Skip to main content
Glama
Baneado98

contract-auditor

by Baneado98
OverviewSchemaRelated ServersScoreDiscussions
TypeScript
Hybrid

contract-auditor 🛡️

Quick-scan a smart contract for rug / honeypot / centralization risk before you approve or send funds.

contract-auditor is an MCP server and a pay-per-call x402 HTTP API. Give it a deployed contract address + chain (or raw Solidity source) and it returns a SAFE / CAUTION / HIGH-RISK verdict with an explained risk score.

It combines three things an AI agent can't gather on its own from a chat:

  1. Verified source from Sourcify (key-less, multi-chain) — or the absence of it (a strong red flag).

  2. Live on-chain state via public RPC — is there code at all? Is it an upgradeable proxy (owner can swap the code)? Who is the owner, and is it a single EOA, a multisig, or renounced?

  3. Heuristic Solidity scan for the real ways a contract takes or freezes your funds.

⚠️ Heuristic quick-scan, not a formal audit. Absence of findings is not proof of safety. Always do your own research before sending funds.

What it catches

🔁 Upgradeable proxy

EIP-1967 / 1167 / beacon — the owner can replace the audited code

👑 Owner powers

mint, pause, blacklist, owner-adjustable fees/tax, max-tx limits, trading on/off, withdraw/sweep

💀 Dangerous primitives

selfdestruct, delegatecall, tx.origin auth, arbitrary external calls, inline assembly

🍯 Honeypot signals

can't-sell patterns: blacklist + uncapped tax + trading switch + wallet/tx caps

🔓 Owner status

live on-chain: renounced, single EOA (one key), or multisig/timelock?

Unverified

no verified source on Sourcify = you can't read what you're trusting

Related MCP server: base-security-scanner-mcp

Use as an MCP server (free)

{
  "mcpServers": {
    "contract-auditor": { "command": "npx", "args": ["-y", "contract-auditor-mcp"] }
  }
}

Tool: audit_contract — params: address, chain (alias or chainId), source (optional raw Solidity), deep (boolean).

Or connect over HTTP at POST /mcp.

Free HTTP API

GET https://contract-auditor-ivory.vercel.app/audit?address=0xdAC17F958D2ee523a2206206994597C13D831ec7&chain=ethereum
GET https://contract-auditor-ivory.vercel.app/audit?address=0x...&chain=base

Supported chains: ethereum, base, optimism, arbitrum, polygon, bsc, avalanche, gnosis, celo (or a numeric chainId). Free tier is rate-limited to 30 requests/hour/IP.

Pay-per-call (x402)

The /pro/audit route is gated by x402. Your agent pays $0.25 USDC per call automatically — no sign-up, no API key — settling on-chain (USDC on Base) to the operator wallet.

GET /pro/audit?address=0x...&chain=ethereum   # 402 → pay → result

How it works (honest about the limits)

  • Source is fetched from Sourcify by (chainId, address). If a contract is only verified on a native explorer and not mirrored to Sourcify, it shows as unverified here — pass the source directly to scan it.

  • On-chain checks use public RPCs (best-effort, community endpoints). If a chain's RPC is briefly down the audit degrades to a source-only verdict.

  • The Solidity scan is static pattern/heuristic analysis with comment-stripping and owner-gating context. It is tuned for low false-alarm on well-known patterns, but it is not symbolic execution or a formal verifier.

License

MIT

Install Server
A
license - permissive license
A
quality
B
maintenance

How are these scores calculated?

Maintenance

Maintainers
Response time
Release cycle
Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Baneado98/contract-auditor'

If you have feedback or need assistance with the MCP directory API, please join our Discord server