Contract audit
Triage a smart contract before an agent interacts with it: verified source, heuristic vulnerability scan, known-address check, function-selector resolution, and a read-only dry-run of the exact call you plan to make.
When to use this pack
An agent is about to approve, transfer, or call an unfamiliar contract — you want the verified source scanned for red flags, the address checked against known labels, and the intended calldata simulated before anything is signed or broadcast.
Tools in this pack
- Verified contract source (Sourcify) $0.005 POST /api/contract-source Fetch the verified Solidity source files and compiler metadata for a contract address from Sourcify's open verification repository. Covers 8 EVM mainnets (ethereum, base, polygon, arbitrum, optimism, bsc, gnosis, celo). Contracts that were never verified return a structured {verified:false} miss, not an error. Feed the returned source into /api/solidity-scan for a heuristic pattern check.
- Solidity heuristic pattern scan $0.01 POST /api/solidity-scan Deterministic static pattern scan of Solidity source text — a fixed ruleset flagging tx.origin authentication, delegatecall, selfdestruct, unchecked low-level calls, unchecked .send(), floating pragmas, block-timestamp dependence, weak block-derived randomness, value-call reentrancy surface, inline assembly, ecrecover, and missing SPDX headers. Returns line-anchored findings with severities. This is a heuristic pattern check for triage — it is NOT a compiler, NOT a formal audit, and uses no AI. Pair with /api/contract-source to scan any verified contract.
- Function selector / event topic lookup $0.002 POST /api/selector-lookup Resolve a 4-byte function selector or a 32-byte event topic hash to its known human-readable signatures, via the openchain.xyz signature database with 4byte.directory as fallback. Unknown selectors return {found:false} with an empty list, not an error.
- Known-address label lookup $0.002 POST /api/address-label Label a known EVM address from a curated, committed dataset: major stablecoin + token contracts (USDC on every chain we settle on, USDT, DAI, WETH, WBTC), DEX routers (Uniswap, 1inch, 0x), canonical L1↔L2 bridges, large exchange hot/cold wallets, and burn/system addresses. Deterministic and offline — the provenance field states the dataset revision. Unknown addresses return {found:false}, not an error.
- Transaction simulation (eth_call + gas) $0.005 POST /api/tx-simulate Dry-run a prospective transaction without broadcasting it: executes eth_call and eth_estimateGas against the latest block over the same keyless multi-endpoint public RPC pool as /api/evm-rpc (ethereum, base, polygon, arbitrum, optimism). Returns the return data and a gas estimate on success, or {success:false} with the revert reason when the call would fail. Strictly read-only — nothing is signed or broadcast.
Workflow
- Fetch the verified Solidity source and compiler metadata from Sourcify via contract-source — an unverified contract is itself a finding.
- Run solidity-scan over the returned source for line-anchored heuristic findings: tx.origin auth, delegatecall, selfdestruct, unchecked calls, weak randomness, and more.
- Resolve the 4-byte selector of the calldata you plan to send with selector-lookup so you know exactly which function it hits.
- Check the address against the curated known-address dataset with address-label — is this the real token/router/bridge or an impostor?
- Dry-run the exact call with tx-simulate (eth_call + gas estimate, strictly read-only) to see whether it succeeds or reverts before anything is signed.
Run it in Claude
claude mcp add agent402 -s user -- npx -y agent402-mcp@latest
Then paste this prompt into Claude:
Audit the contract 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 on base before interacting with it, using Agent402's contract-audit skill pack. (1) Fetch the verified source from Sourcify, (2) run the heuristic Solidity scan over it, (3) resolve the selector of the planned calldata 0x70a08231000000000000000000000000abf4fabd7c416fb67202e5f9002389fc75e2a9d0, (4) check the address against known labels, (5) simulate the call read-only. Report: verification status, scan findings by severity, what the calldata does, whether the address is a known contract, and the dry-run verdict.