aizen299/smart-contract-auditor
GitHub: aizen299/smart-contract-auditor
A production-grade smart contract security auditing tool that combines static analysis with machine learning, supporting automated vulnerability detection, risk scoring and L2-chain-specific rules.
Stars: 0 | Forks: 0
# ChainAudit
Production-grade smart contract security scanner. Upload a Solidity file or a zip archive to get an audit report with a risk score, ML exploitability prediction and L2/Arbitrum/Optimism-aware findings.
[PyPI](https://pypi.org/project/chainaudit/) · [CI](https://github.com/aizen299/smart-contract-auditor/actions) · [License](LICENSE)
## Installation
### Mac / Linux / Ubuntu
```
pip install chainaudit
pip install slither-analyzer
pip install solc-select
solc-select install 0.8.24
solc-select use 0.8.24
```
### Windows
```
pip install chainaudit
pip install slither-analyzer
pip install solc-select
solc-select install 0.8.24
solc-select use 0.8.24
```
## Tech Stack
| | |
|---|---|
| Frontend | Next.js 14, TypeScript, Tailwind CSS |
| Backend | FastAPI, Python 3.11 |
| Analysis | Slither, solc-select, CVSS heuristic scoring |
| ML | Random Forest — 88% accuracy (SmartBugs dataset) |
| Auth | Supabase — email, GitHub, Google OAuth |
| Deploy | Vercel + Render |
| CI/CD | GitHub Actions + GitHub Marketplace Action |
## GitHub Action
Use ChainAudit in any CI pipeline:
```
- uses: aizen299/smart-contract-auditor@v1
  with:
    target: contracts/
    fail-on-critical: true
```
Outputs: `risk-score`, `total-findings`, `critical-count`, `high-count`, `report-path`
## CLI
```
chainaudit scan contract.sol # single file
chainaudit scan ./contracts --recursive # directory
chainaudit scan contracts.zip # zip archive
chainaudit scan contract.sol --json # JSON output
chainaudit scan contract.sol --ml-only # skip simulation
chainaudit --version # show version
```
The exit code is `1` whenever a CRITICAL finding is present, which blocks the deployment step in CI.
## Local Development
```
# Backend
cd backend
python -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt
uvicorn api:app --reload
# Frontend
cd frontend
npm install && npm run dev
```
**`frontend/.env.local`**
```
NEXT_PUBLIC_SUPABASE_URL=your_supabase_url
NEXT_PUBLIC_SUPABASE_ANON_KEY=your_supabase_anon_key
NEXT_PUBLIC_API_URL=http://localhost:8000
```
**Docker**
```
cp docker-compose.example.yml docker-compose.yml
docker compose up --build
```
## API
`POST /scan` — a single `.sol` file
`POST /scan/zip` — multiple contracts (up to 20 files, 5MB)
```
{
  "risk_score": 86,
  "total_findings": 6,
  "findings": [
    {
      "title": "Reentrancy",
      "severity": "CRITICAL",
      "ml_exploitability": "CRITICAL",
      "ml_confidence": 0.96,
      "occurrences": 7,
      "chain": "arbitrum",
      "l2_detected": true
    }
  ]
}
```
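The CLI section above says a CRITICAL finding turns into exit code `1`, and the Action exposes `critical-count`, `high-count` and `risk-score`. The following is an added example, not part of ChainAudit, showing how a CI step can consume a report in the JSON shape above and turn it into a deployment gate. The report embedded here is constructed, and the `accepted` allowlist and `max_risk_score` threshold are this example's own additions, not options of the tool.

```python
import json
import sys
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

# Constructed report in the shape of the README's API response; values are made up.
SAMPLE_REPORT = json.dumps({
    "risk_score": 86,
    "total_findings": 3,
    "findings": [
        {"title": "Reentrancy", "severity": "CRITICAL", "ml_exploitability": "CRITICAL",
         "ml_confidence": 0.96, "occurrences": 7, "chain": "arbitrum", "l2_detected": True},
        {"title": "tx.origin Auth", "severity": "HIGH", "ml_exploitability": "HIGH",
         "ml_confidence": 0.81, "occurrences": 1, "chain": "arbitrum", "l2_detected": True},
        {"title": "Missing Events", "severity": "LOW", "ml_exploitability": "LOW",
         "ml_confidence": 0.60, "occurrences": 4, "chain": "arbitrum", "l2_detected": True},
    ],
})


def load_report(text: str) -> dict:
    """Parse a report and reject unknown severities so a typo cannot slip past the gate."""
    report = json.loads(text)
    for finding in report["findings"]:
        if finding["severity"] not in SEVERITIES:
            raise ValueError(f"unknown severity {finding['severity']!r} in {finding['title']!r}")
    return report


def summarize(report: dict) -> dict:
    """Per-severity counts, keyed like the GitHub Action's outputs."""
    counts = Counter(f["severity"] for f in report["findings"])
    return {
        "risk-score": report["risk_score"],
        "total-findings": report["total_findings"],
        "critical-count": counts["CRITICAL"],
        "high-count": counts["HIGH"],
    }


def gate(report: dict, fail_on_critical: bool = True, max_risk_score=None,
         accepted: frozenset = frozenset()) -> int:
    """Exit code for a CI step: 1 blocks the deployment, 0 lets it through.

    `accepted` is a hypothetical allowlist of finding titles that a reviewer has
    signed off on; it is not a ChainAudit option.
    """
    live = [f for f in report["findings"] if f["title"] not in accepted]
    if fail_on_critical and any(f["severity"] == "CRITICAL" for f in live):
        return 1
    if max_risk_score is not None and report["risk_score"] > max_risk_score:
        return 1
    return 0


if __name__ == "__main__":
    # Usage: python gate.py report.json   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    report = load_report(text)
    print(json.dumps(summarize(report), indent=2))
    sys.exit(gate(report))
```

Allowlisting by title is deliberately coarse: it silences every occurrence of that rule in the scanned set, so it should be paired with a review record rather than used to quiet a noisy pipeline. Rejecting unknown severities up front matters because a gate that only looks for the string `CRITICAL` would silently pass a report whose schema changed.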
## Vulnerability Coverage
**EVM (all chains) — 16 rules**
| Severity | Rules |
|----------|-------|
| CRITICAL | Reentrancy, Reentrancy with Unlimited Gas, Controlled Delegatecall |
| HIGH | Unchecked Token Transfer, Arbitrary ETH Send, Weak Randomness, tx.origin Auth, Selfdestruct Risk, Access Control, Unchecked Low-level Call |
| MEDIUM | Timestamp Dependence, Unchecked Send, Deprecated Standards |
| LOW | Missing Zero Check, Incorrect Equality, Missing Events, Naming Convention |
**L2 / Arbitrum / Optimism — 12 rules**
| Severity | Rules |
|----------|-------|
| CRITICAL | Cross-Chain Replay Attack, Bridge Reentrancy, Proxy Storage Collision, msg.value Misuse |
| HIGH | L2 Block Number Assumption, L2 Timestamp Assumption, Sequencer Dependence, Address Aliasing, Unvalidated Bridge Sender |
| MEDIUM | Force-Include Griefing, Gas Price Assumption, Optimism Deposit Griefing |
L2 rules are switched on by **auto-detection**: the scanner reads the contract source for Arbitrum/Optimism identifiers (`ArbSys`, `xDomainMessageSender`, `IL2Bridge`, etc.) and automatically injects chain-specific findings.
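To make the auto-detection mechanism concrete, here is an added example (not ChainAudit's own code) of the same idea: look for the marker identifiers named above, decide which L2 the contract targets, and only then run rules that make no sense on L1. The marker-to-chain mapping, the `ICrossDomainMessenger` marker, the regex heuristics behind the two rule titles, and the sample contracts are all this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Marker identifiers named in the README, mapped to the chain they imply.
# Which marker belongs to which chain is this example's assumption.
L2_MARKERS = {
    "arbitrum": ("ArbSys", "IL2Bridge"),
    "optimism": ("xDomainMessageSender", "ICrossDomainMessenger"),
}

# Rules that only apply once an L2 is detected. The titles come from the
# README's L2 table; the patterns are this example's own heuristics.
L2_RULES = (
    ("L2 Block Number Assumption", "HIGH", re.compile(r"\bblock\.number\b")),
    ("L2 Timestamp Assumption", "HIGH", re.compile(r"\bblock\.timestamp\b")),
)


@dataclass(frozen=True)
class Finding:
    title: str
    severity: str
    chain: str
    occurrences: int
    l2_detected: bool = True


def strip_comments(source: str) -> str:
    """Remove // and /* */ comments so a marker mentioned only in a comment
    does not switch the chain-specific rules on."""
    without_block = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    return re.sub(r"//[^\n]*", "", without_block)


def detect_chain(source: str) -> Optional[str]:
    """Return the L2 with the most marker hits, or None for a plain EVM contract."""
    code = strip_comments(source)
    hits = {
        chain: sum(len(re.findall(rf"\b{marker}\b", code)) for marker in markers)
        for chain, markers in L2_MARKERS.items()
    }
    best = max(hits, key=hits.get)
    return best if hits[best] > 0 else None


def l2_findings(source: str) -> list:
    """Inject chain-specific findings, shaped like the README's API response,
    only when auto-detection identified an L2."""
    chain = detect_chain(source)
    if chain is None:
        return []
    code = strip_comments(source)
    findings = []
    for title, severity, pattern in L2_RULES:
        occurrences = len(pattern.findall(code))
        if occurrences:
            findings.append(Finding(title, severity, chain, occurrences))
    return findings


# Constructed sample contracts (not from the project or any real deployment).
ARBITRUM_LOTTERY = """
pragma solidity ^0.8.24;
interface ArbSys { function arbBlockNumber() external view returns (uint256); }
contract Lottery {
    uint256 public deadline = block.number + 7200; // assumes L1 block cadence
    function isOpen() external view returns (bool) { return block.number < deadline; }
}
"""

PLAIN_VAULT = """
contract Vault { uint256 public lastSeen = block.timestamp; }
"""

COMMENT_ONLY = """
// ported from Optimism, used to read xDomainMessageSender
contract Counter { uint256 public n; }
"""

if __name__ == "__main__":
    for name, src in (("arbitrum", ARBITRUM_LOTTERY), ("plain", PLAIN_VAULT), ("comment", COMMENT_ONLY)):
        print(name, detect_chain(src), [(f.title, f.occurrences) for f in l2_findings(src)])
```

The comment stripping is the part worth keeping: a marker that only appears in a comment should not promote an L1 contract into the L2 rule set, otherwise `block.timestamp` in an ordinary vault gets reported as an L2 timestamp assumption. The same `block.number` usage is silent for `PLAIN_VAULT` and flagged twice for `ARBITRUM_LOTTERY`, which is exactly the "inject only when detected" behaviour the paragraph describes. A production scanner would of course work on the Slither IR rather than on regexes over raw source.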
## ML Pipeline
Trained on the SmartBugs dataset (143 contracts, 10 vulnerability categories). A Random Forest classifier predicts exploitability and a confidence score for each finding. Overall accuracy is 88%, with 95% precision on HIGH and 93% precision on CRITICAL.
## Deployment
| | Platform | URL |
|--|---------|-----|
| Frontend | Vercel | chainaudit.vercel.app |
| Backend | Render | smart-contract-auditor-812q.onrender.com |
| Uptime | UptimeRobot | pings `/health` every 5 minutes |
## Roadmap
- [x] 16 EVM vulnerability rules + CVSS scoring
- [x] 12 L2/Arbitrum/Optimism rules with auto-detection
- [x] ML exploitability prediction
- [x] Multi-contract zip scanning
- [x] Supabase auth + scan history
- [x] CLI tool — `chainaudit scan`
- [x] PyPI — `pip install chainaudit`
- [x] GitHub Marketplace Action
- [x] Docker, Vercel + Render, CI/CD
- [ ] Solana / Rust support
- [ ] Monetization — free/pro tiers, Stripe billing
- [ ] Enterprise API keys