analyzer/
โ โ โโโ features.py # feature extraction
โ โ โโโ risk.py # scoring engine
โ โโโ cli.py # CLI entry point
โโโ scripts/
โ โโโ train_model.py # placeholder
โ โโโ analyzeandregister.py # placeholder
โโโ templates/
โโโ report.html # placeholder
Quick Start
1. Install
cd smart-contract-risk-analyzer
python -m venv .venv
.\.venv\Scripts\activate # Windows
pip install -r requirements.txt # (optional; no dependencies required yet)
2. Run the analyzer
python src\cli.py --file data\examples\sample_contract.sol
3. Output example
{
"source_hash": "1da354a9b...",
"features": {
"n_lines": 16,
"n_payable": 0,
"has_delegatecall": 1,
"hascallvalue": 0,
"hastxorigin": 1
},
"risk_score": 90,
"risk_level": "High"
}
Detailed Analysis of Included Contracts
Below is a breakdown of how the analyzer evaluates each contract.
1. safe_contract.sol, Safe Contract
No dangerous patterns Simple owner-withdraw logic Some payable functions but low quantity Risk: Low (score ~5)
2. medium_risk.sol, Many Payable Functions
No dangerous opcodes 5+ payable functions โ expanded attack surface Risk: Medium (score ~25)
3. highriskdelegatecall.sol, Critical Security Risks
Contains two extremely dangerous patterns:
delegatecalltx.originfor authorization
Risk: High (score ~90)
4. reentrancy_vuln.sol, Classic Reentrancy Bug
Calls:
(bool ok,) = msg.sender.call{value: amount}("");
Effect-before-interaction, making it reentrancy-vulnerable. Current version does not yet detect this, but future improvements will.
Risk (current): LowโMedium (score ~5) Risk (real-world): High
5. accesscontrolbug.sol, Anyone Can Change Owner
function setOwner(address newOwner) public {
owner = newOwner;
}
There is no require(msg.sender == owner) check. Current heuristics do NOT yet detect this.
Risk (current): Low (score ~0) Risk (actual): High
6. oracle_manipulation.sol, Open Price Oracle
Anyone can update the price.
Again: current heuristics do NOT detect this.
Risk (current): Low Risk (actual): MediumโHigh
7. proxy_contract.sol, Upgradeable Proxy
Legitimate use of delegatecall, but still inherently dangerous.
Risk: Medium (score ~55)
How to Improve the Analyzer
The analyzer is intentionally simple. Hereโs how you can extend it:
1. Add more pattern detectors
- Detect
call{value:...}syntax - Detect unprotected setters
- Detect missing
require()on critical operations - Detect unsafe
publicvariables - Detect unguarded external calls
2. Use an AST parser
Replace regex with:
solidity-parser-antlr(Node.js)slitherJSON AST outputtree-sitter-solidity
3. Add ML model (RandomForest/XGBoost)
Steps:
- Compute features for all example contracts
- Label them manually (
Low/Medium/High) - Train a classifier
- Replace heuristics with prediction
4. Generate HTML/PDF Reports
Use Jinja2 + templates to create:
- contract summary
- risk indicators
- function-level breakdown
- recommendations
Roadmap
| Feature | Status | | --------------------------------- | ------ | | Static feature extraction | Done | | Heuristic scoring engine | Done | | CLI interface | Done | | Built-in sample contracts | Done | | ML-based scoring | Next | | AST-based analysis | Next | | Web interface | Planned | | Report generation | Planned | | Rule-based vulnerability patterns | Planned |